Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '9c2042589e270e087259bd83f01c7415' = '"<Full path to virus>" ..'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '39984bb9344283f2ee5e8534e0d99e27' = '"<Full path to virus>" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '9c2042589e270e087259bd83f01c7415' = '"<Full path to virus>" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '39984bb9344283f2ee5e8534e0d99e27' = '"<Full path to virus>" ..'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\39984bb9344283f2ee5e8534e0d99e27.exe
- %HOMEPATH%\Start Menu\Programs\Startup\9c2042589e270e087259bd83f01c7415.exe
Creates the following files on removable media:
- <Drive name for removable media>:\UPDAITT.exe.lnk
- <Drive name for removable media>:\UPDAIT2.exe.exe.lnk
- <Drive name for removable media>:\UPDAIT2.exe.exe
- <Drive name for removable media>:\UPDAITT.exe
- <Drive name for removable media>:\39984bb9344283f2ee5e8534e0d99e27.exe
Malicious functions:
To bypass the firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:<Virus name>.exe'
Creates and executes the following:
- '%APPDATA%\UPDAIT2.exe'
- '%TEMP%\UPDAIT2.exe'
- '%APPDATA%\UPDAITT.exe'
- '%TEMP%\UPDAITT.exe'
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "<Full path to virus>" "<Virus name>.exe" ENABLE
Modifies file system:
Creates the following files:
- %TEMP%\UPDAIT2.exe
- <Current directory>\UPDAITT.exe
- C:\UPDAITT.exe
- %APPDATA%\UPDAITT.exe
- %TEMP%\UPDAITT.exe
- %APPDATA%\UPDAIT2.exe
Sets the 'hidden' attribute on the following files:
- <Drive name for removable media>:\UPDAITT.exe
- <Drive name for removable media>:\UPDAIT2.exe.exe
- <Drive name for removable media>:\39984bb9344283f2ee5e8534e0d99e27.exe
Deletes the following files:
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- %APPDATA%\UPDAITT.exe
Network activity:
Connects to:
- 'bo##.dynu.com':3495
UDP:
- DNS ASK bo##.dynu.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''