Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Firewall.cpl] 'Debugger' = 'wuauc'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'wuauc'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '*' = '"%ALLUSERSPROFILE%\WinMngr\svchost.exe"'
Changes the following executable system files:
- <SYSTEM32>\mmc.exe.3huX6
- <SYSTEM32>\Firewall.cpl.1qer99
Substitutes the following executable system files:
- <SYSTEM32>\mmc.exe.B0718HIps with <SYSTEM32>\mmc.exe.B0718HIps
- <SYSTEM32>\Firewall.cpl.172L43Mi with <SYSTEM32>\Firewall.cpl.172L43Mi
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Creates and executes the following:
- '%ALLUSERSPROFILE%\WinMngr\procmon.exe'
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall set opmode mode=disable profile=all
- '<SYSTEM32>\sc.exe' config SharedAccess start= disabled
Modifies file system :
Creates the following files:
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\rp.log
- <SYSTEM32>\mmc.exe.39O8o02
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\RestorePointSize
- <SYSTEM32>\firewall.cpl:Zone.Identifier
- <SYSTEM32>\mmc.exe:Zone.Identifier
- <SYSTEM32>\Firewall.cpl.6XTKAoj00
- <SYSTEM32>\mmc.exe.new
- %ALLUSERSPROFILE%\WinMngr\procmon.exe
- <SYSTEM32>\firewall.cpl.new
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\fifo.log
- <SYSTEM32>\mmc.exe.p13gZN12H
Sets the 'hidden' attribute to the following files:
- %ALLUSERSPROFILE%\WinMngr\procmon.exe
Deletes the following files:
- <SYSTEM32>\CWAxTSMzOZNsdpvBFcRRfqQMp
- <SYSTEM32>\mmc.exe:Zone.Identifier
- <SYSTEM32>\pVUiVNqJhvWxeIbNWNbx
- <SYSTEM32>\lbKJPSBIXOWDHXJCsfYIn
- <SYSTEM32>\wELwCKpJFWCXpal
- <SYSTEM32>\WcIrQvEvuwSCnpGzl
Moves the following system files:
- from <SYSTEM32>\uekJKibocoCZxF to <SYSTEM32>\IgXAFZVQRdzIMyBVc
- from <SYSTEM32>\IgXAFZVQRdzIMyBVc to <SYSTEM32>\EoJwQrrPPLQpBDa
- from <SYSTEM32>\EoJwQrrPPLQpBDa to <SYSTEM32>\oJnoBgtOdOyDnIHti
- from <SYSTEM32>\nbYOSPCRQwHlk to <SYSTEM32>\uekJKibocoCZxF
- from <SYSTEM32>\mmc.exe.3huX6 to <SYSTEM32>\GKZxdRmNmGhfUIMlA
- from <SYSTEM32>\GKZxdRmNmGhfUIMlA to <SYSTEM32>\wiuSkPmHCMzFP
- from <SYSTEM32>\wiuSkPmHCMzFP to <SYSTEM32>\nbYOSPCRQwHlk
- from <SYSTEM32>\bqZcgqpFTbTfGZ@K to <SYSTEM32>\OmpTBLldhQWkRj
- from <SYSTEM32>\OmpTBLldhQWkRj to <SYSTEM32>\lONukvmQbZUeU
- from <SYSTEM32>\lONukvmQbZUeU to <SYSTEM32>\wELwCKpJFWCXpal
- from <SYSTEM32>\xaXsKANeflQLX to <SYSTEM32>\bqZcgqpFTbTfGZ@K
- from <SYSTEM32>\oJnoBgtOdOyDnIHti to <SYSTEM32>\NavrTerVaAmsElOTT
- from <SYSTEM32>\NavrTerVaAmsElOTT to <SYSTEM32>\JqZKLoAbyZEZfXv
- from <SYSTEM32>\JqZKLoAbyZEZfXv to <SYSTEM32>\xaXsKANeflQLX
- from <SYSTEM32>\mmc.exe to <SYSTEM32>\mmc.exe.3huX6
- from <SYSTEM32>\DfNdAGRMRbxpnc@aDlGcUL to <SYSTEM32>\nEgdRtuGtOJKxNpeyjsjnR
- from <SYSTEM32>\nEgdRtuGtOJKxNpeyjsjnR to <SYSTEM32>\OgXgqvMnWEqWllGFqiuZYU
- from <SYSTEM32>\OgXgqvMnWEqWllGFqiuZYU to <SYSTEM32>\ylOswysiMXffiDxlfqMauXl
- from <SYSTEM32>\GeOBWNkkxFAAucIiLgnI to <SYSTEM32>\DfNdAGRMRbxpnc@aDlGcUL
- from <SYSTEM32>\firewall.cpl to <SYSTEM32>\Firewall.cpl.1qer99
- from <SYSTEM32>\Firewall.cpl.1qer99 to <SYSTEM32>\EXESKYYmHfabsCHHlGMR
- from <SYSTEM32>\EXESKYYmHfabsCHHlGMR to <SYSTEM32>\GeOBWNkkxFAAucIiLgnI
- from <SYSTEM32>\EOSQpKszzmIoVWLNYOSX to <SYSTEM32>\uBQtxtqJuoaUEzpVZUxPrQ
- from <SYSTEM32>\uBQtxtqJuoaUEzpVZUxPrQ to <SYSTEM32>\ShmYxflqCqPxEUcZVUQDdB
- from <SYSTEM32>\ShmYxflqCqPxEUcZVUQDdB to <SYSTEM32>\lbKJPSBIXOWDHXJCsfYIn
- from <SYSTEM32>\CoqxCBCobnTJzLwoogOb to <SYSTEM32>\EOSQpKszzmIoVWLNYOSX
- from <SYSTEM32>\ylOswysiMXffiDxlfqMauXl to <SYSTEM32>\tKJfpbpxKiasqnEaNPLgWh
- from <SYSTEM32>\tKJfpbpxKiasqnEaNPLgWh to <SYSTEM32>\HnPpDaRoOPGsiXkhnPlWk
- from <SYSTEM32>\HnPpDaRoOPGsiXkhnPlWk to <SYSTEM32>\CoqxCBCobnTJzLwoogOb
Moves the following files:
- from <SYSTEM32>\ElasBLwnTygySVtRxpiNrfXB to <SYSTEM32>\YkUtnQLVzUUJUMyFVTlpyjqE
- from <SYSTEM32>\EMpQeuYsYEXhaaEChsXfO to <SYSTEM32>\MFyKzxeaUjPmgECMgSscQ
- from <SYSTEM32>\MFyKzxeaUjPmgECMgSscQ to <SYSTEM32>\IINEQISCKxgXHCLwVrRMS
- from <SYSTEM32>\IINEQISCKxgXHCLwVrRMS to <SYSTEM32>\YXzVtTYQWSTMNbTiBnOLi
- from <SYSTEM32>\YkUtnQLVzUUJUMyFVTlpyjqE to <SYSTEM32>\oxWpTKqMvmYZM@kMQfnXeRfRZ
- from <SYSTEM32>\xhVfoPSVIVReyeOpvSbSJe to <SYSTEM32>\ElasBLwnTygySVtRxpiNrfXB
- from <SYSTEM32>\mlIodJvSjRDwcIulJcAGPoBgl to <SYSTEM32>\funevNUApLsbxZKw`vMPEiAx
- from <SYSTEM32>\PASovEKIbN@uIkoLwD to <SYSTEM32>\wmcnAKpnLKiOiXSGMXyH
- from <SYSTEM32>\wmcnAKpnLKiOiXSGMXyH to <SYSTEM32>\AhkqEEsphBmDRhBNkprr
- from <SYSTEM32>\AhkqEEsphBmDRhBNkprr to <SYSTEM32>\EMpQeuYsYEXhaaEChsXfO
- from <SYSTEM32>\funevNUApLsbxZKw`vMPEiAx to <SYSTEM32>\xhVfoPSVIVReyeOpvSbSJe
- from <SYSTEM32>\oxWpTKqMvmYZM@kMQfnXeRfRZ to <SYSTEM32>\gMaNymZbdUJbjATqvgpeyXn
- from <SYSTEM32>\KOjbiXikmDhleiQMNjoJG to <SYSTEM32>\xyVrNncMozRRsFYBGwo
- from <SYSTEM32>\QgYrsuxeiLwckYDBXqeII to <SYSTEM32>\KOjbiXikmDhleiQMNjoJG
- from <SYSTEM32>\xyVrNncMozRRsFYBGwo to <SYSTEM32>\MlFzoUKJRpNSiNdfcGbS
- from <SYSTEM32>\DvkHcmytZMGraqgdRmuG to <SYSTEM32>\pVUiVNqJhvWxeIbNWNbx
- from <SYSTEM32>\MlFzoUKJRpNSiNdfcGbS to <SYSTEM32>\DvkHcmytZMGraqgdRmuG
- from <SYSTEM32>\kteQGCQSyttyncgWV to <SYSTEM32>\QgYrsuxeiLwckYDBXqeII
- from <SYSTEM32>\gMaNymZbdUJbjATqvgpeyXn to <SYSTEM32>\vZMscoYSIlDSXpSyBtupLHfy
- from <SYSTEM32>\YXzVtTYQWSTMNbTiBnOLi to <SYSTEM32>\lCBTnPbpBoIpyMyIE
- from <SYSTEM32>\lCBTnPbpBoIpyMyIE to <SYSTEM32>\jzTdDaOatqvhTIegUjRP
- from <SYSTEM32>\vZMscoYSIlDSXpSyBtupLHfy to <SYSTEM32>\CWAxTSMzOZNsdpvBFcRRfqQMp
- from <SYSTEM32>\jzTdDaOatqvhTIegUjRP to <SYSTEM32>\kteQGCQSyttyncgWV
- from <SYSTEM32>\CRfrGXDJRFKlVYEdpJCcSJmq to <SYSTEM32>\mlIodJvSjRDwcIulJcAGPoBgl
- from <SYSTEM32>\yJKPqElMmhjTqGEJH to <SYSTEM32>\iQNYFVbqxMsKRqT
- from <SYSTEM32>\UvvBvyzTcSwxRPg to <SYSTEM32>\yJKPqElMmhjTqGEJH
- from <SYSTEM32>\iQNYFVbqxMsKRqT to <SYSTEM32>\IxbrjMblkwIhCoeY
- from <SYSTEM32>\VxzMnByvsqcziOQxMg to <SYSTEM32>\yBRNiGBjUuljpvVQtV
- from <SYSTEM32>\IxbrjMblkwIhCoeY to <SYSTEM32>\VxzMnByvsqcziOQxMg
- from <SYSTEM32>\TEdKEJUzuxrXvlluzd to <SYSTEM32>\UvvBvyzTcSwxRPg
- from <SYSTEM32>\hgwaaeGivDdIXCiVi to <SYSTEM32>\AOEFGuewLilpfui
- from <SYSTEM32>\mmc.exe.39O8o02 to <SYSTEM32>\hgwaaeGivDdIXCiVi
- from <SYSTEM32>\AOEFGuewLilpfui to <SYSTEM32>\AGDQsZmUtPhGtXTiX
- from <SYSTEM32>\tSTCzfnYsONtYZH to <SYSTEM32>\TEdKEJUzuxrXvlluzd
- from <SYSTEM32>\AGDQsZmUtPhGtXTiX to <SYSTEM32>\tSTCzfnYsONtYZH
- from <SYSTEM32>\yBRNiGBjUuljpvVQtV to <SYSTEM32>\LkXDQPRThWOBMBi
- from <SYSTEM32>\vOtTfuATMvMwktLkz to <SYSTEM32>\WcIrQvEvuwSCnpGzl
- from <SYSTEM32>\mmc.exe.p13gZN12H to <SYSTEM32>\ZtmnzMhRdmkPSSiPfbz
- from <SYSTEM32>\zvvYtumYHbHdSHLGIxgPBolcyj to <SYSTEM32>\CRfrGXDJRFKlVYEdpJCcSJmq
- from <SYSTEM32>\vpGgCdyrpOwCxYBjUimj to <SYSTEM32>\PASovEKIbN@uIkoLwD
- from <SYSTEM32>\ZtmnzMhRdmkPSSiPfbz to <SYSTEM32>\vpGgCdyrpOwCxYBjUimj
- from <SYSTEM32>\OpSRzanehzhtusoUDMu to <SYSTEM32>\vOtTfuATMvMwktLkz
- from <SYSTEM32>\LkXDQPRThWOBMBi to <SYSTEM32>\JOKRhVrRsgqryQJqn
- from <SYSTEM32>\Firewall.cpl.6XTKAoj00 to <SYSTEM32>\hbAuPeEVeQfCCjBCJCnxeXzdh
- from <SYSTEM32>\JOKRhVrRsgqryQJqn to <SYSTEM32>\KCgdpRwlHTrrlKOw
- from <SYSTEM32>\hbAuPeEVeQfCCjBCJCnxeXzdh to <SYSTEM32>\zvvYtumYHbHdSHLGIxgPBolcyj
- from <SYSTEM32>\KCgdpRwlHTrrlKOw to <SYSTEM32>\OpSRzanehzhtusoUDMu
Moves itself:
- from <Full path to virus> to %ALLUSERSPROFILE%\WinMngr\svchost.exe
Network activity:
Connects to:
- 'so##c4us.in':80
TCP:
HTTP POST requests:
- so##c4us.in/l/page.php
UDP:
- DNS ASK so##c4us.in
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
