Technical Information
Malicious functions:
Creates and executes the following:
- <Current directory>\ConfigUpdate.exe
- <Current directory>\ConfigUpdate.exe (downloaded from the Internet)
Modifies file system :
Creates the following files:
- <Current directory>\ConfigUpdate.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\partner[1]
- %HOMEPATH%\Desktop\ТЧ»гНЁКµК±РВОЕ.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ConfigUpdate[1].txt
Network activity:
Connects to:
- 'zi###.fx678.com':6000
- 'zi###.fx678.com':80
- 'localhost':1035
- 'do##.fx678.com':80
TCP:
HTTP GET requests:
- zi###.fx678.com/partner
- do##.fx678.com/version/yhtnews/ConfigUpdate.txt
UDP:
- DNS ASK zi###.fx678.com
- DNS ASK do##.fx678.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''