Technical Information
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\Internet Explorer\carss.exe "%PROGRAM_FILES%\Internet Explorer\file.III" pandeng
Executes the following:
- <SYSTEM32>\xcopy.exe /y c:\win.txt <SYSTEM32>\GroupPolicy\Machine\Scripts
- <SYSTEM32>\gpupdate.exe /force
- <SYSTEM32>\xcopy.exe /y c:\gpt.txt <SYSTEM32>\GroupPolicy
- %WINDIR%\regedit.exe /s C:\1.reg
- <SYSTEM32>\cmd.exe /c ""%PROGRAM_FILES%\sys.bat" "
Forces autoplay for removable media.
Modifies file system:
Creates the following files:
- <SYSTEM32>\GroupPolicy\gpt.txt
- C:\win.txt
- <SYSTEM32>\GroupPolicy\Machine\Scripts\win.txt
- %WINDIR%\window.txt
- %HOMEPATH%\ntuser.pol
- %TEMP%\126609_res.tmp
- %PROGRAM_FILES%\Internet Explorer\carss.exe
- %TEMP%\142578_res.tmp
- C:\gpt.txt
- %PROGRAM_FILES%\sys.bat
Deletes the following files:
- C:\gpt.txt
- <SYSTEM32>\GroupPolicy\Machine\Scripts\win.txt
- <SYSTEM32>\GroupPolicy\gpt.ini
Moves itself:
- from <Full path to virus> to C:\tmp.tmp
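The file operations above amount to a local Group Policy persistence set-up: a script is copied into <SYSTEM32>\GroupPolicy\Machine\Scripts, gpt.ini is replaced, and gpupdate.exe /force makes the machine re-read the local policy. The report does not say which files win.txt and gpt.txt end up as, so a triage check has to look at what Windows actually honours: the [Startup] entries of Machine\Scripts\scripts.ini and psscripts.ini, and the gPCMachineExtensionNames value in gpt.ini. The following is an added example, not part of the report or of the analysed sample; it runs against an offline copy of the GroupPolicy folder (a mounted image or a collected triage package), and all function names, the sample tree it builds for its own demo and the placeholder GUID in that tree are constructed for illustration. The NoDriveTypeAutoRun bit layout it uses (bit 0x04 = removable drives) is the documented Windows meaning of that value; the report itself names no registry key for the autoplay change, so which key the sample touches is not asserted here.

```python
"""Offline triage for local-GPO startup-script persistence and AutoRun state.
Added example for the report above, not the sample's own code."""
import configparser
import ntpath
import os
import tempfile
from typing import Dict, List

# NoDriveTypeAutoRun is a bitmask; bit (1 << drive_type) disables AutoRun for
# that drive type.  DRIVE_REMOVABLE is type 2, so 0x04 covers removable media.
REMOVABLE_AUTORUN_BIT = 0x04


def _read_ini(path: str) -> configparser.ConfigParser:
    """scripts.ini is often written as UTF-16 with a BOM; handle both encodings."""
    raw = open(path, "rb").read()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: "0CmdLine", "gPCMachineExtensionNames"
    cp.read_string(text)
    return cp


def startup_scripts(gp_root: str) -> List[Dict[str, object]]:
    """Return every [Startup] entry from Machine\\Scripts\\scripts.ini and
    psscripts.ini, with whether the referenced script file is present."""
    scripts_dir = os.path.join(gp_root, "Machine", "Scripts")
    found = []
    for name in ("scripts.ini", "psscripts.ini"):
        path = os.path.join(scripts_dir, name)
        if not os.path.isfile(path):
            continue
        cp = _read_ini(path)
        if not cp.has_section("Startup"):
            continue
        sec = cp["Startup"]
        idx = 0
        while f"{idx}CmdLine" in sec:  # entries are numbered 0CmdLine, 1CmdLine, ...
            cmd = sec[f"{idx}CmdLine"]
            params = sec.get(f"{idx}Parameters", "")
            # A bare file name resolves against Machine\Scripts\Startup.
            target = cmd if ntpath.isabs(cmd) else os.path.join(scripts_dir, "Startup", cmd)
            found.append({"source": name, "cmdline": cmd, "parameters": params,
                          "exists": os.path.isfile(target)})
            idx += 1
    return found


def machine_extensions(gp_root: str) -> str:
    """gPCMachineExtensionNames lists the client-side extensions gpupdate will run."""
    path = os.path.join(gp_root, "gpt.ini")
    if not os.path.isfile(path):
        return ""
    return _read_ini(path).get("General", "gPCMachineExtensionNames", fallback="")


def removable_autorun_enabled(no_drive_type_autorun: int) -> bool:
    """True when the bitmask leaves AutoRun enabled for removable drives."""
    return not (no_drive_type_autorun & REMOVABLE_AUTORUN_BIT)


def triage(gp_root: str, no_drive_type_autorun: int) -> List[str]:
    findings = []
    for s in startup_scripts(gp_root):
        line = f"machine startup script via {s['source']}: {s['cmdline']} {s['parameters']}".rstrip()
        findings.append(line + ("" if s["exists"] else " (target missing)"))
    ext = machine_extensions(gp_root)
    findings.append(f"gpt.ini gPCMachineExtensionNames={ext}" if ext
                    else "gpt.ini missing or has no gPCMachineExtensionNames")
    if removable_autorun_enabled(no_drive_type_autorun):
        findings.append(f"NoDriveTypeAutoRun=0x{no_drive_type_autorun:02X}: "
                        "AutoRun not disabled for removable drives")
    return findings


def demo() -> Dict[str, object]:
    """Build a constructed GroupPolicy tree (hypothetical contents, not from the
    report) and run the checks over it."""
    with tempfile.TemporaryDirectory() as root:
        scripts_dir = os.path.join(root, "Machine", "Scripts")
        os.makedirs(os.path.join(scripts_dir, "Startup"))
        with open(os.path.join(scripts_dir, "scripts.ini"), "w", encoding="utf-8") as fh:
            fh.write("[Startup]\n0CmdLine=win.txt\n0Parameters=\n")
        with open(os.path.join(scripts_dir, "Startup", "win.txt"), "w") as fh:
            fh.write("@echo constructed placeholder\n")
        with open(os.path.join(root, "gpt.ini"), "w", encoding="utf-8") as fh:
            fh.write("[General]\nVersion=65537\n"
                     "gPCMachineExtensionNames=[{00000000-0000-0000-0000-000000000000}]\n")
        return {"scripts": startup_scripts(root),
                "extensions": machine_extensions(root),
                "findings": triage(root, 0x91)}


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

Against real evidence, call triage() with the path of the copied GroupPolicy folder and the NoDriveTypeAutoRun value exported from the hive; any [Startup] entry on a workstation that has no legitimate local startup script, a scripts.ini that does not match the script actually present, or a freshly rewritten gpt.ini next to a recent gpupdate event is what to pull for further analysis.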
Network activity:
Connects to:
- 'xb###.3322.org':3660
UDP:
- DNS ASK xb###.3322.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: ''