Technical Information
Malicious functions:
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- <Current directory>\bmp\РВЅЗЙ«_їЄіЎНјЖ¬.bmp
- <Current directory>\bmp\РВЅЗЙ«_їЄіЎНјЖ¬2.bmp
- <Current directory>\bmp\ґґЅЁЅЗЙ«_№нЅЈКї.bmp
- <Current directory>\bmp\РЎµШНј_УО±к4.bmp
- <Current directory>\bmp\ЅзГж_ґґЅЁЅЗЙ«.bmp
- <Current directory>\bmp\NPC_іцКЫ°ґЕҐ.bmp
- <Current directory>\bmp\јјДЬ_Чоґу»ЇС§П°°ґЕҐ.bmp
- <Current directory>\bmp\ИООсІЛµҐ_ТСНкіЙИООс.bmp
- <Current directory>\bmp\ЧЄЦ°_НкіЙ.bmp
- <Current directory>\bmp\ЦР¶П№«ёж.bmp
- <Current directory>\bmp\ЧЄЦ°_їсХЅКї.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЙП1.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЙП2.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЙП.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщУТ.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщПВ.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЧу2.bmp
- <Current directory>\bmp\РЎµШНј_УО±к2.bmp
- <Current directory>\bmp\РЎµШНј_УО±к3.bmp
- <Current directory>\bmp\РЎµШНј_УО±к1.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщУТ1.bmp
- <Current directory>\bmp\РЎµШНј_УО±к.bmp
- <Current directory>\bmp\К±ЦУ_УАѕГНЈ·в.bmp
- <Current directory>\bmp\К±ЦУ_Иэ·ЅИнјю.bmp
- <Current directory>\bmp\№эНј±кјЗ.bmp
- <Current directory>\bmp\GSDН·±к.bmp
- <Current directory>\bmp\GSDЅЕ.bmp
- <Current directory>\bmp\К±ЦУ_·вНЈИэМм.bmp
- <SYSTEM32>\Dr.sys
- <Current directory>\ini\QQОе±ККдИл·ЁґКїв.txt
- <Current directory>\ini\chk.txt
- <Current directory>\bmp\К±ЦУ_НшВзЦР¶П.bmp
- <Current directory>\ini\zk.txt
- <Current directory>\bmp\ґуµШНј_±кК¶.bmp
- <Current directory>\bmp\ЅзГж№Ш±Х1.bmp
- <Current directory>\bmp\РйИхЧґМ¬.bmp
- <Current directory>\bmp\¶Ф»°їт_ENTER.bmp
- <Current directory>\bmp\¶Ф»°їт_УТПВЅЗ.bmp
- <Current directory>\bmp\ЅзГж№Ш±Х2.bmp
- <Current directory>\bmp\јјДЬ_µЪТ»Ті.bmp
- <Current directory>\bmp\ИООс_ЧЄЦ°.bmp
- <Current directory>\bmp\јјДЬ_ЧоёЯµИј¶.bmp
- <Current directory>\bmp\Ч°±ёАё_Г»УРОдЖч.bmp
- <Current directory>\bmp\јјДЬ_јУµг°ґЕҐ.bmp
- <Current directory>\bmp\ЅЗЙ«µЧЕМ.bmp
- <Current directory>\bmp\ІЦївБмИЎ.bmp
- <Current directory>\bmp\ЖµµА±¬Въ.bmp
- <Current directory>\bmp\ЖµµАЖХНЁ.bmp
- <Current directory>\bmp\ЖµµАУµј·.bmp
- <Current directory>\bmp\ІЦїв±кјЗ.bmp
- <Current directory>\bmp\ІЦїв№«ёж№Ш±Х.bmp
- <Current directory>\bmp\ґтЙП№і.bmp
- <Current directory>\bmp\ИьАцСЗ.bmp
- <Current directory>\bmp\И·ИП°ґЕҐ.bmp
- <Current directory>\bmp\їХёс±кјЗ.bmp
- <Current directory>\Dial.bat
- <Current directory>\bmp\µЗВЅУОП·°ґЕҐ.bmp
- <Current directory>\UUWiseHelper.dll
- %TEMP%\4B28998.res
- <Current directory>\dm.dll
- <Current directory>\bmp\ГЬВлКдИлїт.bmp
- <Current directory>\bmp\ЖµµАЛіі©.bmp
- <Current directory>\bmp\ЖµµАБјєГ.bmp
- <Current directory>\bmp\ЖµµАЛўРВ.bmp
- <Current directory>\bmp\СУіЩЗшИ·ИП.bmp
- <Current directory>\bmp\їґІ»Зе.bmp
- <Current directory>\bmp\µШНјДС¶И_Г°ПХ.bmp
- <Current directory>\bmp\µШНјДС¶И_НхХЯ.bmp
- <Current directory>\bmp\µШНјДС¶И_ЖХНЁ.bmp
- <Current directory>\bmp\№Ц_ёзІјБЦ.bmp
- <Current directory>\bmp\НјГЕїЪ.bmp
- <Current directory>\bmp\ЛўНк_·µ»ШіЗХт.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЧу3.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЧу4.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЧу1.bmp
- <Current directory>\bmp\ЖЈАН_їХ.bmp
- <Current directory>\bmp\РЎµШНј_ДЬНщЧу.bmp
- <Current directory>\bmp\µШНјУО±к.bmp
- <Current directory>\bmp\ёсЧУЅ»Іж.bmp
- <Current directory>\bmp\NPCїЁА¤.bmp
- <Current directory>\bmp\ОпЖ·РЕПўАёЙПЅЗ.bmp
- <Current directory>\bmp\NPCРБґп.bmp
- <Current directory>\bmp\NPC°ь№ьїХёс±кјЗ.bmp
- <Current directory>\bmp\ИЛОпЧш±к_LV.bmp
- <Current directory>\bmp\µШНј_Ѕр±Т.bmp
- <Current directory>\bmp\µШНј_ЕЈН·.bmp
- <Current directory>\bmp\°ґЕҐ_·ЕЖъ.bmp
- <Current directory>\bmp\°ь№ь_ёєЦШємМх.bmp
Deletes the following files:
- %TEMP%\4B28998.res
Network activity:
Connects to:
- 'co####.uudama.com':9000
- 'localhost':1051
- 'localhost':1047
- 'localhost':1049
- 'localhost':1053
- 'localhost':1056
- 'localhost':1058
- 'localhost':1054
- 'co####.uudati.com':9000
- 'localhost':1038
- 'localhost':1040
- 'localhost':1035
- 'co####.taskok.com':9000
- 'co###n.utask.cn':9000
- 'localhost':1045
- 'co####.uuwise.com':9000
- 'localhost':1042
- 'localhost':1044
UDP:
- DNS ASK co####.uudama.com
- DNS ASK co####.uudati.com
- DNS ASK co####.uuwise.com
- DNS ASK co####.taskok.com
- DNS ASK co###n.utask.cn