Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\403BA372] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\403BA372] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService'
- [<HKLM>\SYSTEM\ControlSet001\services\403BA372] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService�'
- [<HKLM>\SYSTEM\ControlSet001\services\403BA372\Parameters] 'ServiceDll' = '%PROGRAMDATA%\403BA372\4FA8E721.dll�'
- [<HKLM>\SYSTEM\ControlSet001\services\403BA372] 'Start' = '00000002'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\services.exe
- %WINDIR%\syswow64\rundll32.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\rundll32.exe
the following user processes:
- firefox.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\Wow6432Node\FlashFXP\3]
- [<HKLM>\Software\Wow6432Node\FlashFXP]
- [<HKCU>\Software\FileZilla]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\SOFTWARE\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\AIM\AIMPro]
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\RIT\The Bat!]
- [<HKCU>\SOFTWARE\RIT\The Bat!\Users depot]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKLM>\Software\Wow6432Node\Microsoft\Internet Account Manager]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Windows Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Total Commander]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [<HKCU>_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080'
Modifies file system
Creates the following files
- <Full path to file>
- %TEMP%\1110921.tmp
- %TEMP%\1111406.tmp
- %TEMP%\1111421.tmp
- %TEMP%\1111421.tmp-shm
- %TEMP%\1112046.tmp
- %TEMP%\1112125.tmp
- %TEMP%\1112140.tmp
- %TEMP%\1105046.tmp
- %TEMP%\1110906.tmp
- %TEMP%\1112140.tmp-shm
- %TEMP%\1113406.tmp
- %TEMP%\1113421.tmp
- %TEMP%\1113468.tmp
- %TEMP%\1113828.tmp
- %TEMP%\1113843.tmp
- %TEMP%\1113968.tmp
- %TEMP%\1113968.tmp-shm
- %TEMP%\1112671.tmp
- %TEMP%\1112671.tmp-shm
- %TEMP%\1104750.tmp
- %TEMP%\1104703.tmp
- %TEMP%\1104437.tmp
- %PROGRAMDATA%\403ba372\8840aaf5.dll
- %PROGRAMDATA%\403ba372\4fa8e721.dll
- %PROGRAMDATA%\403ba372\177fefd2\4ed8ef38fd304ffe75362963ee1271a6
- %PROGRAMDATA%\403ba372\b1430fc8
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\130e6acd6fb4cf505861a1cde768572a_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %PROGRAMDATA%\403ba372\615af403\9ab758034483f26dfe719920580a0a84.zip
- %WINDIR%\syswow64\config\systemprofile\favorites\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\desktop.ini
- %PROGRAMDATA%\403ba372\445d6ccb
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\fxuzwbib\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\mu2rjyj8\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\idaqio59\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\7z2y60at\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\desktop.ini
- %TEMP%\1114140.tmp
- %TEMP%\1114140.tmp-shm
Sets the 'hidden' attribute to the following files
- %PROGRAMDATA%\403ba372\8840aaf5.dll
- %PROGRAMDATA%\403ba372\4fa8e721.dll
- %WINDIR%\syswow64\config\systemprofile\favorites\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\fxuzwbib\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\mu2rjyj8\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\idaqio59\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\7z2y60at\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\desktop.ini
Deletes the following files
- <Full path to file>
- %PROGRAMDATA%\403ba372\b1430fc8
- %PROGRAMDATA%\403ba372\615af403\9ab758034483f26dfe719920580a0a84.zip
- %PROGRAMDATA%\403ba372\177fefd2\4ed8ef38fd304ffe75362963ee1271a6
- %TEMP%\1111421.tmp-shm
- %TEMP%\1112140.tmp-shm
- %TEMP%\1112671.tmp-shm
- %TEMP%\1113968.tmp-shm
- %TEMP%\1114140.tmp-shm
Substitutes the following files
- %PROGRAMDATA%\403ba372\b1430fc8
Network activity
TCP
- '2.##.213.39':443
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: '862E203C' WindowName: '862E203C'
Creates and executes the following
- '%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@1296' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\403BA372\4FA8E721.dll,f1 <Full path to file>@2140' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@1296
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\403BA372\4FA8E721.dll,f1 <Full path to file>@2140
- '<SYSTEM32>\rundll32.exe' %ProgramFiles%\403BA372\4FA8E721.dll,f1 <Full path to file>@2140
- '<SYSTEM32>\rundll32.exe' %PROGRAMDATA%\403BA372\4FA8E721.dll,f2 1FCAAAC36182D72B5B244331A7421701
- '<SYSTEM32>\svchost.exe' -k LocalService
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\403BA372\8840AAF5.dll,f3
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\403BA372\8840AAF5.dll,f7
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\403BA372\8840AAF5.dll,f2 E48E292D52AA1264BCBA6B30A9CB2113
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\wininet.dll",DispatchAPICall 1
