Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE] 'Debugger' = 'D:\RECYCLER\????8.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
Creates or modifies the following files
- %WINDIR%\tasks\at1.job
- %WINDIR%\tasks\at2.job
- %WINDIR%\tasks\at3.job
- %WINDIR%\tasks\at4.job
- %WINDIR%\tasks\at5.job
- %WINDIR%\tasks\at6.job
Creates the following files on removable media
- <Drive name for removable media>:\recyclep\pagefile.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks execution of the following system utilities:
- Windows Security Center
modifies the following system settings:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'DisallowRun' = '00000001'
Executes the following
- '<SYSTEM32>\at.exe' 9:23:08 PM %WINDIR%\Help\HelpCat.exe
- '<SYSTEM32>\net.exe' stop wscsvc /y
- '<SYSTEM32>\net.exe' stop wuauserv /y
- '<SYSTEM32>\net.exe' stop sharedaccess /y
- '<SYSTEM32>\at.exe' 9:22:10 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\net.exe' stop srservice /y
- '<SYSTEM32>\at.exe' 9:25:10 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\net.exe' stop 360timeprot /y
- '<SYSTEM32>\at.exe' 9:23:18 PM %WINDIR%\Help\HelpCat.exe
- '<SYSTEM32>\at.exe' 9:25:20 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\at.exe' 9:22:20 PM %WINDIR%\Sysinf.bat
Modifies file system
Creates the following files
- C:\users\clouds~1\appdata\local\temp\lixbkh.exe
- <SYSTEM32>\option.bat
- C:\ntldr~6
- C:\ntldr~8
- %WINDIR%\system\kavupda.exe
- %WINDIR%\help\helpcat.exe
- %WINDIR%\sysinf.bat
- %WINDIR%\regedt32.sys
- C:\users\clouds~1\appdata\local\temp\lixbkh~4.exe
- D:\recyclep\pagefile.exe
- D:\autorun.inf
- C:\recyclep\pagefile.exe
- C:\autorun.inf
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\recyclep\pagefile.exe
- <Drive name for removable media>:\autorun.inf
- C:\users\clouds~1\appdata\local\temp\lixbkh~4.exe
- D:\recyclep\pagefile.exe
- D:\autorun.inf
- C:\recyclep\pagefile.exe
- C:\autorun.inf
Deletes the following files
- %WINDIR%\regedt32.sys
- <Drive name for removable media>:\autorun.inf
- D:\autorun.inf
- C:\autorun.inf
Substitutes the following files
- %WINDIR%\regedt32.sys
- <Drive name for removable media>:\autorun.inf
- D:\autorun.inf
- C:\autorun.inf
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
Creates and executes the following
- 'C:\users\clouds~1\appdata\local\temp\lixbkh.exe'
- 'C:\users\clouds~1\appdata\local\temp\lixbkh~4.exe'
- '%WINDIR%\system\kavupda.exe'
- '<SYSTEM32>\cmd.exe' /c rmdir D:\Autorun.inf /s /q' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r D:\Autorun.inf\*.* /s /d' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rmdir <Drive name for removable media>:\Autorun.inf /s /q' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r <Drive name for removable media>:\Autorun.inf\*.* /s /d' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c at 9:25:20 PM %WINDIR%\Sysinf.bat' (with hidden window)
- '<SYSTEM32>\at.exe' 9:23:18 PM %WINDIR%\Help\HelpCat.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c at 9:22:20 PM %WINDIR%\Sysinf.bat' (with hidden window)
- '%WINDIR%\system\kavupda.exe' ' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rmdir C:\Autorun.inf /s /q' (with hidden window)
- '%WINDIR%\regedit.exe' /s %WINDIR%\regedt32.sys' (with hidden window)
- '<SYSTEM32>\sc.exe' config wscsvc start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config srservice start= disabled' (with hidden window)
- '<SYSTEM32>\net.exe' stop 360timeprot /y' (with hidden window)
- '<SYSTEM32>\net.exe' stop srservice /y' (with hidden window)
- '<SYSTEM32>\net.exe' stop sharedaccess /y' (with hidden window)
- '<SYSTEM32>\net.exe' stop wuauserv /y' (with hidden window)
- '<SYSTEM32>\net.exe' stop wscsvc /y' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c at 9:25:10 PM %WINDIR%\Sysinf.bat' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c at 9:22:10 PM %WINDIR%\Sysinf.bat' (with hidden window)
- '<SYSTEM32>\at.exe' 9:23:08 PM %WINDIR%\Help\HelpCat.exe' (with hidden window)
- '<SYSTEM32>\net.exe' start schedule /y' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\Option.bat' (with hidden window)
- '<SYSTEM32>\sc.exe' config SharedAccess start= disabled' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r C:\Autorun.inf\*.* /s /d' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\Option.bat
- '<SYSTEM32>\cmd.exe' /c rmdir C:\Autorun.inf /s /q
- '<SYSTEM32>\attrib.exe' -s -h -r D:\Autorun.inf\*.* /s /d
- '<SYSTEM32>\cmd.exe' /c rmdir D:\Autorun.inf /s /q
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r D:\Autorun.inf\*.* /s /d
- '<SYSTEM32>\attrib.exe' -s -h -r <Drive name for removable media>:\Autorun.inf\*.* /s /d
- '<SYSTEM32>\cmd.exe' /c rmdir <Drive name for removable media>:\Autorun.inf /s /q
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r <Drive name for removable media>:\Autorun.inf\*.* /s /d
- '<SYSTEM32>\cmd.exe' /c at 9:25:20 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\cmd.exe' /c at 9:22:20 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
- '<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
- '%WINDIR%\regedit.exe' /s %WINDIR%\regedt32.sys
- '<SYSTEM32>\sc.exe' config SharedAccess start= disabled
- '<SYSTEM32>\net1.exe' stop srservice /y
- '<SYSTEM32>\sc.exe' config wscsvc start= disabled
- '<SYSTEM32>\net1.exe' stop wuauserv /y
- '<SYSTEM32>\net1.exe' stop sharedaccess /y
- '<SYSTEM32>\sc.exe' config srservice start= disabled
- '<SYSTEM32>\net1.exe' stop wscsvc /y
- '<SYSTEM32>\cmd.exe' /c at 9:25:10 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\cmd.exe' /c at 9:22:10 PM %WINDIR%\Sysinf.bat
- '<SYSTEM32>\net1.exe' start schedule /y
- '<SYSTEM32>\net.exe' start schedule /y
- '<SYSTEM32>\net1.exe' stop 360timeprot /y
- '<SYSTEM32>\attrib.exe' -s -h -r C:\Autorun.inf\*.* /s /d
