Technical Information
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\rx.exe'
- '<SYSTEM32>\rx.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\Deledomn.bat
- '<SYSTEM32>\mstsc.exe'
Injects code into
the following system processes:
- <SYSTEM32>\mstsc.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\rx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\rx[1].exe
- <SYSTEM32>\Deledomn.bat
Deletes itself.
Network activity:
Connects to:
- 'www.pk##1.cn':80
- 'localhost':1036
TCP:
HTTP GET requests:
- www.pk##1.cn/8/rx.exe
UDP:
- DNS ASK www.pk##1.cn
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'