Technical Information
To ensure autorun and distribution
Creates the following files on removable media
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\lisp_success.doc.lnk
- <Drive name for removable media>:\hanni_umami_chapter.doc.lnk
- <Drive name for removable media>:\508softwareandos.doc.lnk
- <Drive name for removable media>:\applicantform_en.doc.lnk
- <Drive name for removable media>:\ovp25012015.doc.lnk
- <Drive name for removable media>:\february_catalogue__2015.doc.lnk
- <Drive name for removable media>:\weeklysheet1215.doc.lnk
- <Drive name for removable media>:\coffee.bmp.lnk
- <Drive name for removable media>:\dial.bmp.lnk
- <Drive name for removable media>:\dashborder_144.bmp.lnk
- <Drive name for removable media>:\dashborder_96.bmp.lnk
- <Drive name for removable media>:\dashborder_120.bmp.lnk
- <Drive name for removable media>:\split.avi.lnk
- <Drive name for removable media>:\tueuxijx.exe
- <Drive name for removable media>:\tueuxij.exe
- <Drive name for removable media>:\cveuropeo.doc.lnk
- <Drive name for removable media>:\parnas_01.jpg.lnk
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
the following user processes:
- iexplore.exe
Searches for windows to detect programs and games:
- ClassName: 'SkinuxWindow', WindowName: 'MySpaceIM with Skype'
Modifies settings of Windows Internet Explorer
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\] '1806' = '00000000'
Modifies file system
Creates the following files
- %HOMEPATH%\atlop.exe
- %HOMEPATH%\bmpod.exe
- %HOMEPATH%\cmpod.exe
- %HOMEPATH%\dmpod.exe
- %HOMEPATH%\tueuxij.exe
- %HOMEPATH%\a.bat
- %TEMP%\ekz..bat
Sets the 'hidden' attribute to the following files
- %HOMEPATH%\tueuxij.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\tueuxij.exe
- <Drive name for removable media>:\tueuxijx.exe
Deletes the following files
- %HOMEPATH%\bmpod.exe
- %HOMEPATH%\atlop.exe
- %HOMEPATH%\cmpod.exe
Moves the following files
- from %HOMEPATH%\dmpod.exe to %TEMP%\3cf1.tmp
Network activity
UDP
- DNS ASK am###n.co.uk
- DNS ASK ez####rticles.com
- DNS ASK ab####lipware.in
- DNS ASK je###mber.in
- DNS ASK fl###ogtags.in
Miscellaneous
Searches for the following windows
- ClassName: '739155247' WindowName: '1255247853'
Creates and executes the following
- '%HOMEPATH%\atlop.exe'
- '%HOMEPATH%\tueuxij.exe'
- '%HOMEPATH%\bmpod.exe'
- '%HOMEPATH%\cmpod.exe'
- '%HOMEPATH%\dmpod.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c tasklist&&del atlop.exe
- '%WINDIR%\syswow64\tasklist.exe'
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%HOMEPATH%\a.bat" "
- '%WINDIR%\syswow64\cmd.exe' /q /c "%TEMP%\Ekz..bat" > nul 2> nul
- '%WINDIR%\syswow64\cmd.exe' /c tasklist&&del atlop.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%HOMEPATH%\a.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /q /c "%TEMP%\Ekz..bat" > nul 2> nul' (with hidden window)