Technical Information
Malicious functions:
Creates and executes the following:
- '%HOMEPATH%\Desktop\Packed.exe'
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- <Current directory>\0404heixin\浙江1[278].txt
- <Current directory>\0404heixin\浙江2[109].txt
- <Current directory>\0404heixin\浙江3[64].txt
- <Current directory>\0404heixin\河南4[236].txt
- <Current directory>\0404heixin\河南5[202].txt
- <Current directory>\0404heixin\河南6[291].txt
- <Current directory>\0404heixin\浙江6[25].txt
- <Current directory>\0404heixin\湖北3[238].txt
- <Current directory>\0404heixin\湖北4[203].txt
- <Current directory>\0404heixin\湖北5[158].txt
- <Current directory>\0404heixin\浙江7[54].txt
- <Current directory>\0404heixin\湖北1[520].txt
- <Current directory>\0404heixin\湖北2[264].txt
- <Current directory>\0404heixin\江苏8[92].txt
- <Current directory>\0404heixin\江西1[619].txt
- <Current directory>\0404heixin\江西2[121].txt
- <Current directory>\0404heixin\江苏3[145].txt
- <Current directory>\0404heixin\江苏4[122].txt
- <Current directory>\0404heixin\江苏6[107].txt
- <Current directory>\0404heixin\江西3[277].txt
- <Current directory>\0404heixin\河南1[946].txt
- <Current directory>\0404heixin\河南2[726].txt
- <Current directory>\0404heixin\河南3[389].txt
- <Current directory>\0404heixin\河北1[447].txt
- <Current directory>\0404heixin\河北4[78].txt
- <Current directory>\0404heixin\河北5[33].txt
- <Current directory>\0404heixin\贵州1[680].txt
- <Current directory>\0404heixin\辽宁1[367].txt
- <Current directory>\0404heixin\辽宁2[117].txt
- <Current directory>\0404heixin\西南1[1264].txt
- <Current directory>\0404heixin\西南2[452].txt
- <Current directory>\0404heixin\西南3[105].txt
- <Current directory>\0404heixin\辽宁3[60].txt
- <Current directory>\0404heixin\黑龙江1[388].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\loading[1].html
- %WINDIR%\Fonts\Guanggaopz.ini
- <Current directory>\0404heixin\重庆1[567].txt
- <Current directory>\0404heixin\重庆2[143].txt
- <Current directory>\0404heixin\陕西1[1094].txt
- <Current directory>\0404heixin\湖南1[607].txt
- <Current directory>\0404heixin\湖南2[375].txt
- <Current directory>\0404heixin\湖南3[251].txt
- <Current directory>\0404heixin\湖北6[90].txt
- <Current directory>\0404heixin\湖北7[55].txt
- <Current directory>\0404heixin\湖北8[112].txt
- <Current directory>\0404heixin\湖南4[211].txt
- <Current directory>\0404heixin\福建1[345].txt
- <Current directory>\0404heixin\福建2[194].txt
- <Current directory>\0404heixin\西北1[538].txt
- <Current directory>\0404heixin\湖南5[275].txt
- <Current directory>\0404heixin\湖南6[154].txt
- <Current directory>\0404heixin\湖南7[364].txt
- <Current directory>\0404heixin\华北4[91].txt
- <Current directory>\0404heixin\四川1[710].txt
- <Current directory>\0404heixin\四川2[366].txt
- <Current directory>\0404heixin\华北1[233].txt
- <Current directory>\0404heixin\华北2[169].txt
- <Current directory>\0404heixin\华北3[54].txt
- <Current directory>\0404heixin\四川3[258].txt
- <Current directory>\0404heixin\天津1[84].txt
- <Current directory>\0404heixin\安徽1[816].txt
- <Current directory>\0404heixin\安徽2[346].txt
- <Current directory>\0404heixin\四川4[280].txt
- <Current directory>\0404heixin\四川5[224].txt
- <Current directory>\0404heixin\四川6[229].txt
- <Current directory>\0404heixin\上海1[295].txt
- <Current directory>\0404heixin\上海2[156].txt
- <Current directory>\0404heixin\上海3[120].txt
- %HOMEPATH%\Desktop\ТщµґІҐУ°КУµјєЅ.html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\97jianzhan.taobao[1]
- %HOMEPATH%\Desktop\Packed.exe
- <Current directory>\0404heixin\东北1[284].txt
- <Current directory>\0404heixin\内蒙古1[84].txt
- <Current directory>\0404heixin\北京1[243].txt
- <Current directory>\0404heixin\北京3[31].txt
- <Current directory>\0404heixin\东北2[237].txt
- <Current directory>\0404heixin\云南1[227].txt
- <Current directory>\0404heixin\云贵1[85].txt
- <Current directory>\0404heixin\广东6[222].txt
- <Current directory>\0404heixin\广东7[193].txt
- <Current directory>\0404heixin\广东8[244].txt
- <Current directory>\0404heixin\广东3[382].txt
- <Current directory>\0404heixin\广东4[229].txt
- <Current directory>\0404heixin\广东5[204].txt
- <Current directory>\0404heixin\广东9[99].txt
- <Current directory>\0404heixin\新疆1[85].txt
- <Current directory>\0404heixin\江苏1[297].txt
- <Current directory>\0404heixin\江苏2[217].txt
- <Current directory>\0404heixin\广西1[922].txt
- <Current directory>\0404heixin\广西3[629].txt
- <Current directory>\0404heixin\广西5[65].txt
- <Current directory>\0404heixin\山东4[47].txt
- <Current directory>\0404heixin\山东5[95].txt
- <Current directory>\0404heixin\山东6[93].txt
- <Current directory>\0404heixin\安徽3[250].txt
- <Current directory>\0404heixin\山东1[406].txt
- <Current directory>\0404heixin\山东3[116].txt
- <Current directory>\0404heixin\山西1[344].txt
- <Current directory>\0404heixin\广东12[138].txt
- <Current directory>\0404heixin\广东1[517].txt
- <Current directory>\0404heixin\广东2[438].txt
- <Current directory>\0404heixin\山西2[55].txt
- <Current directory>\0404heixin\广东10[48].txt
- <Current directory>\0404heixin\广东11[113].txt
Deletes the following files:
- %HOMEPATH%\Desktop\Packed.exe
Network activity:
Connects to:
- 'www.97##g.com':80
- '97#####han.taobao.com':80
- 'localhost':1035
TCP:
HTTP GET requests:
- www.97##g.com/7298dy/loading.html
- 97#####han.taobao.com/
UDP:
- DNS ASK www.97##g.com
- DNS ASK 97#####han.taobao.com
Miscellaneous:
Searches for the following windows:
- ClassName: '#32770' WindowName: '????????????????'
- ClassName: '' WindowName: 'iexplore.exe'
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Internet Explorer_TridentDlgFrame' WindowName: 'Internet Explorer ????????'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
