Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'SonyAgent' = '<Full path to virus>'
Malicious functions:
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKLM>\Software\FlashFXP\3]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Microsoft\MessengerService]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\FlashFXP]
- [<HKCU>\Software\FlashFXP\3]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
Modifies file system :
Creates the following files:
- <DRIVERS>\npf.sys
- <SYSTEM32>\wpcap.dll
- <SYSTEM32>\Packet.dll
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Network activity:
Connects to:
- '88.##3.130.88':80
- 'localhost':1074
- 'localhost':1077
- 'localhost':1080
- '19#.#84.22.17':80
- 'localhost':1068
- '79.##0.132.108':80
- '78.##.151.247':80
- '46.#5.64.24':80
- 'localhost':1071
- '95.##1.171.203':80
- 'localhost':1089
- 'localhost':1092
- '41.##.146.47':80
- '17#.#9.23.19':80
- 'localhost':1083
- '17#.#15.122.56':80
- '87.##0.150.20':80
- '46.##9.183.77':80
- 'localhost':1086
- 'localhost':1065
- 'localhost':1044
- '94.##1.240.8':80
- '31.##7.71.50':80
- '91.##4.136.12':80
- 'localhost':1047
- '95.##0.179.239':80
- 'localhost':1035
- 'localhost':1038
- 'localhost':1041
- '75.##6.113.172':80
- 'localhost':1059
- '21#.#59.34.25':80
- '89.##4.154.4':80
- '10#.#92.182.26':80
- 'localhost':1062
- '17#.#49.21.114':80
- 'localhost':1050
- 'localhost':1053
- 'localhost':1056
- '89.#28.40.3':80
TCP:
HTTP GET requests:
- 41.##.146.47/online.htm