Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Applga] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\servic.exe'
Executes the following:
- '<SYSTEM32>\wscript.exe' "C:\6972.vbs"
Modifies file system :
Creates the following files:
- C:\6972.vbs
- %PROGRAM_FILES%\servic.exe
Deletes the following files:
- C:\6972.vbs
Deletes itself.
Network activity:
Connects to:
- 'www.ip##8.com':80
TCP:
HTTP GET requests:
- www.ip##8.com/ips138.asp?ip##########
- www.ip##8.com/ips138.asp?ip############################
UDP:
- DNS ASK www.ip##8.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'