Technical Information
Malicious functions:
Executes the following:
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' -Embedding
- '%WINDIR%\regedit.exe' /s c:\1.reg
- '%WINDIR%\che6.exe'
- '<SYSTEM32>\cmd.exe' /c c:\65dgdfgsd36543.bat
Modifies file system:
Creates the following files:
- %WINDIR%\bemark2.dat
- C:\1.reg
- %WINDIR%\che6.exe
- C:\65dgdfgsd36543.bat
Sets the 'hidden' attribute to the following files:
- %WINDIR%\bemark2.dat
- %WINDIR%\che6.exe
Deletes the following files:
- %WINDIR%\che6.exe
- C:\1.reg
Deletes itself.
Network activity:
Connects to:
- 'y1##108.com':80
TCP:
HTTP POST requests:
- http://y1##108.com/be/first.php
UDP:
- DNS ASK y1##108.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''