Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe <SYSTEM32>\winsas32.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\driver
Malicious functions:
To complicate detection of its presence in the operating system, forces the system to hide from view:
- hidden files
- file extensions
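The two registry artifacts above (the Winlogon Shell value extended with winsas32.exe, and the Explorer view settings that hide hidden files and file extensions) can be audited with the following script. This is an added example, not code from the report or the analysed sample. It assumes the hiding is done through the standard Explorer\Advanced values Hidden and HideFileExt (the report names only the effect, not the key), and the sample values below are constructed from the report with the <SYSTEM32> placeholder expanded to C:\Windows\System32.

```python
import re
import sys

# Winlogon's default shell. Any further entry in the Shell value is launched
# by Winlogon at logon, which is how the sample gets winsas32.exe started.
DEFAULT_SHELL = "explorer.exe"

# The report only states the effect (hidden files and extensions no longer
# shown). The Explorer settings controlling this live under this HKCU key;
# that the sample wrote these particular values is an assumption.
EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Analyst baseline to diff against. Note that HideFileExt = 1 is the Windows
# default, so a change relative to a known baseline is the signal, not the
# absolute value.
BASELINE_VIEW = {"Hidden": 1, "HideFileExt": 0}  # 1 = show hidden items, 0 = show extensions

# Constructed sample values: the Shell string from the report with the
# <SYSTEM32> placeholder expanded, and a view state matching the report.
SAMPLE_SHELL = r"Explorer.exe C:\Windows\System32\winsas32.exe"
SAMPLE_VIEW = {"Hidden": 2, "HideFileExt": 1}


def shell_extra_entries(shell_value):
    """Return the entries of a Winlogon 'Shell' value other than Explorer.

    The value is a comma- or whitespace-separated list of programs; quoted
    paths containing spaces are kept as one entry.
    """
    entries = [e.strip('"') for e in re.findall(r'"[^"]*"|[^\s,]+', shell_value)]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != DEFAULT_SHELL]


def view_setting_findings(values, baseline=BASELINE_VIEW):
    """Return (name, actual, expected) for each Explorer view value that
    differs from the baseline (a missing value counts as a difference)."""
    return [(name, values.get(name), want)
            for name, want in baseline.items() if values.get(name) != want]


def audit(shell_value, view_values):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"Winlogon Shell launches extra program: {e}"
                for e in shell_extra_entries(shell_value)]
    findings += [f"Explorer\\Advanced {name} = {actual!r}, baseline {want}"
                 for name, actual, want in view_setting_findings(view_values)]
    return findings


def read_live_settings():
    """Read both artifacts from the local registry; Windows only."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
    view = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_ADVANCED) as key:
        for name in BASELINE_VIEW:
            try:
                view[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return shell, view


if __name__ == "__main__":
    live = read_live_settings()
    shell, view = live if live else (SAMPLE_SHELL, SAMPLE_VIEW)
    for line in audit(shell, view) or ["no findings"]:
        print(line)
```

On a Windows host the script reads the live values; elsewhere it falls back to the constructed sample so the logic can still be exercised. Because the Explorer view values are per-user, a real sweep should query every loaded user hive, not only HKCU of the account running the script.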
Creates and executes the following:
- '<SYSTEM32>\winsas32.exe'
Executes the following:
- '<SYSTEM32>\taskkill.exe' /f /im NOD32KUI.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCUPDATE.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NOD32.exe /t
- '<SYSTEM32>\net1.exe' /f /im NAVSTUB.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NOD32KRN.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCTOOL.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVWNT.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCVSRTE.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCAGENT.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCMNHDLR.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im MCTOOL.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im NAVW32.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im MCVSRTE.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im MCAGENT.exe /t
- '<SYSTEM32>\alg.exe' /pid=2996
- '<SYSTEM32>\taskkill.exe' /pid=3104
- '<SYSTEM32>\taskkill.exe' /pid=2980
- '<SYSTEM32>\taskkill.exe' /pid=2992
- '<SYSTEM32>\net1.exe' /c taskkill /f /im MCVSESCN.exe /t
- '<SYSTEM32>\net1.exe' /pid=3048
- '<SYSTEM32>\taskkill.exe' /f /im NAVW32.exe /t
- '<SYSTEM32>\net.exe' STOP SharedAccess
- '<SYSTEM32>\net.exe' STOP wuauserv
- '<SYSTEM32>\net1.exe' STOP MCSHIELD
- '<SYSTEM32>\net1.exe' STOP AntiVirservice
- '<SYSTEM32>\net1.exe' STOP AntiVirScheduler
- '<SYSTEM32>\net.exe' STOP MCSHIELD
- '<SYSTEM32>\regsvr32.exe' /s MSWINSCK.OCX
- '<SYSTEM32>\net.exe' STOP AntiVirScheduler
- '<SYSTEM32>\net.exe' STOP AntiVirservice
- '<SYSTEM32>\net.exe' STOP NOD32 Kernel Service
- '<SYSTEM32>\taskkill.exe' /f /im NAVAPW32.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVAPSVC.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVDX.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVSTUB.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVLU32.exe /t
- '<SYSTEM32>\net1.exe' STOP wuauserv
- '<SYSTEM32>\net1.exe' STOP NOD32 Kernel Service
- '<SYSTEM32>\net1.exe' STOP SharedAccess
- '<SYSTEM32>\taskkill.exe' /f /im MCVSFTSN.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCVSESCN.exe /t
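The command lines above are a compact signature: a burst of taskkill /f /im against NOD32, McAfee and Norton images, net stop of their services together with the firewall (SharedAccess) and Windows Update (wuauserv), and registration of the dropped MSWINSCK.OCX. Several entries also carry taskkill- or net-style arguments under a different image (net1.exe with /f /im, alg.exe with /pid=), which is what the injection into taskkill.exe, net.exe and net1.exe looks like in process-creation telemetry. The detection logic below is an added example, not code from the report; the event records are constructed from the report's command lines with <SYSTEM32> expanded to C:\Windows\System32, plus one unrelated net stop as a control.

```python
import re
from collections import Counter

# Process image names and service names taken from the command lines in
# the report. SharedAccess (Windows Firewall / ICS) and wuauserv (Windows
# Update) are not antivirus components but are stopped alongside them.
SECURITY_IMAGES = {name.lower() for name in (
    "NOD32KUI.exe", "NOD32.exe", "NOD32KRN.exe",
    "MCUPDATE.exe", "MCTOOL.exe", "MCVSRTE.exe", "MCAGENT.exe",
    "MCMNHDLR.exe", "MCVSESCN.exe", "MCVSFTSN.exe",
    "NAVW32.exe", "NAVWNT.exe", "NAVAPW32.exe", "NAVAPSVC.exe",
    "NAVDX.exe", "NAVSTUB.exe", "NAVLU32.exe")}
SECURITY_SERVICES = {name.lower() for name in (
    "MCSHIELD", "AntiVirservice", "AntiVirScheduler", "NOD32 Kernel Service",
    "SharedAccess", "wuauserv")}

TASKKILL_IMAGE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
TASKKILL_PID = re.compile(r"/pid\b", re.IGNORECASE)
NET_STOP = re.compile(r"\bstop\s+(.+?)\s*$", re.IGNORECASE)

# Constructed process-creation records (image path, arguments) built from
# the report's command lines; the last one is an unrelated control.
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    (S32 + r"\taskkill.exe", "/f /im NOD32KUI.exe /t"),
    (S32 + r"\taskkill.exe", "/f /im MCUPDATE.exe /t"),
    (S32 + r"\net1.exe", "/f /im NAVSTUB.exe /t"),
    (S32 + r"\taskkill.exe", "/c taskkill /f /im NAVW32.exe /t"),
    (S32 + r"\alg.exe", "/pid=2996"),
    (S32 + r"\net.exe", "STOP SharedAccess"),
    (S32 + r"\net.exe", "STOP NOD32 Kernel Service"),
    (S32 + r"\net1.exe", "STOP MCSHIELD"),
    (S32 + r"\regsvr32.exe", "/s MSWINSCK.OCX"),
    (S32 + r"\net.exe", "STOP Spooler"),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(image, args):
    """Tag one process-creation record.

    kills_security_image     taskkill /im against a known security image
    stops_security_service   net stop of a security, firewall or update service
    registers_winsock_ocx    regsvr32 of the dropped MSWINSCK.OCX
    args_do_not_match_image  taskkill- or net-style arguments recorded under
                             another image (the injected net1.exe/alg.exe cases)
    """
    tags = set()
    name = image_name(image)
    kill = TASKKILL_IMAGE.search(args)
    stop = NET_STOP.search(args)
    if kill and kill.group(1).lower() in SECURITY_IMAGES:
        tags.add("kills_security_image")
    if stop and stop.group(1).lower() in SECURITY_SERVICES:
        tags.add("stops_security_service")
    if name == "regsvr32.exe" and "mswinsck.ocx" in args.lower():
        tags.add("registers_winsock_ocx")
    taskkill_style = bool(kill or TASKKILL_PID.search(args))
    if (taskkill_style and name != "taskkill.exe") or (stop and name not in ("net.exe", "net1.exe")):
        tags.add("args_do_not_match_image")
    return tags


def summarize(events):
    """Count tags over a batch and collect the distinct security images targeted."""
    counts, targets = Counter(), set()
    for image, args in events:
        tags = classify(image, args)
        counts.update(tags)
        if "kills_security_image" in tags:
            targets.add(TASKKILL_IMAGE.search(args).group(1).lower())
    return counts, targets


def is_av_tampering(events, threshold=3):
    """Alert when several distinct security images are killed or several
    security services stopped; a single taskkill is routine admin activity."""
    counts, targets = summarize(events)
    return len(targets) >= threshold or counts["stops_security_service"] >= threshold
```

The image/argument mismatch tag is the one worth keeping even if the product list goes stale: taskkill.exe and net.exe have a fixed argument grammar, so arguments in that grammar appearing under alg.exe or net1.exe point at code running inside a process it does not belong to, whatever product the arguments name.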
Injects code into
the following system processes:
- <SYSTEM32>\taskkill.exe
- <SYSTEM32>\net.exe
- <SYSTEM32>\net1.exe
the following user processes:
- nod32.exe
Terminates or attempts to terminate
the following user processes:
- NAVAPW32.EXE
- nod32.exe
Modifies file system:
Creates the following files:
- <SYSTEM32>\winsas32.ico
- <SYSTEM32>\winsas32
- C:\i
- <SYSTEM32>\winsas32.exe
- <SYSTEM32>\MSWINSCK.OCX
- C:\autorun.inf
- C:\driver
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\driver.exe
- <SYSTEM32>\winsas32.exe
- <Drive name for removable media>:\autorun.inf
- C:\autorun.inf
- C:\driver.exe
Deletes the following files:
- %TEMP%\~DF2DD8.tmp
- C:\i
- C:\driver
- <Drive name for removable media>:\driver
Moves the following files:
- from <SYSTEM32>\winsas32 to <SYSTEM32>\winsas32.exe
- from C:\driver to C:\driver.exe
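The file artifacts listed in this section (autorun.inf and driver.exe on C:\ and on every removable drive, winsas32.exe and MSWINSCK.OCX in the system directory, the hidden attribute on the droppers) make a straightforward host triage check. The script below is an added example, not code from the report: it scans drive roots and the system directory for those names, reports the hidden attribute where the platform exposes it, and parses an autorun.inf to show which program it would launch. The report does not reproduce the autorun.inf contents, so the sample file here is constructed, and the temporary directory layout in demo() is built to mirror the report rather than taken from a real infection.

```python
import os
import stat
import tempfile

# File names from the report. Root artifacts appear on C:\ and on every
# removable drive; 'driver' is renamed to 'driver.exe' once written.
ROOT_IOCS = {"autorun.inf", "driver", "driver.exe"}
SYSTEM32_IOCS = {"winsas32", "winsas32.exe", "winsas32.ico", "mswinsck.ocx"}


def is_hidden(path):
    """True if the file carries the Windows 'hidden' attribute. Python only
    exposes st_file_attributes on Windows, so elsewhere this returns False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def _matches(directory, wanted):
    """Case-insensitive match of directory entries against an IOC set."""
    try:
        names = os.listdir(directory)
    except OSError:  # drive not ready, permission denied, ...
        return []
    return [(n.lower(), os.path.join(directory, n), is_hidden(os.path.join(directory, n)))
            for n in names if n.lower() in wanted]


def scan(drive_roots, system32):
    """Return sorted (name, path, hidden) tuples for every IOC found."""
    hits = []
    for root in drive_roots:
        hits += _matches(root, ROOT_IOCS)
    hits += _matches(system32, SYSTEM32_IOCS)
    return sorted(hits)


def _first_token(value):
    """Program part of a command value; handles a quoted path with spaces."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text):
    """Return the programs an autorun.inf would launch.

    Minimal parser for the INI-like format: only the [autorun] section is
    read, and the command keys Windows honours (open, shellexecute and
    shell\\<verb>\\command) are collected; arguments are dropped.
    """
    programs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            program = _first_token(value)
            if program and program.lower() not in [p.lower() for p in programs]:
                programs.append(program)
    return programs


# Constructed autorun.inf: what a file pointing at the dropped driver.exe
# would plausibly contain, not the sample's actual file.
SAMPLE_AUTORUN = """[autorun]
open=driver.exe
shell\\open\\command=driver.exe
shellexecute=driver.exe /s
icon=driver.exe
"""


def demo():
    """Build a temporary layout mirroring the report and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "drive_root")
        system32 = os.path.join(tmp, "System32")
        os.makedirs(root)
        os.makedirs(system32)
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        for name in ("driver.exe",):
            open(os.path.join(root, name), "w").close()
        for name in ("winsas32.exe", "MSWINSCK.OCX", "notepad.exe"):
            open(os.path.join(system32, name), "w").close()
        return [name for name, _, _ in scan([root], system32)]
```

On a live Windows host, pass the roots of all mounted drives (the report shows the same pair on C:\ and on removable media) and %SystemRoot%\System32 to scan(); the hidden flag in each hit is the attribute the report says the sample sets on autorun.inf and driver.exe. MSWINSCK.OCX is a legitimate Winsock control, so its presence alone is not conclusive; its appearance in System32 next to winsas32.exe is what makes it an indicator here.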
Network activity:
Connects to:
- '<Private IP address>':139
- '<Private IP address>':445
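Connections to private addresses on 139 and 445 are the network side of the spreading behaviour: the sample probes neighbouring hosts for SMB. A single workstation reaching many distinct internal SMB endpoints in a short span is rare outside of scanners and worms, so fan-out over a time window is a usable detector. The code below is an added example rather than anything from the report; the flow records are constructed (one sweeping host, one host doing normal file-server access, one non-internal destination that is ignored).

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# RFC 1918 only. ipaddress's is_private would also count documentation
# ranges such as 203.0.113.0/24, so the ranges are spelled out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def smb_fanout(records, window_s=60, threshold=8):
    """records: iterable of (timestamp_s, src_ip, dst_ip, dst_port).

    For each source, finds the largest number of distinct internal hosts
    contacted on 139/445 within any window_s-second span, and returns
    {src: count} for sources at or above threshold. A workstation talking
    to a few file servers stays well under it; a host sweeping the subnet
    does not.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in SMB_PORTS and is_internal(dst):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, conns in per_src.items():
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):
            # slide the left edge so the span never exceeds window_s
            while conns[end][0] - conns[start][0] > window_s:
                start += 1
            best = max(best, len({dst for _, dst in conns[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


# Constructed flow records: 10.0.0.5 sweeps a dozen neighbours on 445 and one
# on 139 within half a minute (plus one non-internal address, ignored);
# 10.0.0.7 reaches its file server 10.0.0.50 a few times over two minutes.
SAMPLE_RECORDS = (
    [(t, "10.0.0.5", f"10.0.0.{100 + t}", 445) for t in range(12)]
    + [(20, "10.0.0.5", "10.0.0.120", 139), (21, "10.0.0.5", "203.0.113.9", 445)]
    + [(30 * t, "10.0.0.7", "10.0.0.50", 445) for t in range(5)]
)
```

The window and threshold are the tuning knobs: domain controllers, backup servers and vulnerability scanners legitimately touch many SMB endpoints and belong on an allow-list, while the report's sample, which walks private addresses directly, will exceed a threshold of eight distinct hosts within a minute on any populated subnet.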
Miscellaneous:
Searches for the following windows:
- ClassName: '(null)' WindowName: 'System Configuration Utility'
- ClassName: '(null)' WindowName: '<SYSTEM32>'
- ClassName: '(null)' WindowName: 'Windows Task Manager'
- ClassName: '(null)' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'Registry Editor'