Technical Information
Malicious functions:
Executes the following:
- %WINDIR%\sleep.exe 5
- <SYSTEM32>\cmd.exe /c ""<Current directory>\123.bat" "
Modifies file system :
Creates the following files:
- <Current directory>\123.bat
- %HOMEPATH%\Desktop\40ёёїш ДнЖщ.jpg
- <Current directory>\icon_tmp.ppp
Deletes the following files:
- <Current directory>\icon_tmp.ppp
Deletes itself.
Network activity:
Connects to:
- 'po##.#o-diva.co.kr':80
- 'www.wo##izip.kr':80
TCP:
HTTP GET requests:
- www.wo##izip.kr/ico/
- po##.#o-diva.co.kr/adrive-coupon/47.jpg
- www.wo##izip.kr/lnkf/lst.php
- www.wo##izip.kr/lnkf/sres.php?pd##################
UDP:
- DNS ASK po##.#o-diva.co.kr
- DNS ASK www.wo##izip.kr
- '<Private IP address>':1036
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WINHELP' WindowName: ''