Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\cmd.exe /c <Current directory>\$$30689.bat
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\lcun709[1].txt
- <Current directory>\$$30689.bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\lcun709[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\lcun709[1].txt
- %TEMP%\YGXAZJLMTJY.zbc
Deletes the following files:
- %TEMP%\YGXAZJLMTJY.zbc
Deletes itself.
Network activity:
Connects to:
- 'hi##.qqjes.com':80
- 'localhost':1038
TCP:
HTTP GET requests:
- hi##.qqjes.com/pages/lcun709.txt
UDP:
- DNS ASK hi##.qqjes.com
- DNS ASK ud#.#job123.com
- 'ud#.#job123.com':31803