Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Update' = '<SYSTEM32>\A'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\System32.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall set opmode disable
Modifies file system :
Creates the following files:
- %TEMP%\TMP.dat
- <SYSTEM32>\A
- C:\System32.exe
- C:\autorun.inf
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\System32.exe
- C:\autorun.inf
- C:\System32.exe
Network activity:
Connects to:
- 'sm##.gmail.com':587
- 'wh###smyip.com':80
- 'wp#d':80
TCP:
HTTP GET requests:
- wh###smyip.com/automation/n09230945.asp
- wp#d/wpad.dat
UDP:
- DNS ASK sm##.gmail.com
- DNS ASK wh###smyip.com
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''