Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysInspector.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysRescue.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrzState2k.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DF5Serv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Armor2net.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boda fire-wall.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smsniff.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regshot.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KeyScrambler.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiLogger.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TIGeR-Firewall.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUC30.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTSS.scr] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthUpd.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimpl.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimp2.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCmd.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswupdsv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Virus name>' = '%WINDIR%\%USERNAME%.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashserv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcfgex.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfrw.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe] 'Debugger' = 'ntsd -d'
Creates the following files on removable media:
- <Drive name for removable media>:\System32.exe
- <Drive name for removable media>:\System32\<Virus name>.exe
- <Drive name for removable media>:\Autorun.inf
Malicious functions:
Creates and executes the following:
- '%WINDIR%\WarNet.exe' -modify %WINDIR%\%USERNAME%.exe , %WINDIR%\%USERNAME%.exe , %WINDIR%\WarNet.ico , ICONGROUP, 1, 0
- '%WINDIR%\WarNet.exe' -extract <SYSTEM32>\shell32.dll , %WINDIR%\WarNet.ico , ICONGROUP, 4,1036
Terminates or attempts to terminate
the following user processes:
- ekrn.exe
- AVP.EXE
- ashAvast.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\oobe\html\isptype.exe
- <SYSTEM32>\oobe\html\mouse.exe
- <SYSTEM32>\oobe\html\oemcust.exe
- <SYSTEM32>\oobe\html\ispsgnup.exe
- <SYSTEM32>\oobe\setup.exe
- <SYSTEM32>\oobe\html\dslmain.exe
- <SYSTEM32>\oobe\html\iconnect.exe
- <SYSTEM32>\spool\drivers.exe
- <SYSTEM32>\spool\PRINTERS.exe
- <SYSTEM32>\spool\prtprocs.exe
- <SYSTEM32>\oobe\html\mouse\images.exe
- <SYSTEM32>\oobe\html\oemhw.exe
- <SYSTEM32>\oobe\html\oemreg.exe
- <SYSTEM32>\oobe\html\sconnect.exe
- <SYSTEM32>\mui\0C0A.exe
- <SYSTEM32>\mui\dispspec.exe
- <SYSTEM32>\oobe\actsetup.exe
- <SYSTEM32>\mui\081a.exe
- <SYSTEM32>\mui\042d.exe
- <SYSTEM32>\mui\0804.exe
- <SYSTEM32>\mui\0816.exe
- <SYSTEM32>\oobe\isperror.exe
- <SYSTEM32>\oobe\regerror.exe
- <SYSTEM32>\oobe\sample.exe
- <SYSTEM32>\oobe\images.exe
- <SYSTEM32>\oobe\error.exe
- <SYSTEM32>\oobe\html.exe
- <SYSTEM32>\oobe\icserror.exe
- <SYSTEM32>\wbem\mof\good.exe
- <SYSTEM32>\wbem\Repository\FS.exe
- <SYSTEM32>\XPSViewer\en-US.exe
- <SYSTEM32>\wbem\mof\bad.exe
- <SYSTEM32>\wbem\Repository.exe
- <SYSTEM32>\wbem\snmp.exe
- <SYSTEM32>\wbem\xml.exe
- %WINDIR%\Web\Wallpaper.exe
- %WINDIR%\Web\printers\images.exe
- %WINDIR%\WinSxS\InstallTemp.exe
- %WINDIR%\Web\printers.exe
- <Auxiliary element>
- %WINDIR%\Temp\tmp5.tmp
- %WINDIR%\Temp\tmp6.tmp
- <SYSTEM32>\spool\prtprocs\w32x86.exe
- <SYSTEM32>\spool\prtprocs\x64.exe
- <SYSTEM32>\spool\XPSEP\amd64.exe
- <SYSTEM32>\spool\drivers\w32x86\3.exe
- <SYSTEM32>\spool\XPSEP.exe
- <SYSTEM32>\spool\drivers\color.exe
- <SYSTEM32>\spool\drivers\w32x86.exe
- <SYSTEM32>\wbem\Logs.exe
- <SYSTEM32>\wbem\mof.exe
- <SYSTEM32>\wbem\Performance.exe
- <SYSTEM32>\wbem\AutoRecover.exe
- <SYSTEM32>\spool\XPSEP\i386.exe
- <SYSTEM32>\spool\XPSEP\amd64\amd64.exe
- <SYSTEM32>\spool\XPSEP\i386\i386.exe
- <SYSTEM32>\Microsoft\Protect.exe
- <SYSTEM32>\Microsoft\Protect\S-1-5-18.exe
- <SYSTEM32>\Microsoft\Protect\S-1-5-18\User.exe
- <SYSTEM32>\Macromed\Flash.exe
- <SYSTEM32>\IME\CINTLGNT.exe
- <SYSTEM32>\IME\PINTLGNT.exe
- <SYSTEM32>\IME\TINTLGNT.exe
- <SYSTEM32>\mui\0403.exe
- <SYSTEM32>\mui\0404.exe
- <SYSTEM32>\mui\0405.exe
- <SYSTEM32>\mui\0402.exe
- <SYSTEM32>\MsDtc\Trace.exe
- <SYSTEM32>\mui\0009.exe
- <SYSTEM32>\mui\0401.exe
- %WINDIR%\WarNet.exe
- %WINDIR%\WarNet.log
- %WINDIR%\WarNet.ini
- C:\System32\<Virus name>.exe
- %WINDIR%\%USERNAME%.exe
- <Current directory>\Autorun.inf
- <SYSTEM32>\DirectX\Dinput.exe
- <DRIVERS>\disdn.exe
- <DRIVERS>\etc.exe
- <SYSTEM32>\config\systemprofile\Start Menu\Programs\Accessories\Entertainment.exe
- <SYSTEM32>\config\systemprofile\Start Menu\Programs\Accessories.exe
- <SYSTEM32>\config\systemprofile\Start Menu\Programs\Startup.exe
- <SYSTEM32>\config\systemprofile\Start Menu\Programs\Accessories\Accessibility.exe
- <SYSTEM32>\mui\041b.exe
- <SYSTEM32>\mui\041D.exe
- <SYSTEM32>\mui\041e.exe
- <SYSTEM32>\mui\041a.exe
- <SYSTEM32>\mui\0416.exe
- <SYSTEM32>\mui\0418.exe
- <SYSTEM32>\mui\0419.exe
- <SYSTEM32>\mui\0426.exe
- <SYSTEM32>\mui\0427.exe
- <SYSTEM32>\mui\042a.exe
- <SYSTEM32>\mui\0425.exe
- <SYSTEM32>\mui\041f.exe
- <SYSTEM32>\mui\0422.exe
- <SYSTEM32>\mui\0424.exe
- <SYSTEM32>\mui\040b.exe
- <SYSTEM32>\mui\040C.exe
- <SYSTEM32>\mui\040D.exe
- <SYSTEM32>\mui\0409.exe
- <SYSTEM32>\mui\0406.exe
- <SYSTEM32>\mui\0407.exe
- <SYSTEM32>\mui\0408.exe
- <SYSTEM32>\mui\0413.exe
- <SYSTEM32>\mui\0414.exe
- <SYSTEM32>\mui\0415.exe
- <SYSTEM32>\mui\0412.exe
- <SYSTEM32>\mui\040e.exe
- <SYSTEM32>\mui\0410.exe
- <SYSTEM32>\mui\0411.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\WarNet.exe
- %WINDIR%\WarNet.ini
- %WINDIR%\WarNet.log
- <Drive name for removable media>:\System32\<Virus name>.exe
- <Current directory>\Autorun.inf
- C:\System32\<Virus name>.exe
- <Drive name for removable media>:\Autorun.inf
Deletes the following files:
- %WINDIR%\Temp\tmp6.tmp
- %WINDIR%\Temp\tmp5.tmp
Moves the following files:
- from <SYSTEM32>\wbem\mof\good.exe to <SYSTEM32>\wbem\mof\bad\good.exe
- from <SYSTEM32>\wbem\mof\bad.exe to <SYSTEM32>\wbem\mof\bad\bad.exe
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WINHELP' WindowName: '(null)'