Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}] 'StubPath' = '%TEMP%\InstallDir\Server.exe restart'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}] 'StubPath' = '%TEMP%\InstallDir\Server.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'HKLM' = '%TEMP%\InstallDir\Server.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HKCU' = '%TEMP%\InstallDir\Server.exe'
Malicious functions:
Executes the following:
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE'
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %TEMP%\InstallDir\Server.exe
Sets the 'hidden' attribute to the following files:
- %TEMP%\InstallDir\Server.exe
Network activity:
Connects to:
- 'xd###.no-ip.biz':82
- 'localhost':1037
UDP:
- DNS ASK xd###.no-ip.biz
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''