Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Print Spooler Process' = '<SYSTEM32>\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
Malicious functions:
Executes the following:
- <SYSTEM32>\attrib.exe +h N:\autorun.inf
- <SYSTEM32>\attrib.exe +h M:\autorun.inf
- <SYSTEM32>\attrib.exe +h L:\autorun.inf
- <SYSTEM32>\attrib.exe +h Q:\autorun.inf
- <SYSTEM32>\attrib.exe +h P:\autorun.inf
- <SYSTEM32>\attrib.exe +h O:\autorun.inf
- <SYSTEM32>\attrib.exe +h K:\autorun.inf
- <SYSTEM32>\attrib.exe +h G:\autorun.inf
- <SYSTEM32>\attrib.exe +h F:\autorun.inf
- <SYSTEM32>\attrib.exe +h E:\autorun.inf
- <SYSTEM32>\attrib.exe +h J:\autorun.inf
- <SYSTEM32>\attrib.exe +h I:\autorun.inf
- <SYSTEM32>\attrib.exe +h H:\autorun.inf
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /f /v "Enabled" /t REG_DWORD /d 00000001
- <SYSTEM32>\attrib.exe +h Z:\autorun.inf
- <SYSTEM32>\attrib.exe +h Y:\autorun.inf
- <SYSTEM32>\cmd.exe /c ""<Current directory>\ftp.bat" "
- <SYSTEM32>\wscript.exe "<Current directory>\b.vbs"
- <SYSTEM32>\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "Print Spooler Process" /d <SYSTEM32>\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe
- <SYSTEM32>\attrib.exe +h X:\autorun.inf
- <SYSTEM32>\attrib.exe +h T:\autorun.inf
- <SYSTEM32>\attrib.exe +h S:\autorun.inf
- <SYSTEM32>\attrib.exe +h R:\autorun.inf
- <SYSTEM32>\attrib.exe +h W:\autorun.inf
- <SYSTEM32>\attrib.exe +h V:\autorun.inf
- <SYSTEM32>\attrib.exe +h U:\autorun.inf
- <SYSTEM32>\attrib.exe +h <Drive name for removable media>:\autorun.inf
- <SYSTEM32>\attrib.exe +h K:\RECYCLER
- <SYSTEM32>\attrib.exe +h J:\RECYCLER
- <SYSTEM32>\attrib.exe +h I:\RECYCLER
- <SYSTEM32>\attrib.exe +h N:\RECYCLER
- <SYSTEM32>\attrib.exe +h M:\RECYCLER
- <SYSTEM32>\attrib.exe +h L:\RECYCLER
- <SYSTEM32>\attrib.exe +h H:\RECYCLER
- <SYSTEM32>\attrib.exe +h <Drive name for removable media>:\RECYCLER
- <SYSTEM32>\attrib.exe +h C:\RECYCLER
- <SYSTEM32>\attrib.exe +h "<SYSTEM32>\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe"
- <SYSTEM32>\attrib.exe +h G:\RECYCLER
- <SYSTEM32>\attrib.exe +h F:\RECYCLER
- <SYSTEM32>\attrib.exe +h E:\RECYCLER
- <SYSTEM32>\attrib.exe +h X:\RECYCLER
- <SYSTEM32>\attrib.exe +h W:\RECYCLER
- <SYSTEM32>\attrib.exe +h V:\RECYCLER
- <SYSTEM32>\attrib.exe +h C:\autorun.inf
- <SYSTEM32>\attrib.exe +h Z:\RECYCLER
- <SYSTEM32>\attrib.exe +h Y:\RECYCLER
- <SYSTEM32>\attrib.exe +h U:\RECYCLER
- <SYSTEM32>\attrib.exe +h Q:\RECYCLER
- <SYSTEM32>\attrib.exe +h P:\RECYCLER
- <SYSTEM32>\attrib.exe +h O:\RECYCLER
- <SYSTEM32>\attrib.exe +h T:\RECYCLER
- <SYSTEM32>\attrib.exe +h S:\RECYCLER
- <SYSTEM32>\attrib.exe +h R:\RECYCLER
Modifies file system:
Creates the following files:
- <Current directory>\ftp.bat
- <Current directory>\b.vbs
- <Current directory>\a.vbs
- <Current directory>\tmp
- %TEMP%\bt2516.bat
- C:\autorun.inf
- %TEMP%\reg
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- C:\autorun.inf
- %TEMP%\bt2516.bat
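The behaviour chain above (attrib +h on a drive-root autorun.inf or RECYCLER folder, a reg.exe add into the Run key pointing at a spooler-looking drop path, WSH explicitly enabled, wscript.exe launching a .vbs) is easy to hunt for in process-creation telemetry. The following detector is an added example, not code from this page or from the vendor; it runs over constructed Sysmon Event ID 1 style records (image plus command line) that mirror the command lines listed above. The record field names, the user paths, the drive letter E: and the benign control events are assumptions; the rules generalise slightly beyond the page (HKCU and RunOnce keys, cscript.exe as well as wscript.exe), and the worm verdict deliberately requires both the autorun-hiding and the Run-key step, since either alone has benign explanations.

```python
"""Detect the autorun-worm behaviour chain in process-creation records.
Example code added to this page, not the page author's or any vendor's.
Field names, sample paths and drive letters below are assumptions."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample events (Sysmon Event ID 1 style), modelled on the
# command lines listed above. The last two are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib.exe +h E:\autorun.inf"},
    {"image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib.exe +h E:\RECYCLER"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": (r"reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
                 r'/f /v "Print Spooler Process" '
                 r"/d C:\Windows\System32\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe")},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": (r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" '
                 r'/f /v "Enabled" /t REG_DWORD /d 00000001')},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\b.vbs"'},
    {"image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib.exe +r C:\Users\alice\notes.txt"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
# Drive-root autorun.inf / RECYCLER being hidden is the worm's spreading step.
DRIVE_ROOT_HIDE = re.compile(r"^[a-z]:\\(?:autorun\.inf|recycler)$", re.I)
RUN_KEY = re.compile(r"^(?:hklm|hkcu|hkey_local_machine|hkey_current_user)"
                     r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?$", re.I)
WSH_SETTINGS = re.compile(r"^(?:hklm|hkey_local_machine)"
                          r"\\software\\microsoft\\windows script host\\settings$", re.I)
SPOOL_DIR = re.compile(r"\\spool\\drivers\\", re.I)  # the drop directory used above


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Dict[str, str]:
    """Return key/value/type/data of a 'reg add' command line, or {} if it is not one."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[1].lower() != "add":
        return {}
    parsed = {"key": toks[2], "value": "", "data": "", "type": ""}
    names = {"/v": "value", "/d": "data", "/t": "type"}
    i = 3
    while i < len(toks):
        field = names.get(toks[i].lower())
        if field is not None and i + 1 < len(toks):
            parsed[field] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f and anything unrecognised take no argument here
    return parsed


def classify(event: Dict[str, str]) -> List[str]:
    """Sorted behaviour tags matched by one process-creation event ([] if none)."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    toks = tokenize(event["cmdline"])
    tags = set()
    if exe == "attrib.exe":
        flags = {t.lower() for t in toks if t.startswith(("+", "-"))}
        if "+h" in flags and any(DRIVE_ROOT_HIDE.match(t) for t in toks):
            tags.add("hide_autorun")
    elif exe == "reg.exe":
        reg = parse_reg_add(event["cmdline"])
        if reg:
            if RUN_KEY.match(reg["key"]):
                tags.add("run_key_persist")
                if SPOOL_DIR.search(reg["data"]):
                    tags.add("spool_dir_masquerade")
            if (WSH_SETTINGS.match(reg["key"]) and reg["value"].lower() == "enabled"
                    and reg["data"].lstrip("0") == "1"):
                tags.add("wsh_enable")
    elif exe in ("wscript.exe", "cscript.exe"):
        if any(t.lower().endswith(".vbs") for t in toks[1:]):
            tags.add("vbs_script_host")
    return sorted(tags)


def scan(events: List[Dict[str, str]]) -> Counter:
    """Count how often each tag fires across a batch of events."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(classify(ev))
    return counts


def looks_like_autorun_worm(events: List[Dict[str, str]]) -> bool:
    """Verdict requires both the spreading step and the persistence step."""
    seen = scan(events)
    return seen["hide_autorun"] > 0 and seen["run_key_persist"] > 0


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev) or '-'}: {ev['cmdline'][:72]}")
    print("worm-like chain:", looks_like_autorun_worm(SAMPLE_EVENTS))
```

On a real host the same logic applies to Sysmon or EDR process events grouped by parent process; on the disk side, a drive-root autorun.inf or RECYCLER entry carrying the hidden attribute, and a Run-key value whose data sits under the print spooler driver directory, are the artifacts to look for.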