Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\svchtisks.exe
- %TEMP%\s.bat
- %TEMP%\<File name>.exe.pid
- http://17#.##1.14.125:8888/bots/knock?wo###################################### via 17#.#21.14.125
- http://17#.##1.14.125:8888/bots/chkVersion?cu#################### via 17#.#21.14.125
- http://17#.##1.14.125:8888/project/active via 17#.#21.14.125
- http://17#.##1.14.125:8888/gw?wo####################### via 17#.#21.14.125
- http://17#.##1.14.125:8888/gw?wo########## via 17#.#21.14.125
- http://17#.##1.14.125:8888/gw?wo##### via 17#.#21.14.125
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat