Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\RSMSS] 'Start' = '00000002'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\cmd.exe' = '<SYSTEM32>\cmd.exe:*:Enabled:@xpsp2res.dll,-22019'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\RevShell2.exe' = '<SYSTEM32>\RevShell2.exe:*:Enabled:@xpsp2res.dll,-22019'
Executes the following:
- '<SYSTEM32>\net1.exe' start "Remote Service Manager"
- '<SYSTEM32>\sc.exe' failure "RSMSS" reset= 60 actions= restart/60
Network activity:
Connects to:
- 'ge####ll.dyndns.org':443
UDP:
- DNS ASK ge####ll.dyndns.org
Miscellaneous:
Searches for the following windows:
- ClassName: '(null)' WindowName: '<Full path to virus>'