Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\kxi.exe" -a "%PROGRAM_FILES%\Internet Explorer\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '92916413' = '<LS_APPDATA>\kxi.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- <LS_APPDATA>\kxi.exe -gav <Full path to virus>
Terminates or attempts to terminate
the following user processes:
- chrome.exe
- opera.exe
- iexplore.exe
- firefox.exe
Modifies file system :
Creates the following files:
- %TEMP%\bruiwoy5fw4i4nk
- %HOMEPATH%\Templates\bruiwoy5fw4i4nk
- %ALLUSERSPROFILE%\Application Data\bruiwoy5fw4i4nk
- <LS_APPDATA>\kxi.exe
- <LS_APPDATA>\bruiwoy5fw4i4nk
Deletes itself.
Network activity:
Connects to:
- 'xi###yxew.com':80
- 'ny###yxaz.com':80
- 'va####sumuhor.com':80
- 'fy###uzyjer.com':80
- 'be####gyluzus.com':80
- 'ri###yzudu.com':80
- 'ni####lybyhi.com':80
- 'by####romyvi.com':80
- 'fe###ohuxek.com':80
- 'tu####nafucir.com':80
- 'pi####gocide.com':80
- 'ju###eler.com':80
- 'ne###uhix.com':80
- 'pe###ojuhep.com':80
- 'we####mysugamy.com':80
- 'ri###ijaxus.com':80
- 'la####heqowok.com':80
- 'ne###avyn.com':80
- 'ru###adix.com':80
- 'xi###esaf.com':80
- 'mo###akib.com':80
- 'pe###agyb.com':80
- 'ro####hidixa.com':80
- 'ka###akiduw.com':80
- 'sa####wumaser.com':80
- 'me####bugyluf.com':80
- 'qy###iboveh.com':80
- 'mo###ymalyp.com':80
- 'te###ihamib.com':80
- 'qu####jalyfa.com':80
UDP:
- DNS ASK va####sumuhor.com
- DNS ASK ny###yxaz.com
- DNS ASK pe###ojuhep.com
- DNS ASK xi###yxew.com
- DNS ASK ri###yzudu.com
- DNS ASK ni####lybyhi.com
- DNS ASK fy###uzyjer.com
- DNS ASK by####romyvi.com
- DNS ASK tu####nafucir.com
- DNS ASK pi####gocide.com
- DNS ASK dy###arov.com
- DNS ASK fe###ohuxek.com
- DNS ASK ne###uhix.com
- DNS ASK we####mysugamy.com
- DNS ASK ju###eler.com
- DNS ASK be####gyluzus.com
- DNS ASK ri###ijaxus.com
- DNS ASK la####heqowok.com
- DNS ASK ne###avyn.com
- DNS ASK ru###adix.com
- DNS ASK xi###esaf.com
- DNS ASK mo###akib.com
- DNS ASK pe###agyb.com
- DNS ASK ro####hidixa.com
- DNS ASK sa####wumaser.com
- DNS ASK ka###akiduw.com
- DNS ASK me####bugyluf.com
- DNS ASK qy###iboveh.com
- DNS ASK mo###ymalyp.com
- DNS ASK te###ihamib.com
- DNS ASK qu####jalyfa.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'msascui_class' WindowName: ''