Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'services.exe' = '"%APPDATA%\Microsoft\Windows\services.exe" -start'
Creates the following files on removable media
- <Drive name for removable media>:\!!! all your files are encrypted !!!.txt
- <Drive name for removable media>:\sioc.rdf
- <Drive name for removable media>:\schema.rdf
- <Drive name for removable media>:\contenttypes.rdf
- <Drive name for removable media>:\samieee_obiee_presentation.pptx
- <Drive name for removable media>:\iso27k_isms_implementation_and_certification_process_overview_v2.pptx
- <Drive name for removable media>:\stoc13_ml_quoc_le.pptx
- <Drive name for removable media>:\indogerman2010.pptx
- <Drive name for removable media>:\sacs_presentation_sacs_qep_improving_rt_education_final.ppt
- <Drive name for removable media>:\metac.ppt
- <Drive name for removable media>:\ksearch_esa_talk.ppt
- <Drive name for removable media>:\accountsreceivable.ppt
- <Drive name for removable media>:\arrow-down.png
- <Drive name for removable media>:\asm.png
- <Drive name for removable media>:\bg_search_box.png
- <Drive name for removable media>:\calibre.png
- <Drive name for removable media>:\dissolveanother.png
- <Drive name for removable media>:\tunpersonalca1.pem
- <Drive name for removable media>:\ck.pem
- <Drive name for removable media>:\delongcacert.pem
- <Drive name for removable media>:\cert.pem
- <Drive name for removable media>:\investmentbankca_ca8.pem
- <Drive name for removable media>:\elvisimp.rdf
- <Drive name for removable media>:\swc_2009-03-02.rdf
- <Drive name for removable media>:\price.zip
- <Drive name for removable media>:\router_manual.rtf
- <Drive name for removable media>:\1sm_price.zip
- <Drive name for removable media>:\fiche_inscription_2015.zip
- <Drive name for removable media>:\excel_example.zip
- <Drive name for removable media>:\national_autism_preparation_programs.xlsx
- <Drive name for removable media>:\trtf_matrix2012_oct.xlsx
- <Drive name for removable media>:\2013_smccc_competition_points_jul2013.xlsx
- <Drive name for removable media>:\highly_cited_2001.xlsx
- <Drive name for removable media>:\cee_mmsprogram_summary_public.xlsx
- <Drive name for removable media>:\disclosuredetails.xlsx
- <Drive name for removable media>:\excel_example.xls
- <Drive name for removable media>:\calculatorworksheet.xls
- <Drive name for removable media>:\productos.xls
- <Drive name for removable media>:\babyboymaintoscenesbackground.wmv
- <Drive name for removable media>:\flower_trans_matte.wmv
- <Drive name for removable media>:\babyboymaintoscenesbackground_pal.wmv
- <Drive name for removable media>:\babyboymaintonotesbackground_pal.wmv
- <Drive name for removable media>:\passport_pal.wmv
- <Drive name for removable media>:\military_callsigns_0311.rtf
- <Drive name for removable media>:\pubnet_855.rtf
- <Drive name for removable media>:\static_electricity_easy_and_quick_activities.rtf
- <Drive name for removable media>:\pandp.rtf
- <Drive name for removable media>:\ck_ugo.pem
- <Drive name for removable media>:\20140114.rdf
- <Drive name for removable media>:\ff_ot_user_guide.pdf
- <Drive name for removable media>:\ituneshelpunavailable.htm
- <Drive name for removable media>:\trivial-merge.htm
- <Drive name for removable media>:\wrar520.exe
- <Drive name for removable media>:\chromesetup.exe
- <Drive name for removable media>:\calc.exe
- <Drive name for removable media>:\skypesetup.exe
- <Drive name for removable media>:\dotnetfx45_full_setup.exe
- <Drive name for removable media>:\notepad.exe
- <Drive name for removable media>:\sdszfo.docx
- <Drive name for removable media>:\hadac_newsletter_july_2010_final.docx
- <Drive name for removable media>:\nwfieldnotes1966.docx
- <Drive name for removable media>:\lisp_success.doc
- <Drive name for removable media>:\cveuropeo.doc
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\508softwareandos.doc
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\sdkfailsafeemulator.cer
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\dashborder_96.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\correct.avi
- <Drive name for removable media>:\join.avi
- <Drive name for removable media>:\64bit_notes.htm
- <Drive name for removable media>:\advice_process.htm
- <Drive name for removable media>:\spib_pima.pdf
- <Drive name for removable media>:\iisstart.htm
- <Drive name for removable media>:\2015-02-patients-topic-work-related-asthma-jobs.pdf
- <Drive name for removable media>:\lom602.pdf
- <Drive name for removable media>:\d0068197bb5a41fea16a220c45390606.mp4
- <Drive name for removable media>:\video_1.mp4
- <Drive name for removable media>:\clip_480_5sec_6mbps_h264.mp4
- <Drive name for removable media>:\etc6_m_1.mov
- <Drive name for removable media>:\scan.mov
- <Drive name for removable media>:\spanner.mov
- <Drive name for removable media>:\dag2_panel1_320_ref.mov
- <Drive name for removable media>:\3.jpg
- <Drive name for removable media>:\4f0bf7ff71f28.jpg
- <Drive name for removable media>:\pushkin.jpg
- <Drive name for removable media>:\2.jpg
- <Drive name for removable media>:\parnas_01.jpeg
- <Drive name for removable media>:\3.jpeg
- <Drive name for removable media>:\4f0bf7ff71f28.jpeg
- <Drive name for removable media>:\pushkin.jpeg
- <Drive name for removable media>:\howto-index.html
- <Drive name for removable media>:\browse.html
- <Drive name for removable media>:\trivial-merge.html
- <Drive name for removable media>:\about.html
- <Drive name for removable media>:\7790_preview.pdf
- <Drive name for removable media>:\calculatorworksheet.zip
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Injects code into
the following system processes:
- %WINDIR%\syswow64\notepad.exe
Modifies file system
Creates the following files
- %TEMP%\05f5bf5f.zeppelin
- %APPDATA%\microsoft\windows\services.exe
- %TEMP%\edb7477f.zeppelin
- %TEMP%\~temp001.bat
- D:\$recycle.bin\.zeppelin
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.zeppelin
- D:\!!! all your files are encrypted !!!.txt
- D:\$recycle.bin\!!! all your files are encrypted !!!.txt
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\!!! all your files are encrypted !!!.txt
- C:\$recycle.bin\.zeppelin
- C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.zeppelin
Deletes the following files
- %TEMP%\05f5bf5f.zeppelin
- %TEMP%\edb7477f.zeppelin
Modifies the following files
- <Drive name for removable media>:\join.avi
- <Drive name for removable media>:\correct.avi
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\dashborder_96.bmp
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\sdkfailsafeemulator.cer
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\508softwareandos.doc
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\cveuropeo.doc
- <Drive name for removable media>:\lisp_success.doc
- <Drive name for removable media>:\indogerman2010.pptx
- <Drive name for removable media>:\stoc13_ml_quoc_le.pptx
- <Drive name for removable media>:\iso27k_isms_implementation_and_certification_process_overview_v2.pptx
- <Drive name for removable media>:\samieee_obiee_presentation.pptx
Deletes itself.
Modifies user data files (Trojan.Encoder).
Network activity
Connects to
- 'ge###tool.com':80
- 'ge###tool.com':443
- 'ip###ger.org':80
- 'ip###ger.org':443
- 'oc##.#ectigo.com':80
TCP
Other
- 'ge###tool.com':443
- 'ip###ger.org':443
UDP
- DNS ASK ge###tool.com
- DNS ASK ge###tatool.com
- DNS ASK ip###ger.org
- DNS ASK oc##.#ectigo.com
Miscellaneous
Creates and executes the following
- '%APPDATA%\microsoft\windows\services.exe' -start
- '%APPDATA%\microsoft\windows\services.exe' -agent 0
- '%APPDATA%\microsoft\windows\services.exe' -agent 1
- '%APPDATA%\microsoft\windows\services.exe' -agent 2
- '%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C %TEMP%\~temp001.bat' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\notepad.exe'
- '%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet
- '%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet
- '%WINDIR%\syswow64\cmd.exe' /C %TEMP%\~temp001.bat