Technical Information
Malicious functions:
Creates and executes the following:
- %TEMP%\201375.exe
- %TEMP%\201375.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\cmd.exe /c ""%TEMP%\abcd.bat" "<Full path to virus>" "
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
Modifies file system :
Creates the following files:
- %TEMP%\abcd.bat
- %TEMP%\201375.exe
Deletes itself.
Network activity:
Connects to:
- '5.##5.8.77':80
- '19#.#.184.77':80
- '19#.#.184.65':80
TCP:
HTTP GET requests:
- 5.##5.8.77/8bd7d5194/wert34g45ht
- 5.##5.8.77/8bd7d5194/wergwrg3gwer
- 5.##5.8.77/8bd7d5194/brgn424t235
- 5.##5.8.77/8bd7d5194/rebhg542
- 5.##5.8.77/8bd7d5194/werghw45gwe
HTTP POST requests:
- 19#.#.184.77/internet_goo.php
- 19#.#.184.65/internet_goo.php