Technical Information
Malicious functions:
Creates and executes the following:
- <Current directory>\ConfigUpdate.exe
- <Current directory>\ConfigUpdate.exe (downloaded from the Internet)
Modifies file system :
Creates the following files:
- <Current directory>\ConfigUpdate.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\google[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ConfigUpdate[1].txt
- <Current directory>\Log\<Virus name>_2012-10-23.log
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\partner[1]
Network activity:
Connects to:
- 'do##.fx678.com':80
- '74.##5.232.51':80
- 'zi###.fx678.com':80
- 'localhost':1036
- 'zi###.fx678.com':6000
TCP:
HTTP GET requests:
- 74.##5.232.51/
- do##.fx678.com/version/yhtnews/ConfigUpdate.txt
- zi###.fx678.com/partner
UDP:
- DNS ASK www.google.com
- DNS ASK do##.fx678.com
- DNS ASK zi###.fx678.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''