Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\175953.bat" "<Full path to virus>" "
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
Modifies file system :
Creates the following files:
- %TEMP%\175953.bat
Deletes itself.
Network activity:
Connects to:
- 'ma###indo.com':80
TCP:
HTTP POST requests:
- http://ma###indo.com/wp-skins.php
UDP:
- DNS ASK ma###indo.com