Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\gpr.exe" -a "%ProgramFiles%\Internet Explorer\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '2679572104' = '<LS_APPDATA>\gpr.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '%TEMP%\AbqM8XJJC.exe' (downloaded from the Internet)
Executes the following:
- '%TEMP%\AbqM8XJJC.exe'
- '<LS_APPDATA>\gpr.exe' -gav <Full path to file>
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\Sota\FFFTP]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\Software\Martin Prikryl]
- [<HKCU>\Software\Martin Prikryl]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\SoftX.org\FTPClient\Sites]
- [<HKLM>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKCU>\SOFTWARE\NCH Software\Fling\Accounts]
- [<HKCU>\Software\FTPClient\Sites]
- [<HKCU>\Software\SoftX.org\FTPClient\Sites]
- [<HKLM>\Software\FTPClient\Sites]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKLM>\Software\FileZilla Client]
- [<HKLM>\Software\FileZilla]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\FileZilla Client]
- [<HKCU>\Software\FlashFXP]
- [<HKCU>\Software\FlashFXP\3]
- [<HKLM>\Software\FlashFXP\3]
- [<HKCU>\Software\FileZilla]
- [<HKLM>\Software\FlashFXP]
Modifies file system:
Creates the following files:
- <LS_APPDATA>\aylh.exe
- %ALLUSERSPROFILE%\Application Data\ptrv.exe
- %TEMP%\hjkf.exe
- %ALLUSERSPROFILE%\Application Data\arlj.exe
- %TEMP%\jphy.exe
- %HOMEPATH%\Templates\xtbd.exe
- %HOMEPATH%\Templates\6pb32ub1387f3qs570a50564mglrq4160
- %HOMEPATH%\Templates\ydgi.exe
- %TEMP%\AbqM8XJJC.exe
- <LS_APPDATA>\6pb32ub1387f3qs570a50564mglrq4160
- %ALLUSERSPROFILE%\Application Data\6pb32ub1387f3qs570a50564mglrq4160
- %TEMP%\6pb32ub1387f3qs570a50564mglrq4160
- %ALLUSERSPROFILE%\Application Data\ldfh.exe
- %TEMP%\xvhv.exe
- %HOMEPATH%\Templates\cooh.exe
- %TEMP%\dgd1.tmp
- <LS_APPDATA>\gpr.exe
- <LS_APPDATA>\hygn.exe
- %TEMP%\mtir.exe
- %HOMEPATH%\Templates\erow.exe
- <LS_APPDATA>\ddqg.exe
- <LS_APPDATA>\tcmb.exe
- %ALLUSERSPROFILE%\Application Data\dcac.exe
- %TEMP%\dgd2.tmp
Deletes the following files:
- %TEMP%\dgd2.tmp
- %TEMP%\dgd1.tmp
Deletes itself.
Network activity:
Connects to:
- 'za####dixahok.com':80
- 'hy###ucugi.com':80
- 'qa###alomo.com':80
- 're####-oladt.com':80
- 'dy####gymasasu.com':80
- 'zy####movyxy.com':80
TCP:
HTTP GET requests:
- http://re####-oladt.com/setup.exe
UDP:
- DNS ASK wu####lyhura.com
- DNS ASK xa###iwehiw.com
- DNS ASK lo####hosywaw.com
- DNS ASK xe####wunikyle.com
- DNS ASK ma####noralibu.com
- DNS ASK zo####kimewut.com
- DNS ASK to###uwace.com
- DNS ASK xy####talomu.com
- DNS ASK pi####caciqil.com
- DNS ASK se####wytuzek.com
- DNS ASK lo###ejav.com
- DNS ASK nu####jilamipu.com
- DNS ASK vu####hevixaf.com
- DNS ASK microsoft.com
- DNS ASK ne###ezyjih.com
- DNS ASK pu####pageta.com
- DNS ASK bo####lawiqo.com
- DNS ASK co###irebu.com
- DNS ASK wu###osux.com
- DNS ASK xy####nihyfo.com
- DNS ASK qa###alomo.com
- DNS ASK le####bunosu.com
- DNS ASK va###uzozuq.com
- DNS ASK hy###ucugi.com
- DNS ASK dy####gymasasu.com
- DNS ASK re####-oladt.com
- DNS ASK za####dixahok.com
- DNS ASK zy####movyxy.com
- DNS ASK na####hohuly.com
- DNS ASK ku###idewar.com
- DNS ASK di####jubeka.com
- DNS ASK to####lymavi.com
- DNS ASK zy####dojusoko.com
- DNS ASK pe###ukos.com
- DNS ASK ny####wafyfa.com
- DNS ASK xy###yquk.com
- DNS ASK ry###amogo.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'msascui_class' WindowName: ''