Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Security Log TCP/IP File SSDP Gateway' = '<SYSTEM32>\crmkivmoprx.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Installer Source DCOM Level Multimedia] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\hpjgetekehdy.exe' "<SYSTEM32>\crmkivmoprx.exe"
- '%WINDIR%\Temp\gjmrampd31lqmxj1.exe' -r 43312 tcp
- '%TEMP%\gjmrampd2wfjmxj1xbbo2cs4.exe'
- '<SYSTEM32>\crmkivmoprx.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\wlogpnnf\run
- <SYSTEM32>\wlogpnnf\rng
- %WINDIR%\Temp\gjmrampd31lqmxj1.exe
- <SYSTEM32>\wlogpnnf\cfg
- <SYSTEM32>\hpjgetekehdy.exe
- %TEMP%\gjmrampd2wfjmxj1xbbo2cs4.exe
- <SYSTEM32>\wlogpnnf\tst
- <SYSTEM32>\crmkivmoprx.exe
- <SYSTEM32>\wlogpnnf\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\hpjgetekehdy.exe
- <SYSTEM32>\crmkivmoprx.exe
Deletes the following files:
- %WINDIR%\Temp\gjmrampd31lqmxj1.exe
- <DRIVERS>\etc\hosts
- %TEMP%\gjmrampd2wfjmxj1xbbo2cs4.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'he###ext.net':80
- 'ca###een.net':80
- 'ca###ext.net':80
- 'ca###ook.net':80
- 'he###ook.net':80
- 'qu###cook.net':80
- 'th###ook.net':80
- 'th###all.net':80
- 'he###een.net':80
- 'qu###tall.net':80
- 'he###all.net':80
- 'th###cook.net':80
- 'si###cook.net':80
- 'si###tall.net':80
- 'du###een.net':80
- 'th###tall.net':80
- 'si###been.net':80
- 'ca###all.net':80
- 'th###been.net':80
- 'th###next.net':80
- 'si###next.net':80
- 'me###ook.net':80
- 'si###ook.net':80
- 'si###all.net':80
- 'mo###een.net':80
- 'me###all.net':80
- 'si###een.net':80
- 'cl###tall.net':80
- 'me###een.net':80
- 'me###ext.net':80
- 'si###ext.net':80
- 'su###ybeen.net':80
- 'th###een.net':80
- 'su###ytall.net':80
- 'qu###been.net':80
- 'qu###next.net':80
- 'th###ext.net':80
- 'su###ynext.net':80
- 'mo###ext.net':80
- 'mo###ook.net':80
- 'mo###all.net':80
- 'su###ycook.net':80
- 'si###ine.net':80
- 'me###tart.net':80
- 'me###ine.net':80
- 'al###being.net':80
- 'ri###nstorm.net':80
- 'cl###never.net':80
- 'da###ever.net':80
- 'si###ing.net':80
- 'si###tart.net':80
- 'me###ing.net':80
- 'ca####nbring.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'jo####ymeasure.net':80
- 'ef###tbuilt.net':80
- 'th###while.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'ab###ell.net':80
- 'mo###ugust.net':80
- 'mi###hown.net':80
- 'wi###all.net':80
- 'du###all.net':80
- 'tr###been.net':80
- 'tr###next.net':80
- 'mi###een.net':80
- 'du###ext.net':80
- 'wi###een.net':80
- 'wi###ext.net':80
- 'wi###ook.net':80
- 'du###ook.net':80
- 'mi###ext.net':80
- 'da###tart.net':80
- 'cl###sing.net':80
- 'cl###start.net':80
- 'cl###nine.net':80
- 'da###ine.net':80
- 'mi###ook.net':80
- 'tr###cook.net':80
- 'tr###tall.net':80
- 'da###ing.net':80
- 'mi###all.net':80
TCP:
HTTP GET requests:
- http://he###ext.net/index.php
- http://ca###een.net/index.php
- http://ca###ext.net/index.php
- http://ca###ook.net/index.php
- http://he###ook.net/index.php
- http://qu###cook.net/index.php
- http://th###ook.net/index.php
- http://th###all.net/index.php
- http://he###een.net/index.php
- http://qu###tall.net/index.php
- http://he###all.net/index.php
- http://th###cook.net/index.php
- http://si###cook.net/index.php
- http://si###tall.net/index.php
- http://du###een.net/index.php
- http://th###tall.net/index.php
- http://si###been.net/index.php
- http://ca###all.net/index.php
- http://th###been.net/index.php
- http://th###next.net/index.php
- http://si###next.net/index.php
- http://me###ook.net/index.php
- http://si###ook.net/index.php
- http://si###all.net/index.php
- http://mo###een.net/index.php
- http://me###all.net/index.php
- http://si###een.net/index.php
- http://cl###tall.net/index.php
- http://me###een.net/index.php
- http://me###ext.net/index.php
- http://si###ext.net/index.php
- http://su###ybeen.net/index.php
- http://th###een.net/index.php
- http://su###ytall.net/index.php
- http://qu###been.net/index.php
- http://qu###next.net/index.php
- http://th###ext.net/index.php
- http://su###ynext.net/index.php
- http://mo###ext.net/index.php
- http://mo###ook.net/index.php
- http://mo###all.net/index.php
- http://su###ycook.net/index.php
- http://si###ine.net/index.php
- http://me###tart.net/index.php
- http://me###ine.net/index.php
- http://al###being.net/index.php
- http://ri###nstorm.net/index.php
- http://cl###never.net/index.php
- http://da###ever.net/index.php
- http://si###ing.net/index.php
- http://si###tart.net/index.php
- http://me###ing.net/index.php
- http://ca####nbring.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://jo####ymeasure.net/index.php
- http://ef###tbuilt.net/index.php
- http://th###while.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://ab###ell.net/index.php
- http://mo###ugust.net/index.php
- http://mi###hown.net/index.php
- http://wi###all.net/index.php
- http://du###all.net/index.php
- http://tr###been.net/index.php
- http://tr###next.net/index.php
- http://mi###een.net/index.php
- http://du###ext.net/index.php
- http://wi###een.net/index.php
- http://wi###ext.net/index.php
- http://wi###ook.net/index.php
- http://du###ook.net/index.php
- http://mi###ext.net/index.php
- http://da###tart.net/index.php
- http://cl###sing.net/index.php
- http://cl###start.net/index.php
- http://cl###nine.net/index.php
- http://da###ine.net/index.php
- http://mi###ook.net/index.php
- http://tr###cook.net/index.php
- http://tr###tall.net/index.php
- http://da###ing.net/index.php
- http://mi###all.net/index.php
UDP:
- DNS ASK he###ext.net
- DNS ASK ca###een.net
- DNS ASK ca###ext.net
- DNS ASK ca###ook.net
- DNS ASK he###ook.net
- DNS ASK qu###cook.net
- DNS ASK th###ook.net
- DNS ASK th###all.net
- DNS ASK he###een.net
- DNS ASK qu###tall.net
- DNS ASK he###all.net
- DNS ASK th###cook.net
- DNS ASK si###cook.net
- DNS ASK si###tall.net
- DNS ASK du###een.net
- DNS ASK th###tall.net
- DNS ASK si###been.net
- DNS ASK ca###all.net
- DNS ASK th###been.net
- DNS ASK th###next.net
- DNS ASK si###next.net
- DNS ASK qu###next.net
- DNS ASK si###ook.net
- DNS ASK me###ext.net
- DNS ASK me###ook.net
- DNS ASK me###all.net
- DNS ASK si###all.net
- DNS ASK cl###tall.net
- DNS ASK da###all.net
- DNS ASK si###een.net
- DNS ASK si###ext.net
- DNS ASK me###een.net
- DNS ASK mo###een.net
- DNS ASK su###ytall.net
- DNS ASK mo###all.net
- DNS ASK th###een.net
- DNS ASK th###ext.net
- DNS ASK qu###been.net
- DNS ASK mo###ext.net
- DNS ASK su###ybeen.net
- DNS ASK su###ynext.net
- DNS ASK su###ycook.net
- DNS ASK mo###ook.net
- DNS ASK si###ine.net
- DNS ASK me###tart.net
- DNS ASK me###ine.net
- DNS ASK al###being.net
- DNS ASK ri###nstorm.net
- DNS ASK cl###never.net
- DNS ASK da###ever.net
- DNS ASK si###ing.net
- DNS ASK si###tart.net
- DNS ASK me###ing.net
- DNS ASK ca####nbring.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK jo####ymeasure.net
- DNS ASK ef###tbuilt.net
- DNS ASK th###while.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK ab###ell.net
- DNS ASK mo###ugust.net
- DNS ASK mi###hown.net
- DNS ASK wi###all.net
- DNS ASK du###all.net
- DNS ASK tr###been.net
- DNS ASK tr###next.net
- DNS ASK mi###een.net
- DNS ASK du###ext.net
- DNS ASK wi###een.net
- DNS ASK wi###ext.net
- DNS ASK wi###ook.net
- DNS ASK du###ook.net
- DNS ASK mi###ext.net
- DNS ASK da###tart.net
- DNS ASK cl###sing.net
- DNS ASK cl###start.net
- DNS ASK cl###nine.net
- DNS ASK da###ine.net
- DNS ASK mi###ook.net
- DNS ASK tr###cook.net
- DNS ASK tr###tall.net
- DNS ASK da###ing.net
- DNS ASK mi###all.net
- '23#.#55.255.250':1900