Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Windows Update.exe
- %HOMEPATH%\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\6514D49585E42555\winlogon.exe' = '%HOMEPATH%\6514D49585E42555\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\6514D49585E42555\winlogon.exe' = '%HOMEPATH%\6514D49585E42555\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750'
- [<HKLM>\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\6514D49585E42555\winlogon.exe' = '%HOMEPATH%\6514D49585E42555\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246'
- [<HKLM>\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\6514D49585E42555\winlogon.exe' = '%HOMEPATH%\6514D49585E42555\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- %HOMEPATH%\6514D49585E42555\winlogon.exe
Executes the following:
- <SYSTEM32>\svchost.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Internet Explorer\Download] 'RunInvalidSignatures' = '00000001'
- [<HKCU>\Software\Microsoft\Internet Explorer\Download] 'CheckExeSignatures' = 'no'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Associations] 'LowRiskFileTypes' = '.exe'
Modifies file system :
Creates the following files:
- %ALLUSERSPROFILE%\Start Menu\Windows DVD Maker.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\Windows Media Center.exe
- %HOMEPATH%\Start Menu\Programs\Internet Explorer.exe
- %HOMEPATH%\6514D49585E42555\winlogon.exe
- %HOMEPATH%\Start Menu\Fax y Escaner de Windows.exe
Network activity:
Connects to:
- 'wh##.amung.us':80
TCP:
HTTP GET requests:
- wh##.amung.us/swidget/26n2qf7pnk0x
UDP:
- DNS ASK 77##########1wqjddb06mu0k23uo6.ipcheker.com
- DNS ASK 38##########9q82l309l8fc8038hf.ipgreat.com
- DNS ASK 73##########j4a6bqy81bhmc527k9.ipgreat.com
- DNS ASK wh##.amung.us
- DNS ASK 23##########82n62825793k5bqi6e.ipcheker.com