Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Proxy Secondary Upgrade SPP Initiator' = '<SYSTEM32>\aqvxvut.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Process Receiver Computer Bluetooth] 'ImagePath' = '<SYSTEM32>\aqvxvut.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Process Receiver Computer Bluetooth] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Executes the following:
- '<SYSTEM32>\ngqwamm.exe' "<SYSTEM32>\aqvxvut.exe"
- '%WINDIR%\Temp\fploheobupul38uknzc.exe' -r 21845 tcp
- '%TEMP%\fploheob8bw3fuknzcwxyqiyye.exe'
- '<SYSTEM32>\aqvxvut.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\gwtmlbjeuibnhr\run
- <SYSTEM32>\gwtmlbjeuibnhr\rng
- %WINDIR%\Temp\fploheobupul38uknzc.exe
- <SYSTEM32>\gwtmlbjeuibnhr\cfg
- %TEMP%\fploheob8bw3fuknzcwxyqiyye.exe
- <SYSTEM32>\gwtmlbjeuibnhr\tst
- <SYSTEM32>\ngqwamm.exe
- <SYSTEM32>\aqvxvut.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\ngqwamm.exe
- <SYSTEM32>\aqvxvut.exe
Deletes the following files:
- %WINDIR%\Temp\fploheobupul38uknzc.exe
- %TEMP%\fploheob8bw3fuknzcwxyqiyye.exe
Network activity:
Connects to:
- 'ri###arry.net':80
- 'no###arry.net':80
- 'ri###ide.net':80
- 'fa###ride.net':80
- 'ta###them.ru':80
- 'li###asy.net':80
- 'fa###marry.ru':80
- 'fe###est.net':80
- 'ri###mall.net':80
- 'ri###nstorm.net':80
- 'lo####thepings.ru':80
- '18#.#17.73.77':80
- '18#.#06.120.168':80
- 'fa###small.net':80
- 'ri###mall.ru':80
- 'fa###ought.net':80
- 'ri###ught.net':80
TCP:
HTTP GET requests:
- http://ri###arry.net/index.php
- http://no###arry.net/index.php
- http://ri###ide.net/index.php
- http://fa###ride.net/index.php
- http://ta###them.ru/index.php
- http://li###asy.net/index.php
- http://fa###marry.ru/index.php
- http://fe###est.net/index.php
- http://ri###mall.net/index.php
- http://ri###nstorm.net/index.php
- http://lo####thepings.ru/index.php
- http://18#.#17.73.77/index.php
- http://18#.#06.120.168/index.php
- http://fa###small.net/index.php
- http://ri###mall.ru/index.php
- http://fa###ought.net/index.php
- http://ri###ught.net/index.php
UDP:
- DNS ASK so###road.net
- DNS ASK fa###gone.net
- DNS ASK ri###one.net
- DNS ASK so###mail.net
- DNS ASK fi###road.net
- DNS ASK fi###road.ru
- DNS ASK fa###light.net
- DNS ASK ri###ool.net
- DNS ASK fa###goes.net
- DNS ASK ri###oes.net
- DNS ASK ri###ight.net
- DNS ASK ri###ight.ru
- DNS ASK fa###fool.net
- DNS ASK li##mail.ru
- DNS ASK th###mail.net
- DNS ASK li###oad.net
- DNS ASK th###wore.net
- DNS ASK li###ail.net
- DNS ASK li###ore.net
- DNS ASK th###road.net
- DNS ASK fi###wore.net
- DNS ASK so###wore.net
- DNS ASK fi###mail.net
- DNS ASK fi###where.net
- DNS ASK so###where.net
- DNS ASK so###where.ru
- DNS ASK no##gone.ru
- DNS ASK le###one.net
- DNS ASK ta###gone.net
- DNS ASK ta###gone.ru
- DNS ASK po###fool.net
- DNS ASK ca###oes.net
- DNS ASK po###goes.net
- DNS ASK le###ight.net
- DNS ASK le###oes.net
- DNS ASK le##goes.ru
- DNS ASK ta###goes.net
- DNS ASK ta###light.net
- DNS ASK le###ool.net
- DNS ASK ta###fool.net
- DNS ASK no###ool.net
- DNS ASK no###ight.net
- DNS ASK no###oes.net
- DNS ASK we##fool.ru
- DNS ASK no###one.net
- DNS ASK li###ight.ru
- DNS ASK no##goes.ru
- DNS ASK po###light.net
- DNS ASK ca###ool.net
- DNS ASK ca##fool.ru
- DNS ASK ca###one.net
- DNS ASK po###gone.net
- DNS ASK ca###ight.net
- DNS ASK no###ore.net
- DNS ASK no###here.net
- DNS ASK no###here.ru
- DNS ASK ri###oad.net
- DNS ASK ri##road.ru
- DNS ASK no##mail.ru
- DNS ASK no###ail.net
- DNS ASK po###where.net
- DNS ASK ca###ore.net
- DNS ASK po###wore.net
- DNS ASK li##road.ru
- DNS ASK ca###here.net
- DNS ASK no###oad.net
- DNS ASK fi###lift.net
- DNS ASK so###lift.net
- DNS ASK fa###where.net
- DNS ASK fi###green.net
- DNS ASK so###green.net
- DNS ASK so###green.ru
- DNS ASK ri###here.net
- DNS ASK fa###mail.net
- DNS ASK ri###ail.net
- DNS ASK fa###road.net
- DNS ASK fa###wore.net
- DNS ASK fa###wore.ru
- DNS ASK ri###ore.net
- DNS ASK po###wore.ru
- DNS ASK fe###here.net
- DNS ASK we##wore.ru
- DNS ASK fe###ore.net
- DNS ASK ta###road.net
- DNS ASK we###here.net
- DNS ASK we###ore.net
- DNS ASK we###ail.net
- DNS ASK fe##road.ru
- DNS ASK li###here.net
- DNS ASK th###where.net
- DNS ASK fe###ail.net
- DNS ASK we###oad.net
- DNS ASK fe###oad.net
- DNS ASK po###road.net
- DNS ASK le###here.net
- DNS ASK le###here.ru
- DNS ASK ca###ail.net
- DNS ASK po###mail.net
- DNS ASK ca###oad.net
- DNS ASK ta###where.net
- DNS ASK ta###mail.net
- DNS ASK ta###mail.ru
- DNS ASK le###oad.net
- DNS ASK le###ore.net
- DNS ASK ta###wore.net
- DNS ASK le###ail.net
- DNS ASK so###sound.net
- DNS ASK we###hem.net
- DNS ASK li###hem.net
- DNS ASK we##best.ru
- DNS ASK th###best.net
- DNS ASK fi###them.net
- DNS ASK so###easy.net
- DNS ASK fa###marry.net
- DNS ASK fi###easy.net
- DNS ASK th###them.net
- DNS ASK li##them.ru
- DNS ASK fe#####siderable.net
- DNS ASK li###est.net
- DNS ASK th#####nsiderable.net
- DNS ASK le#####siderable.net
- DNS ASK le####nsiderable.ru
- DNS ASK ta#####nsiderable.net
- DNS ASK po###them.net
- DNS ASK le###asy.net
- DNS ASK ta###easy.net
- DNS ASK le###est.net
- DNS ASK so###best.net
- DNS ASK so###them.net
- DNS ASK fi###best.net
- DNS ASK ta###best.net
- DNS ASK le###hem.net
- DNS ASK ta###them.net
- DNS ASK th###easy.ru
- DNS ASK ri###ide.net
- DNS ASK fa###ride.net
- DNS ASK ri###mall.net
- DNS ASK fa###marry.ru
- DNS ASK no###arry.net
- DNS ASK ri###arry.net
- DNS ASK ri###mall.ru
- DNS ASK lo####thepings.ru
- DNS ASK ri###nstorm.net
- DNS ASK we###one.net
- DNS ASK fa###small.net
- DNS ASK ri###ught.net
- DNS ASK fa###ought.net
- DNS ASK we#####siderable.net
- DNS ASK li#####siderable.net
- DNS ASK fe###hem.net
- DNS ASK so#####nsiderable.net
- DNS ASK we###asy.net
- DNS ASK we###est.net
- DNS ASK fe###asy.net
- DNS ASK li###asy.net
- DNS ASK ta###them.ru
- DNS ASK fe###est.net
- DNS ASK so#####nsiderable.ru
- DNS ASK th###easy.net
- DNS ASK fi#####nsiderable.net
- DNS ASK th###fool.net
- DNS ASK li###oes.net
- DNS ASK fi###gone.net
- DNS ASK li###ool.net
- DNS ASK th###goes.net
- DNS ASK th###fool.ru
- DNS ASK so###gone.net
- DNS ASK fi###fool.net
- DNS ASK so###fool.net
- DNS ASK fi###goes.net
- DNS ASK fi###light.net
- DNS ASK fi###light.ru
- DNS ASK so###light.net
- DNS ASK fe###ight.ru
- DNS ASK we###ool.net
- DNS ASK fe###ool.net
- DNS ASK fe###one.net
- DNS ASK we###ight.net
- DNS ASK fe###ight.net
- DNS ASK we###oes.net
- DNS ASK th###gone.net
- DNS ASK li###ight.net
- DNS ASK th###light.net
- DNS ASK fe###oes.net
- DNS ASK li###one.net
- DNS ASK li##gone.ru
- DNS ASK so###goes.net
- DNS ASK no###hem.net
- DNS ASK ca###asy.net
- DNS ASK ca##easy.ru
- DNS ASK no#####siderable.net
- DNS ASK no####nsiderable.ru
- DNS ASK no###est.net
- DNS ASK po###easy.net
- DNS ASK po###best.net
- DNS ASK po###best.ru
- DNS ASK ca###hem.net
- DNS ASK ca#####siderable.net
- DNS ASK po#####nsiderable.net
- DNS ASK ca###est.net
- DNS ASK fa#####nsiderable.net
- DNS ASK ri#####siderable.net
- DNS ASK fa###best.net
- DNS ASK so###goes.ru
- DNS ASK fa###easy.net
- DNS ASK ri###asy.net
- DNS ASK fa###best.ru
- DNS ASK we##easy.ru
- DNS ASK no##them.ru
- DNS ASK no###asy.net
- DNS ASK ri###est.net
- DNS ASK fa###them.net
- DNS ASK ri###hem.net
- '23#.#55.255.250':1900
