Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = '%APPDATA%\Microsoft\Windows\Hadley.scr'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Ulises Byron Germayne' = '%WINDIR%\Ulises Byron Germayne.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Kenny Eben' = '%APPDATA%\Kenny Eben\Kenny Eben.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Lief' = 'cmd.exe /c %APPDATA%\Lief\Lief.Lief'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Huberto' = 'cmd.exe /c %WINDIR%\Huberto.Huberto'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'AppInit_DLLs' = '%WINDIR%\9dd29b2546a08fa71f8ebe3b10fb8175.dll'
Malicious functions:
Creates and executes the following:
- %APPDATA%\Microsoft\Windows\Hadley.scr /s
Executes the following:
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Microsoft\Windows\Hadley.scr"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Microsoft\Windows\Hadley.scr"
- <SYSTEM32>\reg.exe ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%APPDATA%\Microsoft\Windows\Hadley.scr" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Ulises Byron Germayne.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Ulises Byron Germayne.exe"
- <SYSTEM32>\reg.exe ADD "HKLM\software\microsoft\windows\currentversion\run" /v "Ulises Byron Germayne" /t REG_SZ /d "%WINDIR%\Ulises Byron Germayne.exe" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Jakie Darrick Mahmud"
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Jakie Darrick Mahmud\Jakie Darrick Mahmud.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Jakie Darrick Mahmud\Jakie Darrick Mahmud.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Jakie Darrick Mahmud"
- <SYSTEM32>\sc.exe create "Jakie Darrick Mahmud" binPath= "%WINDIR%\Jakie Darrick Mahmud\Jakie Darrick Mahmud.exe" start= auto DisplayName= "Huberto" description= "Ulises Byron Germayne"
- <SYSTEM32>\sc.exe start "Huberto"
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Bentlee"
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Bentlee\Bentlee.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Bentlee\Bentlee.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Bentlee"
- <SYSTEM32>\schtasks.exe /create /F /RL HIGHEST /tn "Bentlee" /tr "<Full path to virus>" /sc onlogon
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Kenny Eben"
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Kenny Eben\Kenny Eben.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Kenny Eben\Kenny Eben.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Kenny Eben"
- <SYSTEM32>\reg.exe ADD "HKCU\software\microsoft\windows\currentversion\run" /v "Kenny Eben" /t REG_SZ /d "%APPDATA%\Kenny Eben\Kenny Eben.exe" /f
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Lief"
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Lief\Lief.Lief"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Lief\Lief.Lief"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Lief"
- <SYSTEM32>\reg.exe ADD "HKCU\software\microsoft\windows\currentversion\run" /v "Lief" /t REG_SZ /d "cmd.exe /c %APPDATA%\Lief\Lief.Lief" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Huberto.Huberto"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Huberto.Huberto"
- <SYSTEM32>\reg.exe ADD "HKLM\software\microsoft\windows\currentversion\run" /v "Huberto" /t REG_SZ /d "cmd.exe /c %WINDIR%\Huberto.Huberto" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\9dd29b2546a08fa71f8ebe3b10fb8175.dll"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\9dd29b2546a08fa71f8ebe3b10fb8175.dll"
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "%WINDIR%\9dd29b2546a08fa71f8ebe3b10fb8175.dll" /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
- <SYSTEM32>\netsh.exe firewall add allowedprogram "<Full path to virus>" "winhttpsvc" ENABLE
- <SYSTEM32>\netsh.exe advfirewall firewall add rule name="winhttpsvc" profile=public,private,domain dir=in action=allow program="<Full path to virus>" enable=yes
- <SYSTEM32>\sc.exe create "Hadley" binPath= "<Full path to virus>" start= auto DisplayName= "Huberto" description= "Ulises Byron Germayne"
- <SYSTEM32>\schtasks.exe /create /F /RL HIGHEST /tn "Ulises Byron Germayne" /tr "<Full path to virus>" /sc onlogon
- <SYSTEM32>\netsh.exe firewall set opmode DISABLE
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
- <SYSTEM32>\sc.exe config upnphost start= auto
- <SYSTEM32>\sc.exe config SSDPSRV start= auto
- <SYSTEM32>\sc.exe config browser start= auto
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
- <SYSTEM32>\reg.exe DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
- <SYSTEM32>\reg.exe DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
- <SYSTEM32>\reg.exe /s
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\smss.exe
- <SYSTEM32>\csrss.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\services.exe
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\ctfmon.exe
- <SYSTEM32>\alg.exe
- <SYSTEM32>\cscript.exe
a large number of user processes.
Terminates or attempts to terminate
the following user processes:
- WebMoney.exe
a large number of user processes.
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:31769'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyOverride' = 'local'
- [<HKLM>\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
Modifies file system :
Creates the following files:
- %TEMP%\aut1.tmp
- %TEMP%\say63hase.bgs
- %APPDATA%\Microsoft\Windows\Hadley.scr
- %WINDIR%\Ulises Byron Germayne.exe
- %WINDIR%\Jakie Darrick Mahmud\Jakie Darrick Mahmud.exe
- %WINDIR%\Bentlee\Bentlee.exe
- %APPDATA%\Kenny Eben\Kenny Eben.exe
- %APPDATA%\Lief\Lief.Lief
- %WINDIR%\Huberto.Huberto
- %APPDATA%\Danie.dll
- %WINDIR%\9dd29b2546a08fa71f8ebe3b10fb8175.dll
- %APPDATA%\9dd29b2546a08fa71f8ebe3b10fb8175.HjHBjQmL
- %WINDIR%\RGI4.tmp
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6YQRA29M\illili[1].htm
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4DCTA78H\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\49U7O5IF\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\34WOBH45\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4L8RMVG5\desktop.ini
Sets the 'hidden' attribute to the following files:
- %APPDATA%\Microsoft\Windows\Hadley.scr
- %WINDIR%\Ulises Byron Germayne.exe
- %WINDIR%\Jakie Darrick Mahmud\Jakie Darrick Mahmud.exe
- %WINDIR%\Bentlee\Bentlee.exe
- %APPDATA%\Kenny Eben\Kenny Eben.exe
- %APPDATA%\Lief\Lief.Lief
- %WINDIR%\Huberto.Huberto
- %WINDIR%\9dd29b2546a08fa71f8ebe3b10fb8175.dll
- %APPDATA%\Danie.dll
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4DCTA78H\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\49U7O5IF\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\34WOBH45\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4L8RMVG5\desktop.ini
Deletes the following files:
- %TEMP%\aut1.tmp
Network activity:
Connects to:
- 'localhost':31769
- 'sp###test.net':80
- 'il##li.in':80
- 'localhost':385
- 'localhost':11149
- 'localhost':32600
TCP:
HTTP GET requests:
- sp###test.net/
HTTP POST requests:
- il##li.in/
UDP:
- DNS ASK sp###test.net
- DNS ASK il##li.in
- '23#.#55.255.250':1900
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'System Restore'
- ClassName: '' WindowName: 'Registry Editor'
- ClassName: '' WindowName: 'Registry'
- ClassName: '' WindowName: 'RegAlyzer'
- ClassName: '' WindowName: 'RegCool'
- ClassName: '' WindowName: 'System Configuration'
- ClassName: '' WindowName: 'Windows Task Manager'
