Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'FILE_34929' = '%APPDATA%\FILE_34929.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Microsoft? Windows? Operating System' = '%APPDATA%\Microsoft\Protect\Credentials\audiodgi.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'FILE_81400' = '%APPDATA%\FILE_81400.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\Svchosted.exe
Malicious functions:
Creates and executes the following:
- %APPDATA%\Microsoft\Protect\Credentials\wmpmetwk.exe
- %APPDATA%\Microsoft\Protect\Credentials\audiodgi.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\_logdata=infected[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\_logdata=downloaded payload[2]
- %APPDATA%\.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\_logdata=came online[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\_logdata=executed payload[2]
- %APPDATA%\lovely.ini
- %APPDATA%\Microsoft\Protect\Credentials\audiodgi.gzp
- %APPDATA%\Microsoft\Protect\Credentials\wmpmetwk.exe
- <Current directory>\wmpnetvk.exe:ZONE.identifier
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\_logdata=executed payload[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\_logdata=downloaded payload[1]
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\Svchosted.exe
- <Drive name for removable media>:\autorun.inf
- %APPDATA%\Microsoft\Protect\Credentials\wmpmetwk.exe
- %APPDATA%\Microsoft\Protect\Credentials\audiodgi.exe
Network activity:
Connects to:
- 'localhost':1041
- '11#.#11.111.4':80
- 'localhost':1043
- '11#.#11.111.1':80
- '11#.#11.111.2':80
- '?l#######infected.localdomain':80
TCP:
HTTP GET requests:
- ?l#######infected.localdomain/
- 11#.#11.111.4/
- 11#.#11.111.1/
- 11#.#11.111.2/
UDP:
- DNS ASK ?l#######infected.localdomain
- DNS ASK ?l########ame online.localdomain
- DNS ASK ?l#########wnloaded payload.localdomain
- DNS ASK ?l#########ecuted payload.localdomain
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Indicator' WindowName: ''