Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /p'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /e'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /t'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /w'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /c'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /s'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /K'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /U'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /F'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /r'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /V'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /G'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /D'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /I'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /M'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /o'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /Z'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\1386695136] 'Name' = '%TEMP%\2.tmp'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /Y'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /a'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /X'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /q'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /L'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /j'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /n'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /h'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coaot' = '%HOMEPATH%\coaot.exe /B'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\71ad0a78] 'imagepath' = '%WINDIR%\TEMP\3.tmp'
Creates the following files on removable media:
- <Drive name for removable media>:\Documents.lnk
- <Drive name for removable media>:\Passwords.lnk
- <Drive name for removable media>:\Pictures.lnk
- <Drive name for removable media>:\Video.lnk
- <Drive name for removable media>:\Music.lnk
- <Drive name for removable media>:\kGW.ico
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\coaot.exe
- <Drive name for removable media>:\New Folder.lnk
- <Drive name for removable media>:\coaotx.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Executes the following:
- '<SYSTEM32>\tasklist.exe'
- '<SYSTEM32>\cmd.exe' /c tasklist&&del yoc.exe
- '<SYSTEM32>\cmd.exe' /c tasklist&&del XwhBJDqO13692LM8.exe
- '%HOMEPATH%\coaot.exe'
- '<SYSTEM32>\cmd.exe' /c del <Virus name>.exe
- '%HOMEPATH%\XwhBJDqO13692LM8.exe'
- '%HOMEPATH%\bcstat.exe'
- '%HOMEPATH%\yoc.exe'
- '%HOMEPATH%\yob.exe'
Injects code into
the following system processes:
- <SYSTEM32>\tasklist.exe
- <SYSTEM32>\spoolsv.exe
Modifies file system:
Creates the following files:
- %TEMP%\1.tmp
- %HOMEPATH%\bcstat.dll
- %HOMEPATH%\coaot.exe
- %WINDIR%\Temp\3.tmp
- %HOMEPATH%\XwhBJDqO13692LM8.exe
- %HOMEPATH%\bcstat.exe
- %HOMEPATH%\yoc.exe
- %HOMEPATH%\yob.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\coaot.exe
- <Drive name for removable media>:\coaotx.exe
- <Drive name for removable media>:\kGW.ico
- %HOMEPATH%\coaot.exe
- <Drive name for removable media>:\autorun.inf
Deletes the following files:
- %TEMP%\2.tmp
Moves the following files:
- from %HOMEPATH%\yob.exe to %TEMP%\4.tmp
- from %TEMP%\1.tmp to %TEMP%\2.tmp
Deletes itself.
Network activity:
Connects to:
- 'vi###mx.co.be':80
TCP:
HTTP GET requests:
- http://vi###mx.co.be/hit.php
UDP:
- DNS ASK vi###mx.co.be
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
