Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run] '{bac04afb-ff37-195d-d8df-8ac25f454953}' = 'C:\Documents and Settings\LocalService\{bac04afb-ff37-195d-d8df-8ac25f454953}...
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run] '{bac04afb-ff37-195d-d8df-8ac25f454953}' = 'C:\Documents and Settings\NetworkService\{bac04afb-ff37-195d-d8df-8ac25f45495...
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '{bac04afb-ff37-195d-d8df-8ac25f454953}' = '%WINDIR%\{bac04afb-ff37-195d-d8df-8ac25f454953}\{bac04afb-ff37-195d-d8df-8ac25f454953}.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\{bac04afb-ff37-195d-d8df-8ac25f454953}] 'ImagePath' = '%WINDIR%\{bac04afb-ff37-195d-d8df-8ac25f454953}\{bac04afb-ff37-195d-d8df-8ac25f454953}.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\{bac04afb-ff37-195d-d8df-8ac25f454953}] 'Start' = '00000002'
Malicious functions:
Injects code into
the following system processes:
- <SYSTEM32>\cscript.exe
a large number of user processes.
Modifies file system:
Creates the following files:
- C:\Documents and Settings\LocalService\{bac04afb-ff37-195d-d8df-8ac25f454953}\{bac04afb-ff37-195d-d8df-8ac25f454953}.exe
- %TEMP%\c3b65bc74c436efdcbf57e995a80457f2f1d37d2.pkg
- %WINDIR%\{bac04afb-ff37-195d-d8df-8ac25f454953}\{bac04afb-ff37-195d-d8df-8ac25f454953}.exe
- C:\Documents and Settings\NetworkService\{bac04afb-ff37-195d-d8df-8ac25f454953}\{bac04afb-ff37-195d-d8df-8ac25f454953}.exe
Network activity:
Connects to:
- 'in######uspromotions.com.au':80
- 'in###tyle.pl':80
- 'we####ehrmann.ch':80
- 'ek##ode.ch':80
- 'pa####plastics.com':80
TCP:
HTTP GET requests:
- http://in######uspromotions.com.au/wp-content/themes/salient/img/c3b65bc74c436efdcbf57e995a80457f2f1d37d2.gif
- http://in###tyle.pl/wp-content/themes/szablon/images/c3b65bc74c436efdcbf57e995a80457f2f1d37d2.gif
- http://we####ehrmann.ch/wp-admin/images/c3b65bc74c436efdcbf57e995a80457f2f1d37d2.gif
- http://ek##ode.ch/img/icons/c3b65bc74c436efdcbf57e995a80457f2f1d37d2.gif
- http://pa####plastics.com/img/icons/c3b65bc74c436efdcbf57e995a80457f2f1d37d2.gif
UDP:
- DNS ASK in######uspromotions.com.au
- DNS ASK in###tyle.pl
- DNS ASK we####ehrmann.ch
- DNS ASK ek##ode.ch
- DNS ASK pa####plastics.com
