Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\sdk] 'Name' = '"%TEMP%\2.tmp"'
Malicious functions:
Injects code into
the following system processes:
- <SYSTEM32>\spoolsv.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\wpad[1].dat
- %WINDIR%\Temp\3.tmp
- %TEMP%\1.tmp
Deletes the following files:
- %WINDIR%\Temp\3.tmp
- %TEMP%\2.tmp
Moves itself:
- from <Full path to virus> to %TEMP%\4.tmp
Network activity:
Connects to:
- 'wpad.localdomain':80
- 'wi#######rversystemupdate.com':80
TCP:
HTTP GET requests:
- wpad.localdomain/wpad.dat
- wi#######rversystemupdate.com/version/xtasks.php?1_#######################################################################################################
UDP:
- DNS ASK wpad.localdomain
- DNS ASK wi#######rversystemupdate.com