Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\.\shell\open\command] '' = 'rundll32.exe %WINDIR%\staticial\cmss.jyc,scanMiddle'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\5DУОП·ґуМь.lnk
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\5DGame\WebGame.exe'
- '%PROGRAM_FILES%\staticial\bibibei.exe' /S
- '%TEMP%\is-9II1U.tmp\<Virus name>.tmp' /SL5="$40036,1052764,53248,<Full path to virus>"
Executes the following:
- '<SYSTEM32>\rundll32.exe' %PROGRAM_FILES%\staticial\cmss.jyc,scanbegin
- '<SYSTEM32>\rundll32.exe' %PROGRAM_FILES%\staticial\csrg.jpc,scanbegin
- '<SYSTEM32>\regsvr32.exe' "%PROGRAM_FILES%\5DGame\fancygame.ocx" /s
- '<SYSTEM32>\rundll32.exe' "%PROGRAM_FILES%\staticial\smes.jel" staticflow
- '%WINDIR%\regedit.exe' -s "%PROGRAM_FILES%\staticial\haohao.err"
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' Explorer\iexplore.exe http://12#.##4.9.113:8022/Insertbz.aspx?mc#######################################
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\5DGame\skin\default\top_close01.png
- %PROGRAM_FILES%\5DGame\skin\default\top_close02.png
- %PROGRAM_FILES%\5DGame\skin\default\top_big03.png
- %PROGRAM_FILES%\5DGame\skin\default\top_big01.png
- %PROGRAM_FILES%\5DGame\skin\default\top_big02.png
- %PROGRAM_FILES%\5DGame\skin\default\top_close03.png
- %PROGRAM_FILES%\5DGame\skin\default\top_prev01.png
- %PROGRAM_FILES%\5DGame\skin\default\top_prev02.png
- %PROGRAM_FILES%\5DGame\skin\default\top_next03.png
- %PROGRAM_FILES%\5DGame\skin\default\top_next01.png
- %PROGRAM_FILES%\5DGame\skin\default\top_next02.png
- %PROGRAM_FILES%\5DGame\skin\default\nav_close02.png
- %PROGRAM_FILES%\5DGame\skin\default\nav_close03.png
- %PROGRAM_FILES%\5DGame\skin\default\nav_close01.png
- %PROGRAM_FILES%\5DGame\skin\default\nav_bg01.png
- %PROGRAM_FILES%\5DGame\skin\default\nav_bg02.png
- %PROGRAM_FILES%\5DGame\skin\default\pop_close01.png
- %PROGRAM_FILES%\5DGame\skin\default\toolbar_nav02.png
- %PROGRAM_FILES%\5DGame\skin\default\toolbar_nav03.png
- %PROGRAM_FILES%\5DGame\skin\default\toolbar_bg01.png
- %PROGRAM_FILES%\5DGame\skin\default\pop_close02.png
- %PROGRAM_FILES%\5DGame\skin\default\skin.xml
- %HOMEPATH%\Desktop\5DУОП·ґуМь.lnk
- %HOMEPATH%\Desktop\МмјН-3DТіУО.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\5DУОП·ґуМь.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\default[1].html
- %HOMEPATH%\Start Menu\Programs\5DGame\5DУОП·ґуМь.lnk
- %PROGRAM_FILES%\5DGame\5DУОП·ґуМь.url
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\config[1].xml
- %PROGRAM_FILES%\Internet Explorer\HMMAPIS.DLL
- %PROGRAM_FILES%\5DGame\uninst.exe
- %HOMEPATH%\Start Menu\Programs\5DGame\5D№ЩНш.lnk
- %HOMEPATH%\Start Menu\Programs\5DGame\Uninstall.lnk
- %PROGRAM_FILES%\5DGame\skin\default\top_restore03.png
- %PROGRAM_FILES%\5DGame\skin\default\top_small01.png
- %PROGRAM_FILES%\5DGame\skin\default\top_restore02.png
- %PROGRAM_FILES%\5DGame\skin\default\top_prev03.png
- %PROGRAM_FILES%\5DGame\skin\default\top_restore01.png
- %PROGRAM_FILES%\5DGame\skin\default\top_small02.png
- %PROGRAM_FILES%\5DGame\WebGame.exe
- %PROGRAM_FILES%\5DGame\fancygame.ocx
- %PROGRAM_FILES%\5DGame\tj.ico
- %PROGRAM_FILES%\5DGame\skin\default\top_small03.png
- %PROGRAM_FILES%\5DGame\5d.ico
- %PROGRAM_FILES%\5DGame\skin\default\icon_yxdt.png
- %WINDIR%\staticial\cmss.jyc
- %WINDIR%\staticial\config.ini
- %WINDIR%\staticial\bibibei.exe
- %PROGRAM_FILES%\staticial\is-JP6SL.tmp
- %PROGRAM_FILES%\staticial\unins000.dat
- %WINDIR%\staticial\csrg.jpc
- %WINDIR%\staticial\unins000.dat
- %WINDIR%\staticial\unins000.exe
- %WINDIR%\staticial\taobao.ico
- %WINDIR%\staticial\haohao.err
- %WINDIR%\staticial\smes.jel
- %PROGRAM_FILES%\staticial\is-P0894.tmp
- %PROGRAM_FILES%\staticial\is-66MF2.tmp
- %TEMP%\is-1MSG6.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-9II1U.tmp\<Virus name>.tmp
- %TEMP%\is-1MSG6.tmp\_isetup\_RegDLL.tmp
- %PROGRAM_FILES%\staticial\is-KE5R1.tmp
- %PROGRAM_FILES%\staticial\is-4E6AJ.tmp
- %PROGRAM_FILES%\staticial\is-8B02T.tmp
- %PROGRAM_FILES%\staticial\is-JMK9J.tmp
- %PROGRAM_FILES%\staticial\is-JE4U4.tmp
- %PROGRAM_FILES%\staticial\is-J23HR.tmp
- %PROGRAM_FILES%\5DGame\skin\default\icon_gdyx.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_gw.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_cz.png
- %PROGRAM_FILES%\5DGame\skin\default\btn_more02.png
- %PROGRAM_FILES%\5DGame\skin\default\btn_more03.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_ht.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_qp.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_sx.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_qj.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_kfzx.png
- %PROGRAM_FILES%\5DGame\skin\default\icon_lt.png
- %PROGRAM_FILES%\5DGame\skin\default\Thumbs.db
- %PROGRAM_FILES%\5DGame\skin\default\bg_hide.png
- %TEMP%\nsc3.tmp\System.dll
- %WINDIR%\staticial\xianjian.ico
- %TEMP%\nsh2.tmp
- %PROGRAM_FILES%\5DGame\skin\default\bg_main.png
- %PROGRAM_FILES%\5DGame\skin\default\btn_kefu03.png
- %PROGRAM_FILES%\5DGame\skin\default\btn_more01.png
- %PROGRAM_FILES%\5DGame\skin\default\btn_kefu02.png
- %PROGRAM_FILES%\5DGame\skin\default\bg_popup.png
- %PROGRAM_FILES%\5DGame\skin\default\bg_today.png
Deletes the following files:
- %TEMP%\nsc3.tmp\System.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\config[1].xml
- %TEMP%\is-9II1U.tmp\<Virus name>.tmp
- %TEMP%\is-1MSG6.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-1MSG6.tmp\_isetup\_shfoldr.dll
Moves the following files:
- from %PROGRAM_FILES%\staticial\is-4E6AJ.tmp to %PROGRAM_FILES%\staticial\smes.jel
- from %PROGRAM_FILES%\staticial\is-JMK9J.tmp to %PROGRAM_FILES%\staticial\haohao.err
- from %PROGRAM_FILES%\staticial\is-JP6SL.tmp to %PROGRAM_FILES%\staticial\xianjian.ico
- from %PROGRAM_FILES%\staticial\is-8B02T.tmp to %PROGRAM_FILES%\staticial\taobao.ico
- from %PROGRAM_FILES%\staticial\is-J23HR.tmp to %PROGRAM_FILES%\staticial\config.ini
- from %PROGRAM_FILES%\staticial\is-66MF2.tmp to %PROGRAM_FILES%\staticial\bibibei.exe
- from %PROGRAM_FILES%\staticial\is-P0894.tmp to %PROGRAM_FILES%\staticial\unins000.exe
- from %PROGRAM_FILES%\staticial\is-JE4U4.tmp to %PROGRAM_FILES%\staticial\cmss.jyc
- from %PROGRAM_FILES%\staticial\is-KE5R1.tmp to %PROGRAM_FILES%\staticial\csrg.jpc
Network activity:
Connects to:
- 'se###r.3653.com':80
- 'localhost':1042
- 'www.xi###i189.com':80
- 'localhost':1036
- '12#.#24.9.113':8022
TCP:
HTTP GET requests:
- se###r.3653.com/data/config/config.xml
- www.xi###i189.com/new/bf02/default.html?fr#########
HTTP POST requests:
- se###r.3653.com/server/
UDP:
- DNS ASK se###r.3653.com
- DNS ASK www.xi###i189.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '5DCLIENT_CLASS' WindowName: ''
- ClassName: 'CabinetWClass' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: '' WindowName: ''
