Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}] 'StubPath' = ''
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}] 'StubPath' = 'c:\dir\install\install\server.exe Restart'
Malicious functions:
Creates and executes the following:
- C:\dir\install\install\server.exe
Executes the following:
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\Jellyfish.jpg
- %WINDIR%\explorer.exe
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %APPDATA%\logs.dat
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
- C:\dir\install\install\server.exe
- %TEMP%\XX--XX--XX.txt
- %TEMP%\Jellyfish.jpg
Sets the 'hidden' attribute to the following files:
- %APPDATA%\logs.dat
Deletes the following files:
- %TEMP%\UuU.uUu
- %TEMP%\XxX.xXx
- C:\dir\install\install\server.exe
- %TEMP%\XX--XX--XX.txt
Network activity:
Connects to:
- 'localhost':81
Miscellaneous:
Searches for the following windows:
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''