Trojan.DownLoad3.22880

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Controls NetBIOS Biometric Ordering Office' = '<SYSTEM32>\nqlakshwkpj.exe'

Creates or modifies the following files:

%HOMEPATH%\Start Menu\Programs\Startup\nqlakshwkpj.exe

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\WWAN WinHTTP Session Function] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

'<SYSTEM32>\mskvptmrwhso.exe' "<SYSTEM32>\nqlakshwkpj.exe"
'%WINDIR%\Temp\fspfoo4ovfoe.exe' -r 31694 tcp
'%TEMP%\fspfoo3wskooddvjhid.exe'
'<SYSTEM32>\nqlakshwkpj.exe'

Modifies file system :

Creates the following files:

<SYSTEM32>\jtlibhutsqimca\run
<SYSTEM32>\jtlibhutsqimca\rng
<SYSTEM32>\jtlibhutsqimca\cfg
<SYSTEM32>\jtlibhutsqimca\por
%WINDIR%\Temp\fspfoo4ovfoe.exe
%TEMP%\fspfoo3wskooddvjhid.exe
<SYSTEM32>\jtlibhutsqimca\tst
<SYSTEM32>\jtlibhutsqimca\etc
<SYSTEM32>\mskvptmrwhso.exe
<SYSTEM32>\nqlakshwkpj.exe

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\mskvptmrwhso.exe
<SYSTEM32>\nqlakshwkpj.exe

Deletes the following files:

%WINDIR%\Temp\fspfoo4ovfoe.exe
%TEMP%\fspfoo3wskooddvjhid.exe
<DRIVERS>\etc\hosts

Substitutes the HOSTS file.

Network activity:

Connects to:

'lo###nce.net':80
'th###uncle.net':80
'th###study.net':80
'fe###nce.net':80
'lo###tudy.net':80
'fe###oss.net':80
'lo###oss.net':80
'th###loss.net':80
'wi###tudy.net':80
'dr###loss.net':80
'wi###oss.net':80
'dr###study.net':80
'th###once.net':80
'dr###uncle.net':80
'wi###ncle.net':80
'fe###tudy.net':80
'mo###uia.com':80
'vi###mojo.com':80
'am###stol.com':80
'mo###itio.com':80
'do####club-grup.com':80
'el#####arimagine.com':80
'ja###uter.com':80
'hi###tudy.net':80
'wh###nce.net':80
'fe###ncle.net':80
'lo###ncle.net':80
'hi###nce.net':80
'wh###tudy.net':80
'hi###oss.net':80
'wh###oss.net':80

TCP:

HTTP GET requests:

lo###nce.net/forum/search.php?me#########################################
th###uncle.net/forum/search.php?me#########################################
th###study.net/forum/search.php?me#########################################
fe###nce.net/forum/search.php?me#########################################
lo###tudy.net/forum/search.php?me#########################################
fe###oss.net/forum/search.php?me#########################################
lo###oss.net/forum/search.php?me#########################################
th###loss.net/forum/search.php?me#########################################
wi###tudy.net/forum/search.php?me#########################################
dr###loss.net/forum/search.php?me#########################################
wi###oss.net/forum/search.php?me#########################################
dr###study.net/forum/search.php?me#########################################
th###once.net/forum/search.php?me#########################################
dr###uncle.net/forum/search.php?me#########################################
wi###ncle.net/forum/search.php?me#########################################
fe###tudy.net/forum/search.php?me#########################################
mo###uia.com/forum/search.php?me#########################################
vi###mojo.com/forum/search.php?me#########################################
am###stol.com/forum/search.php?me#########################################
mo###itio.com/forum/search.php?me#########################################
do####club-grup.com/forum/search.php?me#########################################
el#####arimagine.com/forum/search.php?me#########################################
ja###uter.com/forum/search.php?me#########################################
hi###tudy.net/forum/search.php?me#########################################
wh###nce.net/forum/search.php?me#########################################
fe###ncle.net/forum/search.php?me#########################################
lo###ncle.net/forum/search.php?me#########################################
hi###nce.net/forum/search.php?me#########################################
wh###tudy.net/forum/search.php?me#########################################
hi###oss.net/forum/search.php?me#########################################
wh###oss.net/forum/search.php?me#########################################

UDP:

DNS ASK th###uncle.net
DNS ASK lo###nce.net
DNS ASK th###loss.net
DNS ASK th###study.net
DNS ASK fe###oss.net
DNS ASK lo###tudy.net
DNS ASK fe###nce.net
DNS ASK lo###oss.net
DNS ASK dr###loss.net
DNS ASK wi###tudy.net
DNS ASK dr###once.net
DNS ASK wi###oss.net
DNS ASK dr###uncle.net
DNS ASK th###once.net
DNS ASK dr###study.net
DNS ASK wi###ncle.net
DNS ASK fe###tudy.net
DNS ASK mo###uia.com
DNS ASK vi###mojo.com
DNS ASK am###stol.com
DNS ASK mo###itio.com
DNS ASK do####club-grup.com
DNS ASK el#####arimagine.com
DNS ASK ja###uter.com
DNS ASK hi###tudy.net
DNS ASK wh###nce.net
DNS ASK fe###ncle.net
DNS ASK lo###ncle.net
DNS ASK hi###nce.net
DNS ASK wh###tudy.net
DNS ASK hi###oss.net
DNS ASK wh###oss.net
'23#.#55.255.250':1900

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial