Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] 'Ci Servs' = 'oldbin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Ci Servs' = 'oldbin.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\eset\Sanex\es.EXE
- <Drive name for removable media>:\eset\Sanex\Desktop.ini
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:Ci Servs'
Creates and executes the following:
- '%WINDIR%\oldbin.exe'
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram oldbin.exe 1 ENABLE
Searches for windows to
detect programs and games:
- ClassName: 'MSNHiddenWindowClass' WindowName: '(null)'
- ClassName: '_Oscar_StatusNotify' WindowName: '(null)'
Modifies file system :
Creates the following files:
- %WINDIR%\oldbin.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\eset\Sanex\es.EXE
- %WINDIR%\oldbin.exe
Network activity:
UDP:
- DNS ASK ni##.#iceshot.in
Miscellaneous:
Searches for the following windows:
- ClassName: 'Message Session' WindowName: '(null)'
- ClassName: 'TskMultiChatForm.UnicodeClass' WindowName: '(null)'
- ClassName: '__oxFrame.class__' WindowName: '(null)'