Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '' = ':*:Enabled:AV Service Plugin'
Creates and executes the following:
- <SYSTEM32>\zlacy.exe 316 "<Full path to virus>"
Executes the following:
- %WINDIR%\regedit.exe /S %TEMP%\1.reg
- <SYSTEM32>\cmd.exe /c c:\a.bat
Modifies file system :
Creates the following files:
- <SYSTEM32>\zlacy.exe
- %TEMP%\1.reg
- C:\a.bat
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\zlacy.exe
Deletes the following files:
- %TEMP%\1.reg
Deletes itself.
Network activity:
Connects to:
- 'hj.###ikisipi.info':6667
UDP:
- DNS ASK hj.###ikisipi.info
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: ''