Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '"%APPDATA%\spoolsv.exe"'
Malicious functions:
Executes the following:
- <SYSTEM32>\dumprep.exe 2768 -dm 7 7 "%TEMP%\WERdaba.dir00\spoolsv.exe.hdmp" 16325836412027324
- <SYSTEM32>\dumprep.exe 2768 -dm 7 7 "%TEMP%\WERdaba.dir00\spoolsv.exe.mdmp" 16325836412027304
Modifies file system :
Creates the following files:
- %TEMP%\WERdaba.dir00\spoolsv.exe.hdmp
- %TEMP%\WERdaba.dir00\spoolsv.exe.mdmp
- %TEMP%\WERdaba.dir00\manifest.txt
- %TEMP%\WERdaba.dir00\appcompat.txt
- %WINDIR%\spoolsv.exe
- %APPDATA%\Microsoft\comrepl.exe
- %APPDATA%\spoolsv.exe
- %WINDIR%\system\mstsc.exe
Network activity:
Connects to:
- 'www.ka###rus.com':80
TCP:
HTTP GET requests:
- www.ka###rus.com/img/gt.cgi?s=################
UDP:
- DNS ASK www.ka###rus.com