Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Registry Background' = '<SYSTEM32>\mhituvcdmrkm.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Bluetooth Secure Host Engine Framework Tools] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\lvxgapm.exe' "<SYSTEM32>\mhituvcdmrkm.exe"
- '%WINDIR%\Temp\uxueytgc4itzwyaq.exe' -r 45258 tcp
- '%TEMP%\uxueytgc48ulwyaqub8bzsjp.exe'
- '<SYSTEM32>\mhituvcdmrkm.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\dqblfvll\run
- <SYSTEM32>\dqblfvll\rng
- <SYSTEM32>\dqblfvll\cfg
- <SYSTEM32>\dqblfvll\por
- %WINDIR%\Temp\uxueytgc4itzwyaq.exe
- %TEMP%\uxueytgc48ulwyaqub8bzsjp.exe
- <SYSTEM32>\dqblfvll\tst
- <SYSTEM32>\dqblfvll\etc
- <SYSTEM32>\lvxgapm.exe
- <SYSTEM32>\mhituvcdmrkm.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\lvxgapm.exe
- <SYSTEM32>\mhituvcdmrkm.exe
Deletes the following files:
- %WINDIR%\Temp\uxueytgc4itzwyaq.exe
- <DRIVERS>\etc\hosts
- %TEMP%\uxueytgc48ulwyaqub8bzsjp.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'sa###ish.net':80
- 'sp###ish.net':80
- 'sa###ady.net':80
- 'gl###ast.net':80
- 'ta###wing.net':80
- 'gl###ing.net':80
- 'sp###ady.net':80
- 'sp###ing.net':80
- 'wh###fish.net':80
- 'up###ish.net':80
- 'sa###ast.net':80
- 'sp###ast.net':80
- 'sa###ing.net':80
- 'eq###lady.net':80
- 'gr###past.net':80
- 'eq###past.net':80
- 'gr###fish.net':80
- 'eq###fish.net':80
- 'gr###lady.net':80
- 'gr###wing.net':80
- 'ta###lady.net':80
- 'gl###ady.net':80
- 'ta###past.net':80
- 'eq###wing.net':80
- 'ta###fish.net':80
- 'gl###ish.net':80
- 'th###uide.net':80
- 'dr###guide.net':80
- 'th###ame.net':80
- 'ar###wing.net':80
- 'th###ate.net':80
- 'dr###late.net':80
- 'la###onea.com':80
- 'ju###ray.net':80
- 'fr###secas.com':80
- 'ka####ndertu.com':80
- 'da###ekilai.com':80
- 'ta###fruit.net':80
- 'st###march.net':80
- 'up###ast.net':80
- 'wh###wing.net':80
- 'up###ing.net':80
- 'wh###lady.net':80
- 'up###ady.net':80
- 'wh###past.net':80
- 'so###fish.net':80
- 'so###past.net':80
- 'ar###past.net':80
- 'so###wing.net':80
- 'ar###fish.net':80
- 'so###lady.net':80
- 'ar###lady.net':80
TCP:
HTTP GET requests:
- sa###ish.net/forum/search.php?me#########################################
- sp###ish.net/forum/search.php?me#########################################
- sa###ady.net/forum/search.php?me#########################################
- gl###ast.net/forum/search.php?me#########################################
- ta###wing.net/forum/search.php?me#########################################
- gl###ing.net/forum/search.php?me#########################################
- sp###ady.net/forum/search.php?me#########################################
- sp###ing.net/forum/search.php?me#########################################
- wh###fish.net/forum/search.php?me#########################################
- up###ish.net/forum/search.php?me#########################################
- sa###ast.net/forum/search.php?me#########################################
- sp###ast.net/forum/search.php?me#########################################
- sa###ing.net/forum/search.php?me#########################################
- eq###lady.net/forum/search.php?me#########################################
- gr###past.net/forum/search.php?me#########################################
- eq###past.net/forum/search.php?me#########################################
- gr###fish.net/forum/search.php?me#########################################
- eq###fish.net/forum/search.php?me#########################################
- gr###lady.net/forum/search.php?me#########################################
- gr###wing.net/forum/search.php?me#########################################
- ta###lady.net/forum/search.php?me#########################################
- gl###ady.net/forum/search.php?me#########################################
- ta###past.net/forum/search.php?me#########################################
- eq###wing.net/forum/search.php?me#########################################
- ta###fish.net/forum/search.php?me#########################################
- gl###ish.net/forum/search.php?me#########################################
- th###uide.net/forum/search.php?me#########################################
- dr###guide.net/forum/search.php?me#########################################
- th###ame.net/forum/search.php?me#########################################
- ar###wing.net/forum/search.php?me#########################################
- th###ate.net/forum/search.php?me#########################################
- dr###late.net/forum/search.php?me#########################################
- la###onea.com/forum/search.php?me#########################################
- ju###ray.net/forum/search.php?me#########################################
- fr###secas.com/forum/search.php?me#########################################
- ka####ndertu.com/forum/search.php?me#########################################
- da###ekilai.com/forum/search.php?me#########################################
- ta###fruit.net/forum/search.php?me#########################################
- st###march.net/forum/search.php?me#########################################
- up###ast.net/forum/search.php?me#########################################
- wh###wing.net/forum/search.php?me#########################################
- up###ing.net/forum/search.php?me#########################################
- wh###lady.net/forum/search.php?me#########################################
- up###ady.net/forum/search.php?me#########################################
- wh###past.net/forum/search.php?me#########################################
- so###fish.net/forum/search.php?me#########################################
- so###past.net/forum/search.php?me#########################################
- ar###past.net/forum/search.php?me#########################################
- so###wing.net/forum/search.php?me#########################################
- ar###fish.net/forum/search.php?me#########################################
- so###lady.net/forum/search.php?me#########################################
- ar###lady.net/forum/search.php?me#########################################
UDP:
- DNS ASK sa###ish.net
- DNS ASK sp###ish.net
- DNS ASK sa###ady.net
- DNS ASK gl###ast.net
- DNS ASK ta###wing.net
- DNS ASK gl###ing.net
- DNS ASK sp###ady.net
- DNS ASK sp###ing.net
- DNS ASK wh###fish.net
- DNS ASK up###ish.net
- DNS ASK sa###ast.net
- DNS ASK sp###ast.net
- DNS ASK sa###ing.net
- DNS ASK ta###past.net
- DNS ASK gr###lady.net
- DNS ASK eq###lady.net
- DNS ASK gr###past.net
- DNS ASK sp###wing.net
- DNS ASK gr###fish.net
- DNS ASK eq###fish.net
- DNS ASK eq###past.net
- DNS ASK gl###ish.net
- DNS ASK ta###lady.net
- DNS ASK gl###ady.net
- DNS ASK gr###wing.net
- DNS ASK eq###wing.net
- DNS ASK ta###fish.net
- DNS ASK th###uide.net
- DNS ASK dr###guide.net
- DNS ASK th###ame.net
- DNS ASK ar###wing.net
- DNS ASK th###ate.net
- DNS ASK dr###late.net
- DNS ASK la###onea.com
- DNS ASK ju###ray.net
- DNS ASK fr###secas.com
- DNS ASK ka####ndertu.com
- DNS ASK da###ekilai.com
- DNS ASK ta###fruit.net
- DNS ASK st###march.net
- DNS ASK up###ast.net
- DNS ASK wh###wing.net
- DNS ASK up###ing.net
- DNS ASK wh###lady.net
- DNS ASK up###ady.net
- DNS ASK wh###past.net
- DNS ASK so###fish.net
- DNS ASK so###past.net
- DNS ASK ar###past.net
- DNS ASK so###wing.net
- DNS ASK ar###fish.net
- DNS ASK so###lady.net
- DNS ASK ar###lady.net
- '23#.#55.255.250':1900