Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Registrar Drive SSDP Helper Locator Interactive' = '<SYSTEM32>\unwqxfwsa.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Policy Host Sharing Location Process Publication] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\owxghegcdplw.exe' "<SYSTEM32>\unwqxfwsa.exe"
- '%WINDIR%\Temp\vgxkgdh2v2iyl.exe' -r 47821 tcp
- '%TEMP%\vgxkgdh2pyhyld69dsqm.exe'
- '<SYSTEM32>\unwqxfwsa.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\gvtslobqxyfg\run
- <SYSTEM32>\gvtslobqxyfg\rng
- %WINDIR%\Temp\vgxkgdh2v2iyl.exe
- <SYSTEM32>\gvtslobqxyfg\cfg
- <SYSTEM32>\owxghegcdplw.exe
- %TEMP%\vgxkgdh2pyhyld69dsqm.exe
- <SYSTEM32>\gvtslobqxyfg\tst
- <SYSTEM32>\unwqxfwsa.exe
- <SYSTEM32>\gvtslobqxyfg\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\owxghegcdplw.exe
- <SYSTEM32>\unwqxfwsa.exe
Deletes the following files:
- %WINDIR%\Temp\vgxkgdh2v2iyl.exe
- <DRIVERS>\etc\hosts
- %TEMP%\vgxkgdh2pyhyld69dsqm.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'wi###ore.net':80
- 'du###ore.net':80
- 'wi###ail.net':80
- 'du###ail.net':80
- 'wi###here.net':80
- 'si###road.net':80
- 'th###mail.net':80
- 'du###here.net':80
- 'th###road.net':80
- 'du###oad.net':80
- 'mi###ail.net':80
- 'tr###mail.net':80
- 'mi###oad.net':80
- 'tr###road.net':80
- 'mi###ore.net':80
- 'tr###where.net':80
- 'wi###oad.net':80
- 'tr###wore.net':80
- 'mi###here.net':80
- 'he###here.net':80
- 'qu###road.net':80
- 'he###ore.net':80
- 'ca###here.net':80
- 'th###oad.net':80
- 'qu###wore.net':80
- 'th###ore.net':80
- 'qu###mail.net':80
- 'th###ail.net':80
- 'ca###ore.net':80
- 'si###wore.net':80
- 'th###where.net':80
- 'si###mail.net':80
- 'th###wore.net':80
- 'si###where.net':80
- 'ca###ail.net':80
- 'he###ail.net':80
- 'ca###oad.net':80
- 'he###oad.net':80
- 'da###one.net':80
- 'th###ight.net':80
- 'qu###gone.net':80
- 'be##lxc.com':80
- 'qu###light.net':80
- 'th###one.net':80
- 'su###yfool.net':80
- 'mo###ool.net':80
- 'su###ygoes.net':80
- 'mo###oes.net':80
- 'ri###nstorm.net':80
- 'mo###ugust.net':80
- 'mi###hown.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'ab###ell.net':80
- 'ca####nbring.net':80
- 'al###being.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'cl###goes.net':80
- 'da###oes.net':80
- 'me###one.net':80
- 'si###one.net':80
- 'cl###fool.net':80
- 'da###ight.net':80
- 'cl###gone.net':80
- 'da###ool.net':80
- 'cl###light.net':80
- 'si###ight.net':80
- 'su###ygone.net':80
- 'mo###one.net':80
- 'su###ylight.net':80
- 'mo###ight.net':80
- 'me###oes.net':80
- 'si###ool.net':80
- 'me###ight.net':80
- 'si###oes.net':80
- 'me###ool.net':80
TCP:
HTTP GET requests:
- http://wi###ore.net/index.php
- http://du###ore.net/index.php
- http://wi###ail.net/index.php
- http://du###ail.net/index.php
- http://wi###here.net/index.php
- http://si###road.net/index.php
- http://th###mail.net/index.php
- http://du###here.net/index.php
- http://th###road.net/index.php
- http://du###oad.net/index.php
- http://mi###ail.net/index.php
- http://tr###mail.net/index.php
- http://mi###oad.net/index.php
- http://tr###road.net/index.php
- http://mi###ore.net/index.php
- http://tr###where.net/index.php
- http://wi###oad.net/index.php
- http://tr###wore.net/index.php
- http://mi###here.net/index.php
- http://he###here.net/index.php
- http://qu###road.net/index.php
- http://he###ore.net/index.php
- http://ca###here.net/index.php
- http://th###oad.net/index.php
- http://qu###wore.net/index.php
- http://th###ore.net/index.php
- http://qu###mail.net/index.php
- http://th###ail.net/index.php
- http://ca###ore.net/index.php
- http://si###wore.net/index.php
- http://th###where.net/index.php
- http://si###mail.net/index.php
- http://th###wore.net/index.php
- http://si###where.net/index.php
- http://ca###ail.net/index.php
- http://he###ail.net/index.php
- http://ca###oad.net/index.php
- http://he###oad.net/index.php
- http://da###one.net/index.php
- http://th###ight.net/index.php
- http://qu###gone.net/index.php
- http://be##lxc.com/index.php
- http://qu###light.net/index.php
- http://th###one.net/index.php
- http://su###yfool.net/index.php
- http://mo###ool.net/index.php
- http://su###ygoes.net/index.php
- http://mo###oes.net/index.php
- http://ri###nstorm.net/index.php
- http://mo###ugust.net/index.php
- http://mi###hown.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://ab###ell.net/index.php
- http://ca####nbring.net/index.php
- http://al###being.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://cl###goes.net/index.php
- http://da###oes.net/index.php
- http://me###one.net/index.php
- http://si###one.net/index.php
- http://cl###fool.net/index.php
- http://da###ight.net/index.php
- http://cl###gone.net/index.php
- http://da###ool.net/index.php
- http://cl###light.net/index.php
- http://si###ight.net/index.php
- http://su###ygone.net/index.php
- http://mo###one.net/index.php
- http://su###ylight.net/index.php
- http://mo###ight.net/index.php
- http://me###oes.net/index.php
- http://si###ool.net/index.php
- http://me###ight.net/index.php
- http://si###oes.net/index.php
- http://me###ool.net/index.php
UDP:
- DNS ASK wi###ore.net
- DNS ASK du###ore.net
- DNS ASK wi###ail.net
- DNS ASK du###ail.net
- DNS ASK wi###here.net
- DNS ASK si###road.net
- DNS ASK th###mail.net
- DNS ASK du###here.net
- DNS ASK th###road.net
- DNS ASK du###oad.net
- DNS ASK mi###ail.net
- DNS ASK tr###mail.net
- DNS ASK mi###oad.net
- DNS ASK tr###road.net
- DNS ASK mi###ore.net
- DNS ASK tr###where.net
- DNS ASK wi###oad.net
- DNS ASK tr###wore.net
- DNS ASK mi###here.net
- DNS ASK si###mail.net
- DNS ASK qu###road.net
- DNS ASK th###oad.net
- DNS ASK ca###here.net
- DNS ASK he###here.net
- DNS ASK qu###mail.net
- DNS ASK th###ore.net
- DNS ASK qu###where.net
- DNS ASK th###ail.net
- DNS ASK qu###wore.net
- DNS ASK he###ore.net
- DNS ASK th###where.net
- DNS ASK si###where.net
- DNS ASK th###wore.net
- DNS ASK si###wore.net
- DNS ASK ca###oad.net
- DNS ASK he###ail.net
- DNS ASK ca###ore.net
- DNS ASK he###oad.net
- DNS ASK ca###ail.net
- DNS ASK da###one.net
- DNS ASK th###ight.net
- DNS ASK qu###gone.net
- DNS ASK be##lxc.com
- DNS ASK qu###light.net
- DNS ASK th###one.net
- DNS ASK su###yfool.net
- DNS ASK mo###ool.net
- DNS ASK su###ygoes.net
- DNS ASK mo###oes.net
- DNS ASK ri###nstorm.net
- DNS ASK mo###ugust.net
- DNS ASK mi###hown.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK ab###ell.net
- DNS ASK ca####nbring.net
- DNS ASK al###being.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK cl###goes.net
- DNS ASK da###oes.net
- DNS ASK me###one.net
- DNS ASK si###one.net
- DNS ASK cl###fool.net
- DNS ASK da###ight.net
- DNS ASK cl###gone.net
- DNS ASK da###ool.net
- DNS ASK cl###light.net
- DNS ASK si###ight.net
- DNS ASK su###ygone.net
- DNS ASK mo###one.net
- DNS ASK su###ylight.net
- DNS ASK mo###ight.net
- DNS ASK me###oes.net
- DNS ASK si###ool.net
- DNS ASK me###ight.net
- DNS ASK si###oes.net
- DNS ASK me###ool.net
- '23#.#55.255.250':1900