Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\net.exe' stop "Kingsoft AntiVirus Service"
Injects code into
the following user processes:
- iexplore.exe
Modifies file system
Creates the following files
- <Current directory>\virdll.dll
Modifies the HOSTS file.
Network activity
Connects to
- '<LOCALNET>.37.1':445
- '<LOCALNET>.37.1':139
- '<LOCALNET>.37.1':80
UDP
- DNS ASK sz##k.com
Miscellaneous
Searches for the following windows
- ClassName: 'RavMonClass' WindowName: 'RavMon.exe'
- ClassName: 'Tapplication' WindowName: 'ÌìÍø·À»ðǽ¸öÈË°æ'
- ClassName: 'Tapplication' WindowName: 'ÌìÍø·À»ðǽÆóÒµ°æ'
- ClassName: 'TForm1' WindowName: ''
- ClassName: 'TfLockDownMain' WindowName: ''
- ClassName: 'ZAFrameWnd' WindowName: 'ZoneAlarm'
Creates and executes the following
- '<SYSTEM32>\net.exe' stop "Kingsoft AntiVirus Service"' (with hidden window)
Executes the following
- '<SYSTEM32>\net1.exe' stop "Kingsoft AntiVirus Service"
