Technical Information
Malicious functions:
Creates and executes the following:
- <SYSTEM32>\wmpcdg.exe
Executes the following:
- <SYSTEM32>\ntvdm.exe -f -i1
- <SYSTEM32>\ipconfig.exe /flushdns
Modifies file system :
Creates the following files:
- %WINDIR%\Temp\scs1.tmp
- %HOMEPATH%xplore.exe
- <SYSTEM32>\wmpcdg.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\wmpcdg.exe
Network activity:
Connects to:
- 'im###hut4.cn':80
- 'wi###ounter.net':80
TCP:
HTTP GET requests:
- im###hut4.cn/update/utu.dat
UDP:
- DNS ASK im###hut4.cn
- DNS ASK wi###ounter.net
- '<Private IP address>':1036
Miscellaneous:
Searches for the following windows:
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-be0.be4.380001'