Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\uvnc_service] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\uvnc_service] 'ImagePath' = '"%ProgramFiles%\uvnc bvba\UltraVNC\winvnc.exe" -service'
Creates the following services
- 'uvnc_service' "%ProgramFiles%\uvnc bvba\UltraVNC\winvnc.exe" -service
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5900 vnc5900
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5800 vnc5800
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%ProgramFiles%\uvnc bvba\UltraVNC\winvnc.exe" "winvnc.exe" ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%ProgramFiles%\uvnc bvba\UltraVNC\vncviewer.exe" "vncviewer.exe" ENABLE ALL
Modifies file system
Creates the following files
- %TEMP%\8d6.tmp\8d7.bat
- %ProgramFiles%\uvnc bvba\ultravnc\is-79f8l.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-elit7.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-lt3kb.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-ohnp3.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-3t775.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-oahso.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-982l0.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-vm7be.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-r6rdu.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\ultravnc.ini
- %ProgramFiles%\uvnc bvba\ultravnc\is-g5mlk.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-vrgn0.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-ls72n.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-ui14i.tmp
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\ultravnc viewer.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\ultravnc launcher.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\ultravnc server.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\ultravnc viewer\run ultravnc viewer (listen mode).lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\ultravnc viewer\run ultravnc viewer (listen mode encrypt)).lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\edit settings.lnk
- %ProgramFiles%\uvnc bvba\ultravnc\is-oa9mi.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-kde56.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-n9ke9.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-7hagl.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-13q90.tmp
- %TEMP%\8d6.tmp\schook.dll
- %TEMP%\8d6.tmp\schook64.dll
- %TEMP%\8d6.tmp\securevncplugin.dsm
- %TEMP%\8d6.tmp\securevncplugin64.dsm
- %TEMP%\8d6.tmp\ultravnc_1_2_16_x64_setup.exe
- %TEMP%\8d6.tmp\ultravnc_1_2_16_x86_setup.exe
- %TEMP%\8d6.tmp\ultravnc32.ini
- %TEMP%\8d6.tmp\ultravnc64.ini
- %TEMP%\8d6.tmp\vncserver.inf
- %ProgramFiles%\uvnc bvba\ultravnc\unins000.msg
- %ProgramFiles%\uvnc bvba\ultravnc\is-ntp4a.tmp
- %TEMP%\8d6.tmp\aclktb.txt
- %ProgramFiles%\uvnc bvba\ultravnc\schook64.dll
- %ProgramFiles%\uvnc bvba\ultravnc\acl.txt
- %ProgramFiles%\uvnc bvba\ultravnc\securevncplugin64.dsm
- %TEMP%\is-5sv89.tmp\ultravnc_1_2_16_x64_setup.tmp
- %TEMP%\is-a5k1e.tmp\_isetup\_setup64.tmp
- %TEMP%\is-a5k1e.tmp\isskin.dll
- %TEMP%\is-a5k1e.tmp\vista.cjstyles
- %ProgramFiles%\uvnc bvba\ultravnc\is-f55r5.tmp
- %ProgramFiles%\uvnc bvba\ultravnc\is-fr9jt.tmp
- %TEMP%\8d6.tmp\aclktbcs.txt
- %ProgramFiles%\uvnc bvba\ultravnc\schook.dll
- %ProgramFiles%\uvnc bvba\ultravnc\unins000.dat
Deletes the following files
- %ProgramFiles%\uvnc bvba\ultravnc\setpasswd.exe
- %TEMP%\8d6.tmp\vncserver.inf
- %TEMP%\8d6.tmp\ultravnc64.ini
- %TEMP%\8d6.tmp\ultravnc32.ini
- %TEMP%\8d6.tmp\ultravnc_1_2_16_x86_setup.exe
- %TEMP%\8d6.tmp\ultravnc_1_2_16_x64_setup.exe
- %TEMP%\8d6.tmp\securevncplugin64.dsm
- %TEMP%\8d6.tmp\securevncplugin.dsm
- %TEMP%\8d6.tmp\schook64.dll
- %TEMP%\8d6.tmp\schook.dll
- %TEMP%\8d6.tmp\aclktbcs.txt
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ultravnc\ultravnc viewer.lnk
- %TEMP%\is-5sv89.tmp\ultravnc_1_2_16_x64_setup.tmp
- %TEMP%\is-a5k1e.tmp\_isetup\_setup64.tmp
- %TEMP%\is-a5k1e.tmp\vista.cjstyles
- %TEMP%\is-a5k1e.tmp\isskin.dll
- %TEMP%\8d6.tmp\aclktb.txt
- %TEMP%\8d6.tmp\8d7.bat
Moves the following files
- from %ProgramFiles%\uvnc bvba\ultravnc\is-f55r5.tmp to %ProgramFiles%\uvnc bvba\ultravnc\unins000.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-ntp4a.tmp to %ProgramFiles%\uvnc bvba\ultravnc\setpasswd.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-g5mlk.tmp to %ProgramFiles%\uvnc bvba\ultravnc\setcad.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-r6rdu.tmp to %ProgramFiles%\uvnc bvba\ultravnc\uvnc_launch.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-vm7be.tmp to %ProgramFiles%\uvnc bvba\ultravnc\vncviewer.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-982l0.tmp to %ProgramFiles%\uvnc bvba\ultravnc\mslogonacl.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-oahso.tmp to %ProgramFiles%\uvnc bvba\ultravnc\authssp.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-3t775.tmp to %ProgramFiles%\uvnc bvba\ultravnc\ldapauth9x.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-ohnp3.tmp to %ProgramFiles%\uvnc bvba\ultravnc\ldapauthnt4.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-lt3kb.tmp to %ProgramFiles%\uvnc bvba\ultravnc\ldapauth.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-elit7.tmp to %ProgramFiles%\uvnc bvba\ultravnc\workgrpdomnt4.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-79f8l.tmp to %ProgramFiles%\uvnc bvba\ultravnc\authadmin.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-kde56.tmp to %ProgramFiles%\uvnc bvba\ultravnc\logging.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-oa9mi.tmp to %ProgramFiles%\uvnc bvba\ultravnc\vnchooks.dll
- from %ProgramFiles%\uvnc bvba\ultravnc\is-n9ke9.tmp to %ProgramFiles%\uvnc bvba\ultravnc\winvnc.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-7hagl.tmp to %ProgramFiles%\uvnc bvba\ultravnc\readme.txt
- from %ProgramFiles%\uvnc bvba\ultravnc\is-13q90.tmp to %ProgramFiles%\uvnc bvba\ultravnc\licence.rtf
- from %ProgramFiles%\uvnc bvba\ultravnc\is-fr9jt.tmp to %ProgramFiles%\uvnc bvba\ultravnc\whatsnew.rtf
- from %ProgramFiles%\uvnc bvba\ultravnc\is-vrgn0.tmp to %ProgramFiles%\uvnc bvba\ultravnc\uvnc_settings.exe
- from %ProgramFiles%\uvnc bvba\ultravnc\is-ls72n.tmp to %ProgramFiles%\uvnc bvba\ultravnc\testauth.exe
Substitutes the following files
- %ProgramFiles%\uvnc bvba\ultravnc\setpasswd.exe
Network activity
Connects to
- 'localhost':5900
Miscellaneous
Creates and executes the following
- '%TEMP%\8d6.tmp\ultravnc_1_2_16_x64_setup.exe' /norestart /VERYSILENT /components=ultravnc_server_s,ultravnc_viewer
- '%TEMP%\is-5sv89.tmp\ultravnc_1_2_16_x64_setup.tmp' /SL5="$2600A4,2928187,350720,%TEMP%\8D6.tmp\UltraVNC_1_2_16_X64_Setup.exe" /norestart /VERYSILENT /components=ultravnc_server_s,ultravnc_viewer
- '%ProgramFiles%\uvnc bvba\ultravnc\setpasswd.exe'
- '%ProgramFiles%\uvnc bvba\ultravnc\setcad.exe'
- '%ProgramFiles%\uvnc bvba\ultravnc\winvnc.exe' -install
- '%ProgramFiles%\uvnc bvba\ultravnc\winvnc.exe' -service
- '%ProgramFiles%\uvnc bvba\ultravnc\winvnc.exe' -service_run
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\8D6.tmp\8D7.bat <Full path to file>"' (with hidden window)
- '%ProgramFiles%\uvnc bvba\ultravnc\setpasswd.exe' ' (with hidden window)
- '%ProgramFiles%\uvnc bvba\ultravnc\setcad.exe' ' (with hidden window)
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5900 vnc5900' (with hidden window)
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5800 vnc5800' (with hidden window)
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%ProgramFiles%\uvnc bvba\UltraVNC\winvnc.exe" "winvnc.exe" ENABLE ALL' (with hidden window)
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%ProgramFiles%\uvnc bvba\UltraVNC\vncviewer.exe" "vncviewer.exe" ENABLE ALL' (with hidden window)
- '<SYSTEM32>\net.exe' start "uvnc_service"' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\8D6.tmp\8D7.bat <Full path to file>"
- '<SYSTEM32>\cmd.exe' /S /D /c" ver "
- '<SYSTEM32>\find.exe' "XP"
- '<SYSTEM32>\net.exe' start "uvnc_service"
- '<SYSTEM32>\net1.exe' start "uvnc_service"
