Technical Information
Malicious functions:
Creates and executes the following:
- %APPDATA%\Desktop\lsass.exe
- %APPDATA%\Microsoft\Windows\csrss.exe
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %APPDATA%\Desktop\lsass.exe
- %APPDATA%\Microsoft\Windows\csrss.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\Desktop\lsass.exe
Deletes the following files:
- %APPDATA%\Microsoft\Windows\csrss.exe
Network activity:
Connects to:
- 'localhost':1035
Miscellaneous:
Searches for the following windows:
- ClassName: 'OperaWindowClass' WindowName: ''
- ClassName: 'Chrome_WidgetWin_0' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'RealWin01' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'MozillaUIWindowClass' WindowName: ''