Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Userinit' = '%APPDATA%\Roaming\jabconf32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%APPDATA%\Roaming\jabconf32.exe,'
Malicious functions:
Executes the following:
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\WerFault.exe
- <SYSTEM32>\wermgr.exe
- <SYSTEM32>\Dwm.exe
- <SYSTEM32>\taskhost.exe
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %APPDATA%\Roaming\jabconf32.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\Roaming\jabconf32.exe
Deletes itself.
Network activity:
Connects to:
- 'di#######redehydratorysagp.com':80
TCP:
HTTP POST requests:
- di#######redehydratorysagp.com/welcome.php
UDP:
- DNS ASK di#######redehydratorysagp.com
- DNS ASK www.go##le.de
- '22#.0.0.252':5355