Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\ControlSet001\services\DgSafe] 'ImagePath' = '<DRIVERS>\DgSafe.sys'
- [HKLM\SYSTEM\ControlSet001\services\DgSafe] 'Start' = '00000002'
- [HKLM\SYSTEM\ControlSet002\services\DgSafe] 'ImagePath' = '<DRIVERS>\DgSafe.sys'
- [HKLM\SYSTEM\ControlSet002\services\DgSafe] 'Start' = '00000002'
- [HKLM\SYSTEM\ControlSet001\services\DGPNPSEV] 'ImagePath' = '<Current directory>\DgService.exe'
- [HKLM\SYSTEM\ControlSet001\services\DGPNPSEV] 'Start' = '00000002'
- [HKLM\SYSTEM\ControlSet002\services\DGPNPSEV] 'ImagePath' = '<Current directory>\DgService.exe'
- [HKLM\SYSTEM\ControlSet002\services\DGPNPSEV] 'Start' = '00000002'
Malicious functions
Registers file system filter
- [HKLM\SYSTEM\ControlSet001\services\DgSafe] 'Group' = 'FSFilter Anti-Virus'
- [HKLM\SYSTEM\ControlSet002\services\DgSafe] 'Group' = 'FSFilter Anti-Virus'
Modifies file system
Creates the following files
- <Current directory>\drvinst64.exe
- %APPDATA%\dg\images\osx_drag_top.gif
- %APPDATA%\dg\images\osx_drag_middle_new2.png
- %APPDATA%\dg\images\osx_drag_middle_new.png
- %APPDATA%\dg\images\osx_drag_middle_new.gif
- %APPDATA%\dg\images\osx_drag_bottom.png
- %APPDATA%\dg\images\osx_drag_bottom.gif
- %APPDATA%\dg\images\openfolder.png
- %APPDATA%\dg\images\next.png
- %APPDATA%\dg\images\loading.gif
- %APPDATA%\dg\images\install_loading_6.png
- %APPDATA%\dg\images\install_loading_5.png
- %APPDATA%\dg\images\install_loading_4.png
- %APPDATA%\dg\images\install_loading_3.png
- %APPDATA%\dg\images\install_loading_2.png
- %APPDATA%\dg\images\install_loading_1.png
- %APPDATA%\dg\images\install_fail.gif
- %APPDATA%\dg\images\fastfun.png
- %APPDATA%\dg\images\dell_s.png
- %APPDATA%\dg\images\cate_soft.png
- %APPDATA%\dg\images\cate_game.png
- %APPDATA%\dg\images\busy.gif
- %APPDATA%\dg\images\osx_drag_top.png
- %APPDATA%\dg\images\progressbar.gif
- %TEMP%\evbf4c8.tmp
- %APPDATA%\dg\images\progressbg_green.gif
- %APPDATA%\dg\images\z_bg_l_00201.png
- %APPDATA%\dg\images\z_10_9.png
- %APPDATA%\dg\images\z_09_9.png
- %APPDATA%\dg\images\z_08_9.png
- %APPDATA%\dg\images\z_010_03.png
- %APPDATA%\dg\images\y_09_9.png
- %APPDATA%\dg\images\uh_05.gif
- %APPDATA%\dg\images\topicons.png
- %APPDATA%\dg\images\tab01_ico01.jpg
- %APPDATA%\dg\images\spacer.gif
- %APPDATA%\dg\images\sj_topnav0.png
- %APPDATA%\dg\images\sj_searchtext.png
- %APPDATA%\dg\images\sj_refresh.png
- %APPDATA%\dg\images\sj_home.png
- %APPDATA%\dg\images\sj_go.png
- %APPDATA%\dg\images\sj_back.png
- %APPDATA%\dg\images\search.png
- %APPDATA%\dg\images\sanjiao.png
- %APPDATA%\dg\images\rightdevice.png
- %APPDATA%\dg\images\progressbg_red.gif
- %APPDATA%\dg\images\progressbg_orange.gif
- %APPDATA%\dg\images\basic01.bmp
- %APPDATA%\dg\images\osx_track.gif
- %APPDATA%\dg\images\back.png
- %APPDATA%\dg\js\jquery.effects.slide.js
- %APPDATA%\dg\js\highcharts.js
- %APPDATA%\dg\dg002.dat
- %APPDATA%\dg\dg001.dat
- %APPDATA%\dg\css\sj_default.css
- %APPDATA%\dg\css\jscrollpane.css
- %APPDATA%\dg\css\jquery.tablescroll.css
- %APPDATA%\dg\css\index.css
- %TEMP%\evbd9d7.tmp
- %TEMP%\evbd600.tmp
- %TEMP%\evbd5df.tmp
- %TEMP%\evbd5cf.tmp
- %TEMP%\evbd580.tmp
- %TEMP%\evbd540.tmp
- %TEMP%\evbd4a3.tmp
- %TEMP%\evbd474.tmp
- %TEMP%\evbd444.tmp
- %TEMP%\evbd388.tmp
- %TEMP%\evbd2fa.tmp
- %TEMP%\evbd25d.tmp
- %TEMP%\evbd1ef.tmp
- %TEMP%\evbd1bf.tmp
- %APPDATA%\dg\js\jquery.effects.core.js
- %APPDATA%\dg\js\jquery.jscrollpane.min.js
- %APPDATA%\dg\images\8_bg_07.png
- %APPDATA%\dg\js\jquery.min.js
- %APPDATA%\dg\images\2012_0_035.bmp
- %APPDATA%\dg\images\0_97_003.png
- %APPDATA%\dg\images\0_97_002.png
- %APPDATA%\dg\images\0_0_900.png
- %APPDATA%\dg\images\0_099.png
- %APPDATA%\dg\images\0_098.png
- %APPDATA%\dg\images\0_097.png
- %APPDATA%\dg\images\00_012.gif
- %APPDATA%\dg\images\00_011.gif
- %APPDATA%\dg\temp2.htm
- %APPDATA%\dg\temp.htm
- %APPDATA%\dg\sensorgroup.csv
- %APPDATA%\dg\sensor.csv
- %APPDATA%\dg\js\jscrollpane.js
- %APPDATA%\dg\js\jquery-loading.js
- %APPDATA%\dg\js\jquery_1.2.6.js
- %APPDATA%\dg\js\jquery.tablescroll.js
- %APPDATA%\dg\js\jquery.progressloading.js
- %APPDATA%\dg\js\jquery.progressbar.js
- %APPDATA%\dg\js\jquery.path.js
- %APPDATA%\dg\js\jquery.mousewheel.js
- %APPDATA%\dg\images\a_002.png
- %TEMP%\evbf4f7.tmp
Network activity
Connects to
- 'li#######e5.drivergenius.com':80
- 'li#######e6.drivergenius.com':80
TCP
HTTP POST requests
- http://li#######e6.drivergenius.com/InstallCount.aspx
UDP
- DNS ASK li#######e5.drivergenius.com
- DNS ASK li#######e6.drivergenius.com