Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '?????' = '%ALLUSERSPROFILE%\Synaptics\Synaptics.exe'
Infects the following executable files
- %HOMEPATH%\desktop\notepad.exe
Modifies file system
Creates the following files
- <Current directory>\._cache_<File name>.exe
- %ALLUSERSPROFILE%\synaptics\synaptics.exe
- <Current directory>\._cache_synaptics.exe
- %TEMP%\ewczjlrh.exe
- %TEMP%\rcxbc2d.tmp
- %TEMP%\ewczjlrh.ico
- %TEMP%\rcxbecd.tmp
Sets the 'hidden' attribute to the following files
- <Current directory>\._cache_<File name>.exe
- %ALLUSERSPROFILE%\synaptics\synaptics.exe
- <Current directory>\._cache_synaptics.exe
Deletes the following files
- %TEMP%\ewczjlrh.exe
- %TEMP%\ewczjlrh.ico
Moves the following files
- from %TEMP%\rcxbc2d.tmp to %TEMP%\ewczjlrh.exe
- from %TEMP%\rcxbecd.tmp to %TEMP%\ewczjlrh.exe
Network activity
Connects to
- 'fr####s.afraid.org':80
TCP
HTTP GET requests
- http://fr####s.afraid.org/api/?ac###########################################################
UDP
- DNS ASK xr##.mooo.com
- DNS ASK fr####s.afraid.org
Miscellaneous
Searches for the following windows
- ClassName: 'MS_WINHELP' WindowName: ''
Creates and executes the following
- '<Current directory>\._cache_<File name>.exe'
- '%ALLUSERSPROFILE%\synaptics\synaptics.exe' InjUpdate
- '<Current directory>\._cache_synaptics.exe' InjUpdate