Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe] 'Debugger' = 'logons.exe'
Malicious functions:
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
the following user processes:
- iexplore.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
Modifies file system :
Creates the following files:
- <SYSTEM32>\logons.exe
Deletes itself.
Network activity:
Connects to:
- 'ni#####ut.servegame.com':80
- 'kr#####fow.sytes.net':80
- 'om#####tef.sendsmtp.com':80
- 'an##ra.net':80
- '74.##5.232.51':80
- 'ch###hite.com':80
- 'ki###ime.net':80
TCP:
HTTP GET requests:
- 74.##5.232.51/
HTTP POST requests:
- ni#####ut.servegame.com/mtu/gt.php
- kr#####fow.sytes.net/mtu/gt.php
- om#####tef.sendsmtp.com/mtu/gt.php
- ch###hite.com/mtu/gt.php
- ki###ime.net/mtu/gt.php
- an##ra.net/mtu/gt.php
UDP:
- DNS ASK ni#####ut.servegame.com
- DNS ASK kr#####fow.sytes.net
- DNS ASK om#####tef.sendsmtp.com
- DNS ASK an##ra.net
- DNS ASK google.com
- DNS ASK ch###hite.com
- DNS ASK ki###ime.net