Technical Information
Malicious functions:
Injects code into
the following system processes:
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
- %WINDIR%\taCjUSY.dll
- %WINDIR%\VsRRiW\b62ef49.exe
- %WINDIR%\YQOuTtjG.dll
- %WINDIR%\MYITeS\gGrhNsa.dll
- %ProgramFiles%\YUswHtI\LlbEGXg.dll
- %ProgramFiles%\YUswHtI\ItvvYgy.dll
- %WINDIR%\MYITeS\rKOYCcNb.dll
- %WINDIR%\MYITeS\xvWJPFj.tmp
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\8PWPYZ2L\desktop.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\WLAVC1E3\desktop.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\UPAE8LT9\desktop.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\RPJ0YE6G\desktop.ini
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\8PWPYZ2L\desktop.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\WLAVC1E3\desktop.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\UPAE8LT9\desktop.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\RPJ0YE6G\desktop.ini
Deletes the following files:
- %WINDIR%\taCjUSY.dll
- %WINDIR%\YQOuTtjG.dll
- %WINDIR%\MYITeS\gGrhNsa.dll
- %ProgramFiles%\YUswHtI\LlbEGXg.dll
- %WINDIR%\MYITeS\xvWJPFj.tmp
- %WINDIR%\VsRRiW\b62ef49.exe
- %WINDIR%\MYITeS\rKOYCcNb.dll
Moves the following files:
- from %WINDIR%\VsRRiW\b62ef49.exe to %WINDIR%\VsRRiW\3406b62ef49.exe
- from %WINDIR%\MYITeS\rKOYCcNb.dll to %WINDIR%\MYITeS\3406rKOYCcNb.dll
Substitutes the following files:
- %WINDIR%\MYITeS\gGrhNsa.dll
- %WINDIR%\VsRRiW\b62ef49.exe
- %HOMEPATH%\Local Settings\<INETFILES>\desktop.ini
Network activity:
Connects to:
- 'cf.##media.com':80
- 'cf.##7wan.com':80
- 'cf.##9wan.com':80
- 'r.###gyou.com':80
- 'us###.qzone.qq.com':80
- 'gc.#b51.com':80
- 'ba#####l.58media.com':80
- '36####.58media.com':80
- 'ud#.#xwan.com':80
- 'ai####l.58media.com':80
- 'ip##8.com':80
- 'ip.cn':80
- 'ip.##sexit.com':80
TCP:
HTTP GET requests:
- http://cf.##media.com/cf/gz?id######
- http://cf.##7wan.com/cf/gz?id######
- http://cf.##9wan.com/cf/gz?id######
- http://r.###gyou.com/fcg-bin/cgi_get_portrait.fcg?ui############
- http://us###.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?ui############
- http://gc.#b51.com/cf/gz?id######
- http://ud#.#xwan.com/index/getcfg?id######
- http://www.ip##8.com/ via ip##8.com
- http://www.ip.cn/ via ip.cn
- http://ip.##sexit.com/
UDP:
- DNS ASK cf.##media.com
- DNS ASK cf.##7wan.com
- DNS ASK cf.##9wan.com
- DNS ASK r.###gyou.com
- DNS ASK us###.qzone.qq.com
- DNS ASK gc.#b51.com
- DNS ASK ba#####l.58media.com
- DNS ASK 36####.58media.com
- DNS ASK ud#.#xwan.com
- DNS ASK ai####l.58media.com
- DNS ASK www.ip##8.com
- DNS ASK www.ip.cn
- DNS ASK ip.##sexit.com
- '25#.#55.255.255':6880
Miscellaneous:
Searches for the following windows:
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: 'FolderView'
- ClassName: 'TApplication' WindowName: 'eyoorun'
- ClassName: 'ReBarWindow32' WindowName: ''
- ClassName: 'ToolbarWindow32' WindowName: ''
- ClassName: 'hqghumeayln' WindowName: 'hqghumeayln'
- ClassName: 'RTGameMenuUI' WindowName: '??????????????????'
- ClassName: 'RTGameMenuUI' WindowName: 'ИсЖр°ЛЧ¦УгУОП·ІЛµҐ'
Creates and executes the following:
- '%WINDIR%\VsRRiW\b62ef49.exe'
