Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'fgBivkxK' = '%LOCALAPPDATA%\Programs\BKnEJiHs.exe'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\fgbivkxk.lnk
Creates the following files on removable media
- <Drive name for removable media>:\tree_view.htm
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\tunpersonalca1.pem
- <Drive name for removable media>:\default.bmp
- <Drive name for removable media>:\trivial-merge.html
- <Drive name for removable media>:\applicantform_en.doc
- <Drive name for removable media>:\2015-02-worms-nanoparticle-toxicity.pdf
- <Drive name for removable media>:\sdszfo.docx
- <Drive name for removable media>:\file_p_00000000_1371597592.docx
- <Drive name for removable media>:\13.jpeg
- <Drive name for removable media>:\pushkin.jpg
- <Drive name for removable media>:\about.htm
- <Drive name for removable media>:\3.jpeg
- <Drive name for removable media>:\210252809.jpg
- <Drive name for removable media>:\pushkin.jpeg
- <Drive name for removable media>:\irgeek.pem
- <Drive name for removable media>:\1189.jpeg
- <Drive name for removable media>:\aoc_saq_d_v3_merchant.docx
- <Drive name for removable media>:\parnas_01.jpeg
- <Drive name for removable media>:\2.jpg
- <Drive name for removable media>:\split.avi
- <Drive name for removable media>:\adhd_and_obesity.docx
- <Drive name for removable media>:\contractualdeadlines.zip
- <Drive name for removable media>:\block.png
- <Drive name for removable media>:\hhhlcert.pem
- <Drive name for removable media>:\ck.pem
- <Drive name for removable media>:\dag2_panel1_320_ref.mov
- <Drive name for removable media>:\about.html
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\pmd.cer
- <Drive name for removable media>:\ituneshelpunavailable.html
- <Drive name for removable media>:\advice_process.htm
- <Drive name for removable media>:\contoso.cer
- <Drive name for removable media>:\dashborder_120.bmp
- <Drive name for removable media>:\sdkfailsafeemulator.cer
- <Drive name for removable media>:\alert.html
- <Drive name for removable media>:\testee.cer
- <Drive name for removable media>:\browse.htm
- <Drive name for removable media>:\excel_example.zip
- <Drive name for removable media>:\spib_pima.pdf
- <Drive name for removable media>:\tree_view.html
- <Drive name for removable media>:\alert.htm
- <Drive name for removable media>:\browse.html
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\holycrosschurchinstructions.docx
- <Drive name for removable media>:\ck_ugo.pem
- <Drive name for removable media>:\dial.bmp
- <Drive name for removable media>:\ituneshelpunavailable.htm
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx
- <Drive name for removable media>:\delongcacert.pem
- <Drive name for removable media>:\background.png
- <Drive name for removable media>:\iisstart.htm
- <Drive name for removable media>:\iisstart.html
- <Drive name for removable media>:\breakpoint.png
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\alert.htm
- %HOMEPATH%\desktop\garden.htm
- %HOMEPATH%\desktop\pmd.cer
- %HOMEPATH%\desktop\trivial-merge.htm
- %HOMEPATH%\desktop\testee.cer
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\sdkfailsafeemulator.cer
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\howto-index.html
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\delete.avi
- %HOMEPATH%\desktop\dashborder_192.bmp
- %HOMEPATH%\desktop\dashborder_144.bmp
- %HOMEPATH%\desktop\dashborder_120.bmp
- %HOMEPATH%\desktop\cveuropeo.doc
- %HOMEPATH%\desktop\correct.avi
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\api-hashmap.html
- %HOMEPATH%\desktop\browse.htm
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\alert.html
- %HOMEPATH%\desktop\sdksampleprivdeveloper.cer
- %HOMEPATH%\desktop\february_catalogue__2015.doc
Modifies file system
Creates the following files
- %LOCALAPPDATA%\programs\bknejihs.exe
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\14d26bb548df3e2785adc7d69b3c1c5c_d4602615-9d50-4880-be41-678935e93eaa
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\61afa557a46a7b1d1c9ccf695b4cf55b_d4602615-9d50-4880-be41-678935e93eaa
Sets the 'hidden' attribute to the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\fgbivkxk.lnk
Deletes the following files
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\14d26bb548df3e2785adc7d69b3c1c5c_d4602615-9d50-4880-be41-678935e93eaa
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\61afa557a46a7b1d1c9ccf695b4cf55b_d4602615-9d50-4880-be41-678935e93eaa
Modifies the following files
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\f58155b4b1d5a524ca0261c3ee99fb50_d4602615-9d50-4880-be41-678935e93eaa
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\propsww2.cab
- %LOCALAPPDATA%\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\owow32ww.cab
- %LOCALAPPDATA%\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.msi
- %LOCALAPPDATA%\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
- %LOCALAPPDATA%\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
- %LOCALAPPDATA%\microsoft\feeds\feedsstore.feedsdb-ms
- %LOCALAPPDATA%\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms
- <Drive name for removable media>:\indogerman2010.pptx
- <Drive name for removable media>:\samieee_obiee_presentation.pptx
- <Drive name for removable media>:\gruenspecht_02172016.pptx
- <Drive name for removable media>:\iso27k_isms_implementation_and_certification_process_overview_v2.pptx
- <Drive name for removable media>:\waterresourcesag.pptx
- <Drive name for removable media>:\stoc13_ml_quoc_le.pptx
- D:\system volume information\tracking.log
- C:\kms\kms_vl_all_aio_debug.log
- D:\install.log
- C:\kms\kms_vl_all_aio.cmd
- %HOMEPATH%\desktop\cveuropeo.doc
- %HOMEPATH%\desktop\correct.avi
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\api-hashmap.html
- %HOMEPATH%\desktop\alert.html
- %HOMEPATH%\desktop\browse.htm
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\alert.htm
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\proplusww.msi
- %LOCALAPPDATA%\microsoft\media player\sync playlists\en-us\0003b056\02_music_added_in_the_last_month.wpl
Modifies multiple files.
Substitutes the following files
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1238866942-1249195528-555854008-1000\14d26bb548df3e2785adc7d69b3c1c5c_d4602615-9d50-4880-be41-678935e93eaa
Modifies user data files (Trojan.Encoder).
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\vssadmin.exe' delete shadows /all /Quiet' (with hidden window)
