Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe] 'Debugger' = 'wmxperq.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'conime.exe' = 'conime.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\wmxperq.exe' = '<SYSTEM32>\wmxperq.exe:*:Enabled:LAN Router'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\wmxperq.exe' = '<SYSTEM32>\wmxperq.exe:*:Enabled:LAN Router'
Creates and executes the following:
- '<SYSTEM32>\wmxperq.exe' <Full path to virus>
Executes the following:
- '<SYSTEM32>\sc.exe' /C sc delete SPF4
- '<SYSTEM32>\sc.exe' /pid=2444
- '<SYSTEM32>\net1.exe' stop SPF4
- '<SYSTEM32>\net.exe' stop SPF4
- '<SYSTEM32>\sc.exe' delete SbPF.Launcher
- '<SYSTEM32>\net1.exe' /pid=3616
- '<SYSTEM32>\sc.exe' /C sc config SPF4 start= disabled
- '<SYSTEM32>\net1.exe' stop SbPF.Launcher
- '<SYSTEM32>\sc.exe' config SPF4 start= disabled
- '<SYSTEM32>\sc.exe' /C sc stop SAVService
- '<SYSTEM32>\sc.exe' config acssrv start= disabled
- '<SYSTEM32>\net1.exe' stop acssrv
- '<SYSTEM32>\sc.exe' delete acssrv
- '<SYSTEM32>\sc.exe' /pid=2448
- '<SYSTEM32>\sc.exe' /C net stop acssrv
- '<SYSTEM32>\net.exe' stop acssrv
- '<SYSTEM32>\sc.exe' /pid=3668
- '<SYSTEM32>\sc.exe' config SbPF.Launcher start= disabled
- '<SYSTEM32>\net.exe' stop cmdAgent
- '<SYSTEM32>\net1.exe' stop SmcService
- '<SYSTEM32>\sc.exe' config cmdAgent start= disabled
- '<SYSTEM32>\sc.exe' stop cmdAgent
- '<SYSTEM32>\sc.exe' stop SmcService
- '<SYSTEM32>\sc.exe' /C sc delete SmcService
- '<SYSTEM32>\sc.exe' delete SmcService
- '<SYSTEM32>\net1.exe' /pid=3988
- '<SYSTEM32>\sc.exe' delete cmdAgent
- '<SYSTEM32>\net1.exe' stop vsmon
- '<SYSTEM32>\sc.exe' /C sc stop SbPF.Launcher
- '<SYSTEM32>\sc.exe' stop SbPF.Launcher
- '<SYSTEM32>\net.exe' stop SbPF.Launcher
- '<SYSTEM32>\net.exe' stop vsmon
- '<SYSTEM32>\net1.exe' stop cmdAgent
- '<SYSTEM32>\sc.exe' config vsmon start= disabled
- '<SYSTEM32>\sc.exe' stop vsmon
- '<SYSTEM32>\net.exe' stop "Sophos Client Firewall"
- '<SYSTEM32>\net1.exe' /pid=3912
- '<SYSTEM32>\sc.exe' config "Sophos Client Firewall" start= disabled
- '<SYSTEM32>\sc.exe' stop "Sophos Client Firewall"
- '<SYSTEM32>\sc.exe' delete "Sophos AutoUpdate Service"
- '<SYSTEM32>\net1.exe' /C sc config "Sophos Client Firewall" start= disabled
- '<SYSTEM32>\sc.exe' /pid=3384
- '<SYSTEM32>\sc.exe' /pid=3888
- '<SYSTEM32>\net1.exe' /pid=3940
- '<SYSTEM32>\net1.exe' stop "Sophos Client Firewall Manager"
- '<SYSTEM32>\sc.exe' config "Sophos Client Firewall Manager" start= disabled
- '<SYSTEM32>\sc.exe' /pid=3356
- '<SYSTEM32>\sc.exe' delete "Sophos Client Firewall Manager"
- '<SYSTEM32>\sc.exe' delete "Sophos Client Firewall"
- '<SYSTEM32>\net1.exe' stop "Sophos Client Firewall"
- '<SYSTEM32>\sc.exe' stop "Sophos Client Firewall Manager"
- '<SYSTEM32>\net.exe' stop "Sophos Client Firewall Manager"
- '<SYSTEM32>\net.exe' /C sc stop "Sophos Client Firewall"
- '<SYSTEM32>\sc.exe' /C sc delete SAVAdminService
- '<SYSTEM32>\sc.exe' delete SAVService
- '<SYSTEM32>\sc.exe' /pid=3796
- '<SYSTEM32>\net.exe' stop SAVAdminService
- '<SYSTEM32>\sc.exe' stop SAVService
- '<SYSTEM32>\net.exe' stop SAVService
- '<SYSTEM32>\net1.exe' stop SAVService
- '<SYSTEM32>\sc.exe' config SavService start= disabled
- '<SYSTEM32>\sc.exe' stop SAVAdminService
- '<SYSTEM32>\sc.exe' stop "Sophos AutoUpdate Service"
- '<SYSTEM32>\net.exe' stop "Sophos AutoUpdate Service"
- '<SYSTEM32>\sc.exe' /C net stop "Sophos Client Firewall"
- '<SYSTEM32>\sc.exe' config "Sophos AutoUpdate Service" start= disabled
- '<SYSTEM32>\sc.exe' delete SAVAdminService
- '<SYSTEM32>\net1.exe' config SAVAdminService start= disabled
- '<SYSTEM32>\net1.exe' stop SAVAdminService
- '<SYSTEM32>\sc.exe' /pid=3280
- '<SYSTEM32>\sc.exe' config PASRV start= disabled
- '<SYSTEM32>\sc.exe' stop PASRV
- '<SYSTEM32>\net1.exe' stop PASRV
- '<SYSTEM32>\sc.exe' delete PASRV
- '<SYSTEM32>\sc.exe' delete AntiVirService
- '<SYSTEM32>\sc.exe' config AntiVirService start= disabled
- '<SYSTEM32>\net1.exe' stop AntiVirService
- '<SYSTEM32>\net.exe' stop PASRV
- '<SYSTEM32>\net.exe' stop VSSERV
- '<SYSTEM32>\sc.exe' stop avg8wd
- '<SYSTEM32>\net1.exe' stop VSSERV
- '<SYSTEM32>\sc.exe' delete avg8wd
- '<SYSTEM32>\sc.exe' config avg8wd start= disabled
- '<SYSTEM32>\sc.exe' config VSSERV start= disabled
- '<SYSTEM32>\sc.exe' stop VSSERV
- '<SYSTEM32>\net.exe' stop avg8wd
- '<SYSTEM32>\sc.exe' delete VSSERV
- '<SYSTEM32>\sc.exe' stop AntiVirService
- '<SYSTEM32>\net1.exe' stop K7RTScan
- '<SYSTEM32>\sc.exe' delete K7RTScan
- '<SYSTEM32>\sc.exe' stop K7TSMngr
- '<SYSTEM32>\net.exe' stop K7TSMngr
- '<SYSTEM32>\net.exe' stop K7RTScan
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\sc.exe' config K7RTScan start= disabled
- '<SYSTEM32>\sc.exe' stop K7RTScan
- '<SYSTEM32>\sc.exe' config K7TSMngr start= disabled
- '<SYSTEM32>\sc.exe' delete "avast! Antivirus"
- '<SYSTEM32>\sc.exe' config "avast! Antivirus" start= disabled
- '<SYSTEM32>\net.exe' stop AntiVirService
- '<SYSTEM32>\net1.exe' stop "avast! Antivirus"
- '<SYSTEM32>\net1.exe' stop K7TSMngr
- '<SYSTEM32>\sc.exe' delete K7TSMngr
- '<SYSTEM32>\sc.exe' stop "avast! Antivirus"
- '<SYSTEM32>\net.exe' stop "avast! Antivirus"
- '<SYSTEM32>\sc.exe' config OutpostFirewall start= disabled
- '<SYSTEM32>\sc.exe' stop OutpostFirewall
- '<SYSTEM32>\net.exe' stop TmPfw
- '<SYSTEM32>\sc.exe' delete OutpostFirewall
- '<SYSTEM32>\sc.exe' delete McShield
- '<SYSTEM32>\sc.exe' config McShield start= disabled
- '<SYSTEM32>\net.exe' stop OutpostFirewall
- '<SYSTEM32>\net1.exe' stop McShield
- '<SYSTEM32>\net1.exe' stop OutpostFirewall
- '<SYSTEM32>\sc.exe' stop KPF4
- '<SYSTEM32>\net.exe' stop KPF4
- '<SYSTEM32>\sc.exe' delete KPF4
- '<SYSTEM32>\sc.exe' config KPF4 start= disabled
- '<SYSTEM32>\sc.exe' config TmPfw start= disabled
- '<SYSTEM32>\sc.exe' stop TmPfw
- '<SYSTEM32>\net1.exe' stop TmPfw
- '<SYSTEM32>\sc.exe' delete TmPfw
- '<SYSTEM32>\sc.exe' stop McShield
- '<SYSTEM32>\net1.exe' stop avg9wd
- '<SYSTEM32>\sc.exe' delete avg9wd
- '<SYSTEM32>\sc.exe' stop NOD32krn
- '<SYSTEM32>\net.exe' stop NOD32krn
- '<SYSTEM32>\net.exe' stop avg9wd
- '<SYSTEM32>\net1.exe' stop avg8wd
- '<SYSTEM32>\sc.exe' config avg9wd start= disabled
- '<SYSTEM32>\sc.exe' stop avg9wd
- '<SYSTEM32>\sc.exe' config NOD32krn start= disabled
- '<SYSTEM32>\sc.exe' delete ekrn
- '<SYSTEM32>\sc.exe' config ekrn start= disabled
- '<SYSTEM32>\net1.exe' stop ekrn
- '<SYSTEM32>\net.exe' stop McShield
- '<SYSTEM32>\net1.exe' stop NOD32krn
- '<SYSTEM32>\sc.exe' delete NOD32krn
- '<SYSTEM32>\sc.exe' stop ekrn
- '<SYSTEM32>\net.exe' stop ekrn
Injects code into
the following system processes:
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\net.exe
- <SYSTEM32>\sc.exe
- <SYSTEM32>\net1.exe
Terminates or attempts to terminate
the following user processes:
- ntvdm.exe
- GUARD.EXE
Modifies file system :
Creates the following files:
- <SYSTEM32>\wmxperq.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\wmxperq.exe
Deletes itself.
Network activity:
UDP:
- DNS ASK ns##.###kingd0xb0x28.org.uk
- DNS ASK ns##.##ds3rverhost45.me
- DNS ASK ns##.##chosting94.co.uk
- DNS ASK ns##.##perh0sting27.me
- DNS ASK se####.#uperh0sting27.me