Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Update SP5' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'Cleanup' = 'C:\cleanup.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\Session Manager] 'BootExecute' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Defender' = ''
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Windows UpdateSP5.exe
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\lvzbingz] 'Start' = '00000000'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- <SYSTEM32>\GBK.exe /nogui <SYSTEM32>\GBK.txt
Executes the following:
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1806" /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v "1806" /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1806" /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Update SP5" /t REG_EXPAND_SZ /d "<SYSTEM32>\Windows UpdateSP5.exe" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "CurrentLevel" /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v "1806" /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1806" /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Security Center" /v "FirewallDisableNotify" /t REG_DWORD /d 0x00000001 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Security Center" /v "AntiVirusDisableNotify" /t REG_DWORD /d 0x00000001 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Security Center" /v "UacDisableNotify" /t REG_DWORD /d 0x00000001 /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /t REG_EXPAND_SZ /d "VSFPNC" /f
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "BootExecute" /t REG_MULTI_SZ /d "WUXP autocheck autochk *" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d 0x00000000 /f
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1806' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1806' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1806' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1806' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1806' = '00000000'
Modifies file system :
Creates the following files:
- C:\zip.exe
- <DRIVERS>\neiwyr.sys
- C:\cleanup.bat
- <SYSTEM32>\McAfeeNeed27.06.12UP.ini
- C:\cleanup.exe
- <SYSTEM32>\WUXP.exe
- <SYSTEM32>\Windows UpdateSP5.exe
- <SYSTEM32>\GBK.exe
- %PROGRAM_FILES%\ltbjfyw.txt
- <SYSTEM32>\GBK.txt
Deletes the following files:
- C:\cleanup.bat
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''