Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\NBSchedulerService] 'ImagePath' = '%CommonProgramFiles%\ODBC\NBService.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\NBSchedulerService] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%CommonProgramFiles%\ODBC\NBreg.exe'
- '%CommonProgramFiles%\ODBC\NB.exe'
- '%CommonProgramFiles%\ODBC\NBreg.exe' (downloaded from the Internet)
- '%CommonProgramFiles%\ODBC\NB.exe' (downloaded from the Internet)
Executes the following:
- '%WINDIR%\regedit.exe' -s "%CommonProgramFiles%\ODBC\NBreg\adsl886.reg"
- '<SYSTEM32>\sc.exe' start NBSchedulerService
- '<SYSTEM32>\sc.exe' stop NBSchedulerService
- '<SYSTEM32>\sc.exe' create NBSchedulerService binpath= "%CommonProgramFiles%\ODBC\NBService.exe" start= auto
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\NBreg[1].gif
- %CommonProgramFiles%\ODBC\NBreg.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\NB[1].gif
- %CommonProgramFiles%\ODBC\NB.exe
Deletes the following files:
- %CommonProgramFiles%\ODBC\NBreg.exe
- %CommonProgramFiles%\ODBC\NB.exe
Network activity:
Connects to:
- 'www.fi##expo.cn':80
- 'localhost':1038
TCP:
HTTP GET requests:
- http://www.fi##expo.cn/admin/images/NBreg.gif
- http://www.fi##expo.cn/admin/images/NB.gif
UDP:
- DNS ASK www.fi##expo.cn
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''