Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\office.e6e
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\ services.exe'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\showmyip[1]
- <SYSTEM32>\~systemlg\}sez.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\showmyip[1]
- <SYSTEM32>\ services.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\office.e6e
Deletes the following files:
- %TEMP%\~DFD26E.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\showmyip[1]
Network activity:
Connects to:
- 'localhost':1039
- 'www.sh###yip.com':80
- 'localhost':1036
TCP:
HTTP GET requests:
- www.sh###yip.com/
UDP:
- DNS ASK www.sh###yip.com