Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Counter' = '"%PROGRAM_FILES%\Counter\Counter.exe"'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' = '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer'
Creates and executes the following:
- '%TEMP%\SETUP.exe'
- '%TEMP%\1231.exe'
- '%PROGRAM_FILES%\Counter\counter.exe'
- '%PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe'
- '%TEMP%\taskmgr.exe'
- '%TEMP%\10085.exe'
- '<Current directory>\cdd\readme.exe'
- '%TEMP%\ad7287.exe'
- '%TEMP%\msn055.exe'
Executes the following:
- '<SYSTEM32>\cmd.exe' /c %TEMP%\tmp93.bat
- '<SYSTEM32>\cmd.exe' /c %TEMP%\tmp.bat
- '<SYSTEM32>\regsvr32.exe' /s "%CommonProgramFiles%\CPUSH\cpush.dll"
Modifies file system :
Creates the following files:
- %TEMP%\nsg11.tmp
- %TEMP%\nsw12.tmp\System.dll
- %TEMP%\nsrF.tmp\System.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\_inimac
- %TEMP%\nsb15.tmp\System.dll
- %TEMP%\nsm17.tmp
- %TEMP%\tmp.bat
- %TEMP%\nsg14.tmp
- %TEMP%\nsuC.tmp\System.dll
- %ALLUSERSPROFILE%\Start Menu\Programs\јЖЛгЖч\јЖЛгЖч.lnk
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~З§ДкИэVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~БъЖпКїVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %TEMP%\nsg7.tmp\Senddata.dll
- %TEMP%\nshE.tmp
- %ALLUSERSPROFILE%\Start Menu\Programs\јЖЛгЖч\јЖЛгЖчР¶ФШ.lnk
- %PROGRAM_FILES%\Microsoft Office\SYSTEM\30.exe
- %TEMP%\nsc18.tmp\System.dll
- %TEMP%\nsc24.tmp\System.dll
- %TEMP%\tmp93.bat
- %TEMP%\nsp21.tmp\System.dll
- %TEMP%\nsc23.tmp
- %TEMP%\nsi29.tmp
- %TEMP%\nsj2A.tmp\System.dll
- %TEMP%\nsp26.tmp
- %TEMP%\nsv27.tmp\System.dll
- <SYSTEM32>\Com\1.1.6\WndHook.dll
- <SYSTEM32>\Com\Config.cfg
- %TEMP%\nsn1A.tmp
- %TEMP%\nsi1B.tmp\System.dll
- %TEMP%\nsx1E.tmp\System.dll
- %TEMP%\nsp20.tmp
- <SYSTEM32>\comarshal.dat
- %TEMP%\nsb1D.tmp
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~ІФМмVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %TEMP%\taskmgr.exe
- %TEMP%\1231.exe
- %TEMP%\msn055.exe
- %TEMP%\ad7287.exe
- %PROGRAM_FILES%\Counter\EULA.txt
- %PROGRAM_FILES%\Counter\HtmlPeek.dll
- %TEMP%\nsq4.tmp
- %TEMP%\nsv5.tmp\System.dll
- <Current directory>\cdd\CS_007.exe
- <Current directory>\cdd\default.cfg
- <Current directory>\cdd\007.dll
- <Current directory>\cdd\cdhack.cfg
- %TEMP%\nsu2.tmp
- %TEMP%\10085.exe
- <Current directory>\cdd\readme.exe
- <Current directory>\cdd\新建 文本文档.txt
- %TEMP%\SETUP.exe
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~ІКєзµєVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~РВУўРЫДкґъVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~ИИСЄґ«ЖжVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~ГО»Г№ъ¶ИVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~БъЙсґ«ЛµVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~µПКїДбVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~·иїсИьіµVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~ИИСЄУўєАVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %TEMP%\nsi9.tmp
- %CommonProgramFiles%\CPUSH\Uninst.exe
- %PROGRAM_FILES%\Counter\counter.exe
- %PROGRAM_FILES%\Counter\uninstall.exe
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~QQёцРФ-QQїХјдґъВл-QQЗ©ГыЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %HOMEPATH%\Favorites\ЁxЁyЁzЁ{ЁЁ}Ё~ґ«ЖжКАЅзVIPХКєЕЧўІбТіГжЁ~Ё}ЁЁ{ЁzЁyЁx.url
- %CommonProgramFiles%\CPUSH\cpush.dll
- %HOMEPATH%\Favorites\¦а¦а¦аТЅС§№Еј®Ў¶ТЅЧЪЅрјшЎ·ФЪПЯФД¶Б¦а¦а¦а.url
Deletes the following files:
- %TEMP%\nsi1B.tmp\System.dll
- %TEMP%\nsx1E.tmp\System.dll
- %TEMP%\nsg7.tmp\Senddata.dll
- %PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe
- %TEMP%\nsv27.tmp\System.dll
- %TEMP%\nsj2A.tmp\System.dll
- %TEMP%\nsp21.tmp\System.dll
- %TEMP%\nsc24.tmp\System.dll
- %TEMP%\nsrF.tmp\System.dll
- %TEMP%\SETUP.exe
- %TEMP%\nsuC.tmp\System.dll
- %TEMP%\nsv5.tmp\System.dll
- %TEMP%\nsb15.tmp\System.dll
- %TEMP%\nsc18.tmp\System.dll
- %TEMP%\nsw12.tmp\System.dll
- %TEMP%\tmp.bat
Moves the following files:
- from %PROGRAM_FILES%\Microsoft Office\SYSTEM\30.exe to %PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe
Network activity:
Connects to:
- 'localhost':1042
- 'localhost':1043
- 'localhost':1036
- 'www.1c#t.cn':80
TCP:
HTTP POST requests:
- www.1c#t.cn/in.php
UDP:
- DNS ASK up####.cpushpop.com
- DNS ASK www.qq##sqq.com
- DNS ASK r.###ntech.com
- DNS ASK pu##.#pushpop.com
- DNS ASK www.1c#t.cn
- DNS ASK ms#.#lone.cn
- DNS ASK lo####.51edm.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'IEFrame' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'
