Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\nsf3.tmp\SoHuVA_4.2.0.0-c204900009-ng-s-run-x.exe'
- '%TEMP%\nsf3.tmp\kuping_s_51022.exe'
- '%TEMP%\nsf3.tmp\pipi_dae_274.exe'
- '%TEMP%\nsf3.tmp\pczh_155.exe'
- '%TEMP%\nsf3.tmp\setup_t10110.exe'
- '%TEMP%\nsf3.tmp\shenmatv_dae_300.exe'
- '%TEMP%\nsf3.tmp\setup_3155.exe'
- '%TEMP%\nsf3.tmp\setup_open_4127.exe'
- '%TEMP%\nsf3.tmp\92046_al.exe'
- '%TEMP%\nsf3.tmp\setups30112.exe'
- '%TEMP%\nsf3.tmp\setup_qd206.exe'
- '%TEMP%\nsf3.tmp\mx_4zengjie.exe'
- '%TEMP%\nsf3.tmp\vmmc_70208.exe'
- '%TEMP%\nsf3.tmp\setup1146568.exe'
- '%TEMP%\nsf3.tmp\vxdpwbw_30071.exe'
- '%TEMP%\nsf3.tmp\dianxin_silent[108].exe'
- '%TEMP%\nsf3.tmp\pczh_155.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\mx_4zengjie.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\setup_t10110.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\dianxin_silent[108].exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\shenmatv_dae_300.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\setup_3155.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\vmmc_70208.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\setup1146568.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\setup_qd206.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\vxdpwbw_30071.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\setups30112.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\setup_open_4127.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\92046_al.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\kuping_s_51022.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\pipi_dae_274.exe' (downloaded from the Internet)
- '%TEMP%\nsf3.tmp\SoHuVA_4.2.0.0-c204900009-ng-s-run-x.exe' (downloaded from the Internet)
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\wuji[1].gif
- %TEMP%\nsf3.tmp\kuping_s_51022.exe
- %TEMP%\nsf3.tmp\setup_open_4127.exe
- %TEMP%\nsf3.tmp\92046_al.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ailiao[1].gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\kuping[1].gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\pipi_dae_274[1].txt
- %TEMP%\nsf3.tmp\setup1146568.exe
- %TEMP%\nsf3.tmp\pipi_dae_274.exe
- %TEMP%\nsf3.tmp\SoHuVA_4.2.0.0-c204900009-ng-s-run-x.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\SoHuVA_4.0.0.73-c204900009-ng-s-run-x[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\yinyue[1].gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\dianxin[1].gif
- %TEMP%\nsf3.tmp\pczh_155.exe
- %TEMP%\nsf3.tmp\dianxin_silent[108].exe
- %TEMP%\nsf3.tmp\mx_4zengjie.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mx_4zengjie[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\zhihui[1].gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\shenma[1].gif
- %TEMP%\nsf3.tmp\setup_3155.exe
- %TEMP%\nsf3.tmp\shenmatv_dae_300.exe
- %TEMP%\nsf3.tmp\setup_t10110.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\xiaoxin[1].gif
- %HOMEPATH%\Start Menu\Programs\FFµзУ°\FFµзУ°.lnk
- %PROGRAM_FILES%\FFµзУ°\play.exe
- %HOMEPATH%\Desktop\FFµзУ°.lnk
- %PROGRAM_FILES%\FFµзУ°\uninst.exe
- %HOMEPATH%\Start Menu\Programs\FFµзУ°\Uninstall.lnk
- %TEMP%\nsf3.tmp\FindProcDLL.dll
- %TEMP%\nsf3.tmp\inetc.dll
- %TEMP%\nsf2.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\fip[1].php
- <Current directory>\nsa4.tmp
- <Current directory>\back.htm
- %TEMP%\nsf3.tmp\System.dll
- %TEMP%\nsf3.tmp\setup_qd206.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\setup_qd206[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\baiduweishi[1].gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ruixing[1].gif
- %TEMP%\nsf3.tmp\vmmc_70208.exe
- %TEMP%\nsf3.tmp\setups30112.exe
- %PROGRAM_FILES%\FFµзУ°\back.htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ff[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\baidushadu[1].gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\gongju[1].gif
- %TEMP%\nsf3.tmp\vxdpwbw_30071.exe
Deletes the following files:
- <Current directory>\nsa4.tmp
Network activity:
Connects to:
- 'dl.#ipi.cn':80
- 'd.##dtw.com':80
- 'mk.##xthon.cn':80
- 'do##.guangsu.cn':80
- 'fp.##zsjt.com':80
- 'yu##.yyjdpm.net':80
- 'sh####.yyjdpm.net':80
TCP:
HTTP GET requests:
- sh####.yyjdpm.net/yinyue.gif
- sh####.yyjdpm.net/shenma.gif
- sh####.yyjdpm.net/wuji.gif
- sh####.yyjdpm.net/ailiao.gif
- sh####.yyjdpm.net/dianxin.gif
- mk.##xthon.cn/max4/zxr/mx_4zengjie.txt
- sh####.yyjdpm.net/xiaoxin.gif
- sh####.yyjdpm.net/zhihui.gif
- sh####.yyjdpm.net/kuping.gif
- sh####.yyjdpm.net/gongju.gif
- do##.guangsu.cn/qdn/setup_qd206.txt
- fp.##zsjt.com/fip.php
- sh####.yyjdpm.net/baidushadu.gif
- dl.#ipi.cn/pipi_dae_274.txt
- d.##dtw.com/exe/SoHuVA_4.0.0.73-c204900009-ng-s-run-x.txt
- sh####.yyjdpm.net/baiduweishi.gif
- sh####.yyjdpm.net/ruixing.gif
HTTP POST requests:
- yu##.yyjdpm.net/ff.php
UDP:
- DNS ASK dl.#ipi.cn
- DNS ASK d.##dtw.com
- DNS ASK mk.##xthon.cn
- DNS ASK do##.guangsu.cn
- DNS ASK fp.##zsjt.com
- DNS ASK yu##.yyjdpm.net
- DNS ASK sh####.yyjdpm.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
