Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Crypted' = 'wscript.exe //B "%TEMP%\Crypted.vbs"'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Crypted' = 'wscript.exe //B "%TEMP%\Crypted.vbs"'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\Crypted.vbs
Creates the following files on removable media:
- <Drive name for removable media>:\Crypted.vbs
Modifies file system:
Creates the following files:
- %TEMP%\nsp2.tmp
- %APPDATA%\Crypted.vbs
- %APPDATA%\openvpn-client.msi
- %TEMP%\29030.msi
- %TEMP%\Cab3.tmp
- %TEMP%\Crypted.vbs
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\Crypted.vbs
Deletes the following files:
- %TEMP%\Cab3.tmp
Network activity:
Connects to:
- 'wp#d':80
- 'download.windowsupdate.com':80
- 'crl.verisign.com':80
- 'csc3-2009-2-crl.verisign.com':80
- 'localhost':1043
- 'ah#####ar123.ddns.net':1178
TCP:
HTTP GET requests:
- http://11#.#11.111.1/wpad.dat via wp#d
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt via download.windowsupdate.com
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab via download.windowsupdate.com
- http://crl.verisign.com/pca3.crl
- http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl
UDP:
- DNS ASK wp#d
- DNS ASK www.download.windowsupdate.com
- DNS ASK crl.verisign.com
- DNS ASK csc3-2009-2-crl.verisign.com
- DNS ASK ah#####ar123.ddns.net
Miscellaneous:
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' "%APPDATA%\Crypted.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\Crypted.vbs"
Executes the following:
- '<SYSTEM32>\msiexec.exe' /i "%APPDATA%\openvpn-client.msi"
- '<SYSTEM32>\msiexec.exe' /V
