Technical Information
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Modifies file system
Creates the following files
- %TEMP%\sfx.ini
- C:\extracted\server.exe
- C:\extracted\sex.avi
- %APPDATA%\addon.dat
Deletes the following files
- %TEMP%\sfx.ini
Network activity
Connects to
- 'redir.metaservices.microsoft.com':80
- 'onlinestores.metaservices.microsoft.com':80
TCP
HTTP GET requests
- http://redir.metaservices.microsoft.com/redir/allservices/?sv################################################################################
- http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv################################################################################
- http://onlinestores.metaservices.microsoft.com/bing/bing.xml
UDP
- DNS ASK redir.metaservices.microsoft.com
- DNS ASK onlinestores.metaservices.microsoft.com
Miscellaneous
Searches for the following windows
- ClassName: 'JFWUI2' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
Creates and executes the following
- 'C:\extracted\server.exe'
Executes the following
- '%ProgramFiles(x86)%\windows media player\wmplayer.exe' /Play -Embedding
- 'C:\extracted\server.exe' ' (with hidden window)