Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CardSpace Identity Management Shadow Experience' = '<SYSTEM32>\mjbwvqrjdzq.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Services Source Image Proxy Encrypting] 'ImagePath' = '<SYSTEM32>\mjbwvqrjdzq.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Services Source Image Proxy Encrypting] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Executes the following:
- '<SYSTEM32>\moakttnzw.exe' "<SYSTEM32>\mjbwvqrjdzq.exe"
- '%WINDIR%\Temp\qpsezbfag01gutuggb.exe' -r 36367 tcp
- '%TEMP%\qpsezbfaghocy7uggbez8wam.exe'
- '<SYSTEM32>\mjbwvqrjdzq.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\qgrmttjy\run
- <SYSTEM32>\qgrmttjy\rng
- %WINDIR%\Temp\qpsezbfag01gutuggb.exe
- <SYSTEM32>\qgrmttjy\cfg
- %TEMP%\qpsezbfaghocy7uggbez8wam.exe
- <SYSTEM32>\qgrmttjy\tst
- <SYSTEM32>\moakttnzw.exe
- <SYSTEM32>\mjbwvqrjdzq.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\moakttnzw.exe
- <SYSTEM32>\mjbwvqrjdzq.exe
Deletes the following files:
- %WINDIR%\Temp\qpsezbfag01gutuggb.exe
- %TEMP%\qpsezbfaghocy7uggbez8wam.exe
Network activity:
Connects to:
- 'vi###horse.net':80
- 'sp###horse.net':80
- 'wa###horse.net':80
- 'fa###ctover.net':80
- 'vi###octover.ru':80
- 'sp###enjoy.net':80
- 'vi###enjoy.net':80
- 'vi####ctover.net':80
- 'sp####ctover.net':80
- '18#.#06.120.168':80
- 'wi###bout.net':80
- '13#.#2.139.16':80
- '17#.#36.150.135':8080
- 're####needle.net':80
- 'lo####thepings.ru':80
- 'wa###world.net':80
- 'ri###nstorm.net':80
- 'er#####udesymphony.net':80
TCP:
HTTP GET requests:
- http://sp###horse.net/index.php
- http://vi###octover.ru/index.php
- http://fa###ctover.net/index.php
- http://vi###horse.net/index.php
- http://sp###enjoy.net/index.php
- http://vi###enjoy.net/index.php
- http://vi####ctover.net/index.php
- http://sp####ctover.net/index.php
- http://wa###horse.net/index.php
- http://wi###bout.net/index.php
- http://re####needle.net/index.php
- http://13#.#2.139.16/index.php
- http://18#.#06.120.168/index.php
- http://lo####thepings.ru/index.php
- http://wa###world.net/index.php
- http://ri###nstorm.net/index.php
- http://er#####udesymphony.net/index.php
UDP:
- DNS ASK mu###gives.net
- DNS ASK ya###ives.net
- DNS ASK mu###allow.net
- DNS ASK sp###taste.net
- DNS ASK sp###taste.ru
- DNS ASK we###aste.net
- DNS ASK ya###arth.net
- DNS ASK mu###taste.net
- DNS ASK ya###aste.net
- DNS ASK ya###llow.net
- DNS ASK ya###llow.ru
- DNS ASK mu###earth.net
- DNS ASK we###arth.net
- DNS ASK fr###earth.net
- DNS ASK of###taste.net
- DNS ASK fr###taste.net
- DNS ASK fr###allow.net
- DNS ASK of###earth.net
- DNS ASK of###earth.ru
- DNS ASK sp###allow.net
- DNS ASK we###llow.net
- DNS ASK sp###earth.net
- DNS ASK sp###gives.net
- DNS ASK we###ives.net
- DNS ASK we###ives.ru
- DNS ASK wr###kill.net
- DNS ASK ma###tood.net
- DNS ASK wr###stood.net
- DNS ASK ma###irst.ru
- DNS ASK wr###first.net
- DNS ASK ma###ill.net
- DNS ASK ro###irst.net
- DNS ASK de###irst.net
- DNS ASK ro###ill.net
- DNS ASK wr###stood.ru
- DNS ASK ro###uess.net
- DNS ASK de###uess.net
- DNS ASK ma###irst.net
- DNS ASK ha###llow.net
- DNS ASK hu###allow.net
- DNS ASK ha###arth.net
- DNS ASK ha###ives.net
- DNS ASK ha###ives.ru
- DNS ASK hu###gives.net
- DNS ASK hu###taste.net
- DNS ASK ma###uess.net
- DNS ASK wr###guess.net
- DNS ASK hu###earth.net
- DNS ASK hu###earth.ru
- DNS ASK ha###aste.net
- DNS ASK of###allow.net
- DNS ASK ma###llow.net
- DNS ASK wr###allow.net
- DNS ASK ma###arth.net
- DNS ASK ma###ives.net
- DNS ASK wr###gives.net
- DNS ASK wr###gives.ru
- DNS ASK wr###taste.net
- DNS ASK ro###ives.net
- DNS ASK de###ives.net
- DNS ASK wr###earth.net
- DNS ASK ma###aste.net
- DNS ASK ma###aste.ru
- DNS ASK hu###weight.net
- DNS ASK ya###eight.ru
- DNS ASK ha###erve.net
- DNS ASK hu###nerve.net
- DNS ASK ya###ook.net
- DNS ASK mu###weight.net
- DNS ASK ya###eight.net
- DNS ASK ha##took.ru
- DNS ASK hu###took.net
- DNS ASK ha###eight.net
- DNS ASK ha###ome.net
- DNS ASK hu###come.net
- DNS ASK ha###ook.net
- DNS ASK jo###aste.net
- DNS ASK se####bergives.net
- DNS ASK se####berallow.net
- DNS ASK jo###arth.net
- DNS ASK jo###arth.ru
- DNS ASK wi###aste.net
- DNS ASK of###gives.net
- DNS ASK ha###aste.ru
- DNS ASK fr###gives.net
- DNS ASK se####berallow.ru
- DNS ASK se####berearth.net
- DNS ASK se####bertaste.net
- DNS ASK wi###arth.net
- DNS ASK ro###arth.net
- DNS ASK de###arth.net
- DNS ASK ro###aste.net
- DNS ASK ro###llow.net
- DNS ASK de###llow.net
- DNS ASK de###llow.ru
- DNS ASK jo###ives.net
- DNS ASK wi###llow.net
- DNS ASK jo###llow.net
- DNS ASK de###aste.net
- DNS ASK wi###ives.net
- DNS ASK wi###ives.ru
- DNS ASK mu###took.net
- DNS ASK fa###orse.net
- DNS ASK gr####ctover.net
- DNS ASK eq###enjoy.net
- DNS ASK dr###octover.ru
- DNS ASK fa###njoy.net
- DNS ASK th###orse.net
- DNS ASK fa###orse.ru
- DNS ASK ha###tood.ru
- DNS ASK eq###world.net
- DNS ASK th###njoy.net
- DNS ASK hu###stood.net
- DNS ASK gr###enjoy.ru
- DNS ASK dr####ctover.net
- DNS ASK ha###tood.net
- DNS ASK dr###horse.net
- DNS ASK wa####ctover.net
- DNS ASK hu###first.net
- DNS ASK ha###ill.net
- DNS ASK hu###kill.net
- DNS ASK dr###enjoy.net
- DNS ASK th###ctover.net
- DNS ASK fa###orld.net
- DNS ASK th###orld.net
- DNS ASK wa###enjoy.net
- DNS ASK dr###world.net
- DNS ASK fa###ctover.net
- DNS ASK wa###horse.net
- DNS ASK wa###world.net
- DNS ASK vi###octover.ru
- DNS ASK sp###horse.net
- DNS ASK vi###horse.net
- DNS ASK re####needle.net
- DNS ASK wi###bout.net
- DNS ASK ro##kill.ru
- DNS ASK lo####thepings.ru
- DNS ASK er#####udesymphony.net
- DNS ASK ri###nstorm.net
- DNS ASK vi####ctover.net
- DNS ASK wa###enjoy.ru
- DNS ASK vi###world.net
- DNS ASK gr###enjoy.net
- DNS ASK gr###horse.net
- DNS ASK sp###world.ru
- DNS ASK eq###horse.net
- DNS ASK vi###enjoy.net
- DNS ASK sp###enjoy.net
- DNS ASK sp####ctover.net
- DNS ASK gr###world.net
- DNS ASK sp###world.net
- DNS ASK eq####ctover.net
- DNS ASK ha###irst.net
- DNS ASK se####berkill.net
- DNS ASK se####berstood.net
- DNS ASK of###guess.net
- DNS ASK se####berguess.net
- DNS ASK se####berfirst.net
- DNS ASK ha###irst.ru
- DNS ASK fr###first.net
- DNS ASK of###kill.net
- DNS ASK fr###kill.net
- DNS ASK of###guess.ru
- DNS ASK fr###guess.net
- DNS ASK of###first.net
- DNS ASK jo###tood.net
- DNS ASK wi###uess.net
- DNS ASK jo###uess.net
- DNS ASK jo###uess.ru
- DNS ASK de###ill.net
- DNS ASK ro###tood.net
- DNS ASK de###tood.net
- DNS ASK jo###ill.net
- DNS ASK wi###tood.net
- DNS ASK wi###tood.ru
- DNS ASK wi###irst.net
- DNS ASK jo###irst.net
- DNS ASK wi###ill.net
- DNS ASK ya###irst.net
- DNS ASK mu###kill.net
- DNS ASK mu###kill.ru
- DNS ASK mu###guess.net
- DNS ASK ya###uess.net
- DNS ASK mu###first.net
- DNS ASK ha###uess.net
- DNS ASK hu###guess.net
- DNS ASK hu###guess.ru
- DNS ASK ya###ill.net
- DNS ASK mu###stood.net
- DNS ASK ya###tood.net
- DNS ASK we###tood.ru
- DNS ASK sp###guess.net
- DNS ASK we###uess.net
- DNS ASK sp###first.net
- DNS ASK fr###kill.ru
- DNS ASK of###stood.net
- DNS ASK fr###stood.net
- DNS ASK we###ill.net
- DNS ASK sp###stood.net
- DNS ASK we###tood.net
- DNS ASK sp###first.ru
- DNS ASK we###irst.net
- DNS ASK sp###kill.net
- '23#.#55.255.250':1900
