Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\netmanage] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%TEMP%\dft23.tmp'
Executes the following:
- '<SYSTEM32>\svchost.exe' -k netmanage
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: <SYSTEM32>\netmanage.dll
Modifies file system :
Creates the following files:
- %TEMP%\~wr5.tmp
- %TEMP%\~wr4.tmp
- %WINDIR%\Temp\profile.tmp
- <SYSTEM32>\netmanage.dll
- %TEMP%\~wr1.tmp
- %TEMP%\dft23.tmp
- %TEMP%\~wr3.tmp
- %TEMP%\~wr2.tmp
Deletes the following files:
- %TEMP%\dft23.tmp
Network activity:
Connects to:
- 'am#####nline.8866.org':80
- 'ap#####ilytw.9966.org':80
- 'pa####.no-ip.info':21
UDP:
- DNS ASK pa####.no-ip.info
- DNS ASK am#####nline.8866.org
- DNS ASK ap#####ilytw.9966.org
- DNS ASK www.microsoft.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''