Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'KM_Path2' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'KM_Path' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'KM_Path3' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'KM_Path7' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'KM_Path4' = ''
Malicious functions:
Forces autoplay for removable media.
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ip-adress[1]
- <SYSTEM32>\oobe\p1
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ip2location[1]
- <SYSTEM32>\oobe\nl.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\cmyip[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\whatismyipaddress[1]
- <SYSTEM32>\oobe\page
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\adversion7.blogspot[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\kog6.blogspot[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\kogpage.blogspot[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\doniablog.wordpress[1]
Deletes the following files:
- <SYSTEM32>\oobe\p1
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ip-adress[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\whatismyipaddress[1]
- <SYSTEM32>\oobe\nl.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\cmyip[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ip2location[1]
- <SYSTEM32>\oobe\page
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\adversion7.blogspot[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\doniablog.wordpress[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\kog6.blogspot[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\kogpage.blogspot[1]
Network activity:
Connects to:
- 'www.ip###cation.com':80
- 'www.ko##.#logspot.com':80
- 'www.ip###ress.com':80
- 'www.cm##p.com':80
- 'wh#####yipaddress.com':80
- 'localhost':1037
- '67.##5.160.76':80
- 'ad#####on7.blogspot.com':80
- 'www.ko#####.blogspot.com':80
- 'do#####og.wordpress.com':80
TCP:
HTTP GET requests:
- www.ip###ress.com/
- www.ip###cation.com/
- www.cm##p.com/
- wh#####yipaddress.com/
- do#####og.wordpress.com/
- ad#####on7.blogspot.com/
- www.ko##.#logspot.com/
- www.ko#####.blogspot.com/
UDP:
- DNS ASK www.ip###ress.com
- DNS ASK www.ip###cation.com
- DNS ASK www.cm##p.com
- DNS ASK wh#####yipaddress.com
- DNS ASK www.ko##.#logspot.com
- DNS ASK ad#####on7.blogspot.com
- DNS ASK www.ya##o.com
- DNS ASK www.ko#####.blogspot.com
- DNS ASK do#####og.wordpress.com