Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\taskhost.exe
Creates the following files on removable media:
- <Drive name for removable media>:\USBDriver.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
Executes the following:
- '%TEMP%\RarSFX1\run.exe'
- '%TEMP%\RarSFX0\run.sfx.exe' -p00000 -d
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RarSFX0\run.bat" "
Modifies file system:
Creates the following files:
- <LS_APPDATA>\taskhost\run.exe_Url_chz5dt0ejeeimedro0cb0nb3bby1odvc\1.0.0.0\_muklth3.newcfg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\gate[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\gate[2].php
- %TEMP%\RarSFX0\run.bat
- %TEMP%\RarSFX0\run.sfx.exe
- %TEMP%\RarSFX1\run.exe
Sets the 'hidden' attribute on the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\taskhost.exe
- <Drive name for removable media>:\USBDriver.exe
- <Drive name for removable media>:\autorun.inf
Moves the following files:
- from <LS_APPDATA>\taskhost\run.exe_Url_chz5dt0ejeeimedro0cb0nb3bby1odvc\1.0.0.0\_muklth3.newcfg to <LS_APPDATA>\taskhost\run.exe_Url_chz5dt0ejeeimedro0cb0nb3bby1odvc\1.0.0.0\user.config
Network activity:
Connects to:
- 'ze##ttp.ml':80
- 'localhost':1038
TCP:
HTTP GET requests:
- http://ze##ttp.ml/Panel/robots/gate.php
UDP:
- DNS ASK ze##ttp.ml
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''