Technical Information
Malicious functions:
Creates and executes the following:
- %TEMP%\Setup.exe
- %TEMP%\is-UGJ3S.tmp\Setup.tmp /SL5="$60036,910814,51712,%TEMP%\Setup.exe"
- %TEMP%\go32.exe
- %TEMP%\AHSetup.exe
- %TEMP%\data.exe
Executes the following:
- <SYSTEM32>\cmd.exe /c ""%TEMP%\DelTemp.bat" "
- <SYSTEM32>\regsvr32.exe /s %PROGRAM_FILES%\Youdao\Toolbar\ydtbv2.3\YodaoToolbar.dll
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\sobarrecv[1].htm
- %PROGRAM_FILES%\baidu\bar\log.dat
- %PROGRAM_FILES%\baidu\bar\baidubartmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\objlist[1].dat
- %TEMP%\bar49F1.tmp
- %TEMP%\Obj_199921.ini
- %TEMP%\temp_199921
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\А¬»шЗеАн.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\№гёжА№ЅШ.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\°пЦъЦёДП.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\ПµНіјУЛЩ.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\ЧФ¶ЁТе°ґЕҐ.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\ТюЛЅ±Ј»¤.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\РЮёґ№¦ДЬ.url
- %WINDIR%\Help\ADODC98.CHM
- %WINDIR%\ime\SPTIPIME.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\loadmovie[1].swf
- %TEMP%\bar49FE.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\i3322[1]
- %WINDIR%\Help\CMCTL29832.CHM
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\notice[1].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\control[1].txt
- %TEMP%\bar49F2.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ipinfo[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\i3322[1]
- %PROGRAM_FILES%\baidu\bar\loadmovie.swf
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\baidubar_versionex[1].txt
- %PROGRAM_FILES%\baidu\bar\baidubar_versionex.txt
- %HOMEPATH%\Start Menu\Жф¶Ї Internet Explorer дЇААЖч.url
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Жф¶Ї Internet Explorer дЇААЖч.url
- %HOMEPATH%\Desktop\Internet Explorer.url
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\img\imglist.bmp
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\baidubar.dat
- %HOMEPATH%\Desktop\№єОпЙМіЗ.url
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\img\logo.bmp
- %TEMP%\data.exe
- %TEMP%\AHSetup.exe
- %TEMP%\nsc2.tmp\System.dll
- %WINDIR%\ime\SPTIPIMERS.ini
- %TEMP%\Setup.exe
- %HOMEPATH%\Favorites\ѕ«Ж·НшЦ·µјєЅ.url
- %TEMP%\go32.exe
- %PROGRAM_FILES%\baidu\bar\img\imglist.bmp
- %PROGRAM_FILES%\baidu\bar\img\logo.bmp
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\baidubartmp
- %PROGRAM_FILES%\baidu\bar\baidubar.dat
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\°йВВµјєЅ.url
- %ALLUSERSPROFILE%\Start Menu\Programs\°Щ¶И№¤ѕЯАё\ЖБ±ОБР±н.url
- %TEMP%\DelTemp.bat
- %PROGRAM_FILES%\Youdao\Toolbar\ydtbv2.3\YodaoToolbar.dll
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\№єОпЙМіЗ.url
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\BaiduBar.dll
- %PROGRAM_FILES%\baidu\bar\BaiduBar.dll
- %TEMP%\is-BFH7O.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-BFH7O.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-UGJ3S.tmp\Setup.tmp
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\control[1].txt
- %TEMP%\bar49F2.tmp
- %TEMP%\Obj_199921.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ipinfo[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\baidubar_versionex[1].txt
- %TEMP%\bar49FE.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\i3322[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\loadmovie[1].swf
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\notice[1].html
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\img\logo.bmp
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\img\imglist.bmp
- %TEMP%\nsc2.tmp\System.dll
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\BaiduBar.dll
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\baidubar.dat
- %TEMP%\AHSetup.exe
- %TEMP%\temp_199921
- %PROGRAM_FILES%\baidu\bar\BDBar_tmp\baidubartmp
- %PROGRAM_FILES%\baidu\bar\baidubartmp
Network activity:
Connects to:
- 'www.i3##2.cn':80
- 'so###.baidu.com':80
- 'localhost':1057
- 'www.co###how8.com':80
- 'ba#.#aidu.com':80
- 'do##.gv168.com':80
- 'so####op.baidu.com':80
- 'localhost':1041
TCP:
HTTP GET requests:
- www.i3##2.cn/
- ba#.#aidu.com/update/barcab/control.txt?tn#####################################################################################
- ba#.#aidu.com/update/barcab/ipinfo.txt?tn########################################################################
- www.co###how8.com/mscps.pdf
- www.co###how8.com/img09.pdf
- ba#.#aidu.com/update/barcab/baidubar_versionex.txt?tn#########################################################################################################################################################################
- ba#.#aidu.com/update/barcab/objlist.dat?t=######
- ba#.#aidu.com/update/barcab/rp?t=##########
- ba#.#aidu.com/update/cab/loadmovie.swf
- do##.gv168.com/2.txt
- so###.baidu.com/sobar/notice/notice_baiducb.txt?tn#########################
- so####op.baidu.com/sobar/sobar_top_total.html?t=##############################################################
- ba#.#aidu.com/sobar/notice.html?tn########################################################################
HTTP POST requests:
- ba#.#aidu.com/cgi-bin/sobarrecv.cgi
UDP:
- DNS ASK so###.baidu.com
- DNS ASK www.i3##2.cn
- DNS ASK www.co###how8.com
- DNS ASK do##.gv168.com
- DNS ASK ba#.#aidu.com
- DNS ASK so####op.baidu.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
