Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\PreECDD.tmp'
- '%TEMP%\PreECDD.tmp' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\wuausrv.dll",CRestart
- '<SYSTEM32>\wbem\WMIADAP.EXE' /F /T /R
- '<SYSTEM32>\NotePAD.exe' "%WINDIR%\hh.exe"
- '<SYSTEM32>\tasklist.exe'
Modifies file system :
Creates the following files:
- C:\ProgramData\Microsoft\RAC\Temp\sql279D.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sql277C.tmp
- <SYSTEM32>\LogFiles\Scm\ae46234f-0ec8-474b-b348-ab59e1fa45ce
- %TEMP%\PreECDD.tmp
- %TEMP%\vmmD5A6.tmp
- %TEMP%\vmmD5E4.tmp
- %TEMP%\~Thumbbs.tmp
Deletes the following files:
- %WINDIR%\inf\WmiApRpl\WmiApRpl.h
- %WINDIR%\inf\WmiApRpl\0019\WmiApRpl.ini
- <SYSTEM32>\Tasks\Microsoft\Windows Defender\MP Scheduled Scan
- <SYSTEM32>\PerfStringBackup.TMP
- %WINDIR%\inf\WmiApRpl\0009\WmiApRpl.ini
- C:\ProgramData\Microsoft\RAC\Temp\sql279D.tmp
- %TEMP%\vmmD5E4.tmp
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- C:\ProgramData\Microsoft\RAC\Temp\sql277C.tmp
Moves the following files:
- from %TEMP%\vmmD5A6.tmp to <SYSTEM32>\wuausrv.dll
Network activity:
Connects to:
- '17#.16.2.99':80
TCP:
HTTP GET requests:
- 17#.16.2.99/update/20110907.jpg