Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\TempFile(1).exe'
- '%TEMP%\SiZhu.exe' SiZhu
- '%TEMP%\TempFile(1).exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vip[1].exe
- %TEMP%\TempFile(1).exe
- %TEMP%\fsmhhb
- %TEMP%\SiZhu.exe
- %TEMP%\ifwuga
Sets the 'hidden' attribute to the following files:
- %TEMP%\SiZhu.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vip[1].exe
- %TEMP%\fsmhhb
- %TEMP%\ifwuga
Network activity:
Connects to:
- '40####308.5166.info':80
TCP:
HTTP GET requests:
- 40####308.5166.info/vip.exe
UDP:
- DNS ASK 40####308.5166.info