Technical Information
Malicious functions:
Creates and executes the following:
- %TEMP%\Setupnn.exe
- %PROGRAM_FILES%\Baidu\Toolbar\BarBroker.exe -RegServer
- %TEMP%\TheWorld_OEM_4.exe
- %TEMP%\ACSE.exe
- %TEMP%\cqaotu.exe
Executes the following:
- <SYSTEM32>\cmd.exe /c ""%TEMP%\DelTemp.bat" "
- <SYSTEM32>\regsvr32.exe /s %PROGRAM_FILES%\fx678Toolbar\fx678Toolbar.dll
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %APPDATA%\Baidu\Toolbar\rc.dat
- %TEMP%\DelTemp.bat
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\伴侣导航.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\屏蔽列表.url
- %PROGRAM_FILES%\Baidu\Toolbar\BaiduBarX.dll
- %TEMP%\nsa6.tmp\modern-wizard.bmp
- %PROGRAM_FILES%\Baidu\Toolbar\BarBroker.exe
- %PROGRAM_FILES%\Baidu\Toolbar\rc.dll
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\个性化首页.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\隐私保护.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\卸载百度工具栏.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\自定义按钮.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\广告拦截.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\帮助指南.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\修复功能.url
- %ALLUSERSPROFILE%\Start Menu\Programs\百度工具栏\垃圾清理.url
- %TEMP%\nsa6.tmp\ioSpecial.ini
- %TEMP%\Setupnn.exe
- %WINDIR%\ime\SPTIPIMERS.ini
- %HOMEPATH%\Desktop\Internet Explorer.url
- %HOMEPATH%\Favorites\ѕ«Ж·НшЦ·µјєЅ.url
- %TEMP%\ACSE.exe
- %TEMP%\nsf2.tmp\System.dll
- %TEMP%\TheWorld_OEM_4.exe
- %TEMP%\cqaotu.exe
- %TEMP%\nsr5.tmp
- %HOMEPATH%\Desktop\№єОпЙМіЗ.url
- %PROGRAM_FILES%\fx678Toolbar\fx678Toolbar.dll
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\№єОпЙМіЗ.url
- %APPDATA%\Baidu\Toolbar\Custom Buttons\custom.xml
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Жф¶Ї Internet Explorer дЇААЖч.url
- %HOMEPATH%\Start Menu\Жф¶Ї Internet Explorer дЇААЖч.url
- %PROGRAM_FILES%\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
Deletes the following files:
- %TEMP%\ACSE.exe
- %TEMP%\nsf2.tmp\System.dll
Network activity:
Connects to:
- 'localhost':1037
UDP:
- DNS ASK hi##.qqjes.com
- DNS ASK ba#.#job123.com
- DNS ASK ud#.#job123.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '#32770' WindowName: ''