Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe] 'Debugger' = 'cwrdsye_.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe] 'Debugger' = 'dttezfx_.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe] 'Debugger' = 'xxyiof_.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'gjmynan_.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows License Check' = '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Windows License Check' = '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows License Check' = '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\SSDPSRV] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system to hide from view:
- hidden files
Creates and executes the following:
- '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
Executes the following:
- '<SYSTEM32>\wuauclt.exe'
Searches for registry branches where third party applications store passwords:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander]
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander Deluxe]
- [<HKCU>\Software\FTPWare\CoreFTP\Sites]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2500' = '00000003'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '2500' = '00000003'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2500' = '00000003'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2500' = '00000003'
Modifies file system:
Creates the following files:
- %CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe
Sets the 'hidden' attribute to the following files:
- %CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe
Network activity:
Connects to:
- '20#.#6.232.182':80
UDP:
- DNS ASK as####.hfgfr56745fg.com
- DNS ASK microsoft.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'cccccccc' WindowName: 'uuuuuuuu'
- ClassName: 'vohohoho' WindowName: 'giaiaiai'
- ClassName: 'fdhzbbbb' WindowName: 'ysauiiii'
- ClassName: 'txtxtxtx' WindowName: 'gcgcgcgc'
- ClassName: 'zmlkripg' WindowName: 'uusccgug'
- ClassName: 'uuuuuuuu' WindowName: 'aaaaaaaa'
- ClassName: 'xjtnprlv' WindowName: 'cygiucsg'
- ClassName: 'xxxxxxxx' WindowName: 'cccccccc'
- ClassName: 'ndfxdfxd' WindowName: 'isycsycs'
- ClassName: 'imwwwwww' WindowName: 'guyyyyyy'
- ClassName: 'raxqzsby' WindowName: 'cicsuyis'
- ClassName: 'hfptvtvt' WindowName: 'ayuggggg'
- ClassName: 'xvdxvdxv' WindowName: 'cgscgscg'
- ClassName: 'eeeeeeee' WindowName: 'cccccccc'
- ClassName: 'vcxwdqfs' WindowName: 'gucyssyy'
- ClassName: 'djtflnpj' WindowName: 'sygysiuy'
- ClassName: 'gggggggg' WindowName: 'gggggggg'
- ClassName: 'xtxtxtxt' WindowName: 'cgcgcgcg'
- ClassName: 'ffffffff' WindowName: 'yyyyyyyy'
- ClassName: 'fyrapkpk' WindowName: 'ysciucuc'
- ClassName: 'pppppppp' WindowName: 'uuuuuuuu'
- ClassName: 'rixgveby' WindowName: 'cgcggcis'
- ClassName: 'xsvqbytw' WindowName: 'cygsisgy'
- ClassName: 'bdfztptp' WindowName: 'isyugugu'
- ClassName: 'wwwwwwww' WindowName: 'yyyyyyyy'
- ClassName: 'kmqaiuyi' WindowName: 'cusigasg'
- ClassName: 'zzzzzzzz' WindowName: 'uuuuuuuu'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: '' WindowName: ''
- ClassName: 'hyxqjotc' WindowName: 'ascsyigu'
- ClassName: 'vunopqrk' WindowName: 'gaiiuscc'
- ClassName: 'bdbdbdbd' WindowName: 'isisisis'
- ClassName: 'hbphbphb' WindowName: 'aiuaiuai'
- ClassName: 'dddddddd' WindowName: 'ssssssss'
- ClassName: 'zuxsdmfo' WindowName: 'uacysuyi'
- ClassName: 'oooooooo' WindowName: 'iiiiiiii'
- ClassName: 'jmpknitg' WindowName: 'yuuciggg'
- ClassName: 'bzjbzjbz' WindowName: 'iuyiuyiu'
- ClassName: 'nxbfvlzn' WindowName: 'iciygsui'
- ClassName: 'fahqhqhq' WindowName: 'yiasasas'
- ClassName: 'bnrjxxxx' WindowName: 'iicycccc'
- ClassName: 'lhlhlhlh' WindowName: 'sasasasa'
- ClassName: 'zevirmpk' WindowName: 'ucggcuuc'