Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'Explorer.exe <SYSTEM32>\blackice.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'run' = '<SYSTEM32>\blackice.exe'
Malicious functions:
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Terminates or attempts to terminate
the following user processes:
- NAVAPW32.EXE
- nod32.exe
- ccapp.exe
- AVP.EXE
- 360tray.exe
- ashAvast.exe
- AVP.COM
Modifies file system:
Creates the following files:
- <SYSTEM32>\blackice.ini
- <SYSTEM32>\kernel.dll
- <SYSTEM32>\blackice.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\blackice.exe
Deletes the following files:
- <SYSTEM32>\blackice.ini
Network activity:
Connects to:
- 'fm###d.zj.com':80
TCP:
HTTP GET requests:
- http://fm###d.zj.com/blackice3/url.txt
UDP:
- DNS ASK fm###d.zj.com