Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ICQLite' = 'C:\config\ICQLite.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'ntoskrnl' = 'C:\config\ntoskrnl.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ntoskrnl' = 'C:\config\ntoskrnl.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'rundll32' = 'C:\config\rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'rundll32' = 'C:\config\rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'ICQLite' = 'C:\config\ICQLite.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'taskmgr' = 'C:\config\taskmgr.exe'
- [<HKLM>\SOFTWARE\Classes\InternetShortcut\shell\open\command] '' = 'rundll32.exe url.dll,OpenURL %l'
- [<HKLM>\SOFTWARE\Classes\InternetShortcut\shell\open\command] '' = 'rundll32.exe shdocvw.dll,OpenURL %l'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] '{AEB6717E-7E19-11d0-97EE-00C04FD91972}' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'taskmgr' = 'C:\config\taskmgr.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'win32' = 'C:\config\win32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'win32' = 'C:\config\win32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'rundll' = 'C:\config\rundll.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'MSN' = 'C:\config\MSN.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'explorer' = 'C:\config\explorer.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'explorer' = 'C:\config\explorer.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'ICQ' = 'C:\config\ICQ.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ICQ' = 'C:\config\ICQ.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'MSN' = 'C:\config\MSN.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'paint' = 'C:\config\paint.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'antivir' = 'C:\config\antivir.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'antivir' = 'C:\config\antivir.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'rundll' = 'C:\config\rundll.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'paint' = 'C:\config\paint.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES] 'CS' = 'C:\config\CS.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CS' = 'C:\config\CS.exe'
Malicious functions:
Creates and executes the following:
- C:\config\rundll.exe
Executes the following:
- <SYSTEM32>\regsvr32.exe /s /i MSINET.OCX
- <SYSTEM32>\regsvr32.exe /s /i Bmp2Jpeg.dll
- <SYSTEM32>\regsvr32.exe /s /i mswinsck.ocx
- <SYSTEM32>\regsvr32.exe /s /i SHDOCVW.DLL
Searches for windows to
detect analytical utilities:
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'OLLYDBG' WindowName: ''
- ClassName: 'FilemonClass' WindowName: ''
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %TEMP%\RGI9.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ascii[2].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\newfolder[1].htm
- %TEMP%\RGIA.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ascii[1].txt
- %TEMP%\RGI6.tmp
- %TEMP%\RGI5.tmp
- %TEMP%\RGI7.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\newfolder[1].htm
- %TEMP%\RGI8.tmp
- %TEMP%\RGI11.tmp
- %TEMP%\RGI10.tmp
- %TEMP%\RGI12.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ascii[2].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ascii[1].txt
- %TEMP%\RGIC.tmp
- %TEMP%\RGIB.tmp
- %TEMP%\RGID.tmp
- %TEMP%\RGIF.tmp
- %TEMP%\RGIE.tmp
- C:\config\antivir.exe
- C:\config\CS.exe
- C:\config\rundll.exe
- C:\config\ICQLite.exe
- C:\config\rundll32.exe
- C:\config\ICQ.exe
- C:\config\MSN.exe
- C:\config\paint.exe
- C:\config\explorer.exe
- %TEMP%\RGI1.tmp
- <SYSTEM32>\mswinsck.ocx
- %TEMP%\RGI2.tmp
- %TEMP%\RGI4.tmp
- %TEMP%\RGI3.tmp
- C:\config\taskmgr.exe
- C:\config\ntoskrnl.exe
- C:\config\win32.exe
- <SYSTEM32>\MSINET.OCX
- <SYSTEM32>\Bmp2Jpeg.dll
Sets the 'hidden' attribute to the following files:
- C:\config\ICQLite.exe
- C:\config\rundll32.exe
- C:\config\rundll.exe
- C:\config\win32.exe
- C:\config\taskmgr.exe
- C:\config\ntoskrnl.exe
- C:\config\explorer.exe
- C:\config\MSN.exe
- C:\config\ICQ.exe
- C:\config\antivir.exe
- C:\config\CS.exe
- C:\config\paint.exe
Deletes the following files:
- %TEMP%\RGIE.tmp
- %TEMP%\RGIF.tmp
- %TEMP%\RGID.tmp
- %TEMP%\RGIB.tmp
- %TEMP%\RGIC.tmp
- %TEMP%\RGI10.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ascii[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ascii[2].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ascii[1].txt
- %TEMP%\RGI11.tmp
- %TEMP%\RGI12.tmp
- %TEMP%\RGI5.tmp
- %TEMP%\RGI4.tmp
- %TEMP%\RGI3.tmp
- %TEMP%\RGI1.tmp
- %TEMP%\RGI2.tmp
- %TEMP%\RGI7.tmp
- %TEMP%\RGI9.tmp
- %TEMP%\RGIA.tmp
- %TEMP%\RGI6.tmp
- %TEMP%\RGI8.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ascii[2].txt
Network activity:
Connects to:
- 'sp######wnloads.gomgo.biz':80
- 'localhost':1038
- 'localhost':1037
TCP:
HTTP GET requests:
- sp######wnloads.gomgo.biz/CRNJEUFU/ascii.txt
UDP:
- DNS ASK sp######wnloads.gomgo.biz
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: 'Windows Task-Manager'
- ClassName: '18467-41' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
