Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Control\SafeBoot\Network] 'ctfmon.exe' = 'ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe] 'Debugger' = 'avmgsa.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = 'ctfmon.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\SafeBoot\Minimal] 'ctfmon.exe' = 'ctfmon.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\CACHE-19204730\comd.sys
- <Drive name for removable media>:\CACHE-19204730\Desktop.ini
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\avmgsa.exe' = '<SYSTEM32>\avmgsa.exe:*:Enabled:Windows Live'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\avmgsa.exe' = '<SYSTEM32>\avmgsa.exe:*:Enabled:Windows Live'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
blocks the following features:
- System Restore (SR)
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\avmgsa.exe'
Executes the following:
- '<SYSTEM32>\sc.exe' config NOD32krn start= disabled
- '<SYSTEM32>\sc.exe' stop NOD32krn
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\sc.exe' delete NOD32krn
- '<SYSTEM32>\net1.exe' stop NOD32krn
- '<SYSTEM32>\net.exe' stop NOD32krn
- '<SYSTEM32>\sc.exe' stop avg8wd
- '<SYSTEM32>\net.exe' stop avg8wd
- '<SYSTEM32>\sc.exe' config avg8wd start= disabled
- '<SYSTEM32>\sc.exe' delete avg8wd
- '<SYSTEM32>\net1.exe' stop avg8wd
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Terminates or attempts to terminate
the following user processes:
- GUARD.EXE
- spidernt.exe
- nod32.exe
- zlclient.exe
- ntvdm.exe
- MCAGENT.EXE
- fsav32.exe
- bdss.exe
- bdagent.exe
- 360tray.exe
- fsav.exe
- Drweb32w.exe
- ClamWin.exe
Searches for windows to
detect programs and games:
- ClassName: 'MSBLWindowClass' WindowName: ''
Hides the following processes:
- <Full path to virus>
- <SYSTEM32>\avmgsa.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\avmgsa.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\CACHE-19204730\comd.sys
- <SYSTEM32>\avmgsa.exe
Modifies the HOSTS file.
Deletes itself.
Network activity:
Connects to:
- 'se#####.flash-adobe.info':34091
UDP:
- DNS ASK se#####.flash-adobe.info
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''