Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'
Malicious functions:
Executes the following:
- '%TEMP%\Symo Player\symo.exe'
- '%TEMP%\IXP000.TMP\SYMOPL~1.EXE'
Searches for registry branches where third party applications store passwords:
- [<HKLM>\SOFTWARE\Nullsoft\Winamp]
Modifies file system:
Creates the following files:
- %TEMP%\WASE5E6.tmp\balance.bmp
- %TEMP%\Symo Player\tataki.dll
- %TEMP%\Symo Player\Plugins\tataki.dll
- %TEMP%\WASE5E6.tmp\cbuttons.bmp
- %TEMP%\WASE5E6.tmp\gen.bmp
- %TEMP%\WASE5E6.tmp\eqmain.bmp
- %TEMP%\WASE5E6.tmp\eq_ex.bmp
- %TEMP%\Symo Player\Plugins\read_file.dll
- %TEMP%\Symo Player\libsndfile.dll
- %TEMP%\Symo Player\libFLAC.dll
- %TEMP%\Symo Player\Plugins\in_wm.dll
- %TEMP%\Symo Player\nde.dll
- %TEMP%\Symo Player\Plugins\out_ds.dll
- %TEMP%\Symo Player\Plugins\nscrt.dll
- %TEMP%\Symo Player\nscrt.dll
- %TEMP%\WASE5E6.tmp\genex.bmp
- %TEMP%\WASE5E6.tmp\text.bmp
- %TEMP%\WASE5E6.tmp\shufrep.bmp
- %TEMP%\WASE5E6.tmp\README.txt
- %TEMP%\WASE5E6.tmp\titlebar.bmp
- %TEMP%\WASE5E6.tmp\volume.bmp
- %TEMP%\WASE5E6.tmp\VISCOLOR.txt
- %TEMP%\WASE5E6.tmp\video.bmp
- %TEMP%\WASE5E6.tmp\posbar.bmp
- %TEMP%\WASE5E6.tmp\monoster.bmp
- %TEMP%\WASE5E6.tmp\mb.bmp
- %TEMP%\WASE5E6.tmp\main.bmp
- %TEMP%\WASE5E6.tmp\nums_ex.bmp
- %TEMP%\WASE5E6.tmp\PLEDIT.txt
- %TEMP%\WASE5E6.tmp\pledit.bmp
- %TEMP%\WASE5E6.tmp\playpaus.bmp
- %TEMP%\Symo Player\Plugins\in_wave.dll
- %TEMP%\Symo Player\Winamp.q1
- %TEMP%\Symo Player\ini\Winamp.q1
- %TEMP%\Symo Player\Winamp.pic
- %TEMP%\Symo Player\System\aacPlusDecoder.w5s
- %TEMP%\Symo Player\System\jnetlib.w5s
- %TEMP%\Symo Player\System\filereader.w5s
- %TEMP%\Symo Player\System\dlmgr.w5s
- %TEMP%\Symo Player\ini\Winamp.pic
- %TEMP%\Symo Player\Winamp.ini
- %TEMP%\Symo Player\ini\Winamp.ini
- %TEMP%\IXP000.TMP\SYMOPL~1.EXE
- %TEMP%\Symo Player\ini\Winamp.m3u
- %TEMP%\Symo Player\Winamp.m3u8
- %TEMP%\Symo Player\ini\Winamp.m3u8
- %TEMP%\Symo Player\Winamp.m3u
- %TEMP%\Symo Player\System\playlist.w5s
- %TEMP%\Symo Player\Plugins\in_midi.dll
- %TEMP%\Symo Player\Plugins\in_linein.dll
- %TEMP%\Symo Player\Plugins\in_flac.dll
- %TEMP%\Symo Player\Plugins\in_mod.dll
- %TEMP%\Symo Player\Plugins\in_vorbis.dll
- %TEMP%\Symo Player\Plugins\in_nsv.dll
- %TEMP%\Symo Player\Plugins\in_mp3.dll
- %TEMP%\Symo Player\Plugins\in_cdda.dll
- %TEMP%\Symo Player\Plugins\freeform\wacs\freetype\freetype.wac
- %TEMP%\Symo Player\System\xml.w5s
- %TEMP%\Symo Player\System\tagz.w5s
- %TEMP%\Symo Player\Skins\black.wsz
- %TEMP%\Symo Player\symo.exe
- %TEMP%\Symo Player\studio.xnf
- %TEMP%\Symo Player\ini\studio.xnf
Sets the 'hidden' attribute to the following files:
- %TEMP%\Symo Player\Plugins\in_mp3.dll
- %TEMP%\Symo Player\Plugins\in_mod.dll
- %TEMP%\Symo Player\Plugins\in_nsv.dll
- %TEMP%\Symo Player\Plugins\in_wave.dll
- %TEMP%\Symo Player\Plugins\in_vorbis.dll
- %TEMP%\Symo Player\Plugins\in_cdda.dll
- %TEMP%\Symo Player\studio.xnf
- %TEMP%\Symo Player\Plugins\in_flac.dll
- %TEMP%\Symo Player\Plugins\in_midi.dll
- %TEMP%\Symo Player\Plugins\in_linein.dll
- %TEMP%\Symo Player\Plugins\out_ds.dll
- %TEMP%\Symo Player\Plugins\nscrt.dll
- %TEMP%\Symo Player\Plugins\read_file.dll
- %TEMP%\Symo Player\tataki.dll
- %TEMP%\Symo Player\Plugins\tataki.dll
- %TEMP%\Symo Player\libFLAC.dll
- %TEMP%\Symo Player\Plugins\in_wm.dll
- %TEMP%\Symo Player\libsndfile.dll
- %TEMP%\Symo Player\nscrt.dll
- %TEMP%\Symo Player\nde.dll
- %TEMP%\Symo Player\ini\Winamp.pic
- %TEMP%\Symo Player\Winamp.m3u8
- %TEMP%\Symo Player\Winamp.pic
- %TEMP%\Symo Player\Winamp.q1
- %TEMP%\Symo Player\ini\Winamp.q1
- %TEMP%\Symo Player\Winamp.ini
- %TEMP%\Symo Player\ini\Winamp.ini
- %TEMP%\Symo Player\ini\Winamp.m3u
- %TEMP%\Symo Player\ini\Winamp.m3u8
- %TEMP%\Symo Player\Winamp.m3u
- %TEMP%\Symo Player\System\xml.w5s
- %TEMP%\Symo Player\System\tagz.w5s
- %TEMP%\Symo Player\Plugins\freeform\wacs\freetype\freetype.wac
- %TEMP%\Symo Player\ini\studio.xnf
- %TEMP%\Symo Player\Skins\black.wsz
- %TEMP%\Symo Player\System\dlmgr.w5s
- %TEMP%\Symo Player\System\aacPlusDecoder.w5s
- %TEMP%\Symo Player\System\filereader.w5s
- %TEMP%\Symo Player\System\playlist.w5s
- %TEMP%\Symo Player\System\jnetlib.w5s
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
