Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\uuy.exe" -a "%ProgramFiles%\Internet Explorer\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '529369239' = '<LS_APPDATA>\uuy.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
blocks the following features:
- Windows Security Center
Executes the following:
- '<LS_APPDATA>\uuy.exe' -gav <Full path to file>
Terminates or attempts to terminate
the following user processes:
- safari.exe
- opera.exe
- chrome.exe
- iexplore.exe
- firefox.exe
Modifies file system:
Creates the following files:
- <LS_APPDATA>\q4876628a0k5171q0n2n84o
- %TEMP%\omf8.tmp
- %TEMP%\omf7.tmp
- %HOMEPATH%\Templates\q4876628a0k5171q0n2n84o
- %TEMP%\q4876628a0k5171q0n2n84o
- %ALLUSERSPROFILE%\Application Data\q4876628a0k5171q0n2n84o
- %TEMP%\omf6.tmp
- %TEMP%\omf3.tmp
- %TEMP%\omf2.tmp
- %TEMP%\omf1.tmp
- %TEMP%\omf5.tmp
- <LS_APPDATA>\uuy.exe
- %TEMP%\omf4.tmp
Deletes the following files:
- %TEMP%\omf6.tmp
- %TEMP%\omf5.tmp
- %TEMP%\omf8.tmp
- %TEMP%\omf7.tmp
- %TEMP%\omf2.tmp
- %TEMP%\omf1.tmp
- %TEMP%\omf4.tmp
- %TEMP%\omf3.tmp
Deletes itself.
Network activity:
Connects to:
- 'hy###ucugi.com':80
- 'qa###alomo.com':80
- 'va###uzozuq.com':80
- 'wa###opani.com':80
- 'na####hohuly.com':80
- 'co###irebu.com':80
- 'zo####kimewut.com':80
- 'xa###iwehiw.com':80
- 'wu###osux.com':80
- 'dy####gymasasu.com':80
- 'xe####wunikyle.com':80
- 'di####jubeka.com':80
UDP:
- DNS ASK le####bunosu.com
- DNS ASK ny####wafyfa.com
- DNS ASK pe###ukos.com
- DNS ASK xy###yquk.com
- DNS ASK pu####pageta.com
- DNS ASK ne###ezyjih.com
- DNS ASK za####dixahok.com
- DNS ASK cy####jyvidiwi.com
- DNS ASK ro####zanasi.com
- DNS ASK so###urepu.com
- DNS ASK vo####dacyfyki.com
- DNS ASK wu###omovom.com
- DNS ASK xe####kawuhady.com
- DNS ASK microsoft.com
- DNS ASK zy####movyxy.com
- DNS ASK mu###ahyxar.com
- DNS ASK zo###ymiz.com
- DNS ASK ly####wotucoh.com
- DNS ASK va###uzozuq.com
- DNS ASK dy####gymasasu.com
- DNS ASK hy###ucugi.com
- DNS ASK qa###alomo.com
- DNS ASK xe####wunikyle.com
- DNS ASK xa###iwehiw.com
- DNS ASK wu###osux.com
- DNS ASK di####jubeka.com
- DNS ASK zo####kimewut.com
- DNS ASK ma####noralibu.com
- DNS ASK hi###umala.com
- DNS ASK to###uwace.com
- DNS ASK lo####hosywaw.com
- DNS ASK pi####caciqil.com
- DNS ASK na####hohuly.com
- DNS ASK co###irebu.com
- DNS ASK ku###idewar.com
- DNS ASK wa###opani.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'msascui_class' WindowName: ''
