Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%WINDIR%\svchost.exe'
- [HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'System' = '%WINDIR%\svchost.exe'
- [HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '%WINDIR%\SysWOW64\userinit.exe,%WINDIR%\SysWOW64\windll.exe'
Modifies file system
Creates the following files
- <Current directory>\patchhack.exe
- %TEMP%\mmbplayer\loginph.dll
- %TEMP%\mmbplayer\loginkg.dll
- %TEMP%\mmbplayer\localph.dll
- %TEMP%\mmbplayer\localkg.dll
- %TEMP%\mmbplayer\kg.dll
- %TEMP%\mmbplayer\fwph.dll
- %TEMP%\mmbplayer\fwkg.dll
- %TEMP%\mmbplayer\chathack.exe
- %TEMP%\mmbplayer\huongdancfvn.txt
- %TEMP%\mmbplayer\thoatcfvn.exe
- %TEMP%\mmbplayer\hackcfvn.exe
- %WINDIR%\syswow64\windll.exe
- %WINDIR%\svchost.exe
- %TEMP%\mznfdxf
- %TEMP%\aut6c3a.tmp
- %TEMP%\gweizop
- %TEMP%\aut691e.tmp
- <Current directory>\modxcfvn.exe
- <Current directory>\fixcf.exe
- %TEMP%\mmbplayer\ph.dll
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012025013020250131\index.dat
Deletes the following files
- %TEMP%\aut691e.tmp
- %TEMP%\gweizop
- %TEMP%\aut6c3a.tmp
- %TEMP%\mznfdxf
Network activity
Connects to
- 'cf##.net':80
- 'cf##.net':443
TCP
HTTP GET requests
- http://www.cf##.net/passbyking
- http://www.cf##.net/lander
Other
- 'cf##.net':443
UDP
- DNS ASK bo#.#nhheo.com
- DNS ASK cf##.net
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '<Current directory>\patchhack.exe'
- '<Current directory>\fixcf.exe'
- '<Current directory>\modxcfvn.exe'
Executes the following
- '<Current directory>\fixcf.exe' ' (with hidden window)
