Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Modifies file system :
Creates the following files:
- C:\censor.$$$
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\censor[1].$$$
Deletes the following files:
- C:\censor.$$$
Network activity:
Connects to:
- '86.##6.122.153':80
- 'localhost':1036
TCP:
HTTP GET requests:
- 86.##6.122.153/Downloads/ce_face_copilul_tau_pe_net/censor.$$$
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''