Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\QuickDownload Service] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\QuickDownload Agent] 'Start' = '00000002'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe' = '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe:*:Enabled:QuickDownloadSvc'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe' = '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe:*:Enabled:QuickDownloadService'
Creates and executes the following:
- '%PROGRAM_FILES%\QuickDownloadService\sc.exe' DELETE "QuickDownload Service"
- '%PROGRAM_FILES%\QuickDownloadService\sc.exe' DELETE "QuickDownload Agent"
- '%PROGRAM_FILES%\QuickDownloadService\sc.exe' DELETE "QuickDownload Update"
- '%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe'
- '%PROGRAM_FILES%\QuickDownloadService\qdownagent.exe'
- '%PROGRAM_FILES%\QuickDownloadService\sc.exe' STOP "QuickDownload Update"
- '%PROGRAM_FILES%\QuickDownloadService\ElevationWrap.exe'
- '%TEMP%\is-T8I09.tmp\<Virus name>.tmp' /SL5="$30092,217115,53248,<Full path to virus>"
- '%PROGRAM_FILES%\QuickDownloadService\StopMegaService.exe'
- '%PROGRAM_FILES%\QuickDownloadService\sc.exe' STOP "QuickDownload Service"
- '%PROGRAM_FILES%\QuickDownloadService\sc.exe' STOP "QuickDownload Agent"
Executes the following:
- '<SYSTEM32>\sc.exe' FAILURE "QuickDownload Agent" reset= 180 actions= "restart/180000/restart/180000/restart/180000"
- '<SYSTEM32>\sc.exe' start "QuickDownload Service"
- '<SYSTEM32>\sc.exe' FAILURE "QuickDownload Service" reset= 180 actions= "restart/180000/restart/180000/restart/180000"
- '<SYSTEM32>\sc.exe' description "QuickDownload Service" "ДБЕЩГч ґЩїо·ОµеЅГ ґЩїо·Оµе јУµµ Зв»уА» А§ЗС јєсЅєё¦ Б¦°шЗХґПґЩ."
- '<SYSTEM32>\sc.exe' description "QuickDownload Agent" "ДБЕЩГч ґЩїо·ОµеЅГ ґЩїо·Оµе јУµµ Зв»уА» А§ЗС јєсЅєё¦ Б¦°шЗХґПґЩ."
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%PROGRAMFILES%\QuickDownloadService\qdownservice.exe" "QuickDownloadService" ENABLE
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\QuickDownloadService\Firewall.vbs"
- '<SYSTEM32>\sc.exe' create "QuickDownload Agent" binPath= "%PROGRAM_FILES%\QuickDownloadService\qdownagent.exe" start= auto error= ignore
- '<SYSTEM32>\sc.exe' start "QuickDownload Agent"
- '<SYSTEM32>\sc.exe' create "QuickDownload Service" binPath= "%PROGRAM_FILES%\QuickDownloadService\qdownservice.exe" start= auto error= ignore
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\QuickDownloadService\conf\data3.cfg
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\maxuploadspeed[1].txt
- %PROGRAM_FILES%\QuickDownloadService\unins000.dat
- %PROGRAM_FILES%\QuickDownloadService\is-O8V6O.tmp
- %PROGRAM_FILES%\QuickDownloadService\conf\is-FVGIT.tmp
- %PROGRAM_FILES%\QuickDownloadService\conf\data2.tmp
- %PROGRAM_FILES%\QuickDownloadService\conf\data2.cfg
- %PROGRAM_FILES%\QuickDownloadService\conf\data6.tmp
- %PROGRAM_FILES%\QuickDownloadService\maxuploadspeed.txt
- %PROGRAM_FILES%\QuickDownloadService\conf\data4.cfg
- %PROGRAM_FILES%\QuickDownloadService\is-NOTT5.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-D72HK.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-T27JB.tmp
- %TEMP%\is-TMROH.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-T8I09.tmp\<Virus name>.tmp
- %TEMP%\is-TMROH.tmp\_isetup\_RegDLL.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-LM865.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-RA5E9.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-2R9UD.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-38OH3.tmp
- %PROGRAM_FILES%\QuickDownloadService\is-M0BG3.tmp
Deletes the following files:
- %TEMP%\is-T8I09.tmp\<Virus name>.tmp
- %TEMP%\is-TMROH.tmp\_isetup\_shfoldr.dll
- %PROGRAM_FILES%\QuickDownloadService\conf\data4.cfg
- %PROGRAM_FILES%\QuickDownloadService\conf\data2.tmp
- %PROGRAM_FILES%\QuickDownloadService\conf\data6.tmp
- %PROGRAM_FILES%\QuickDownloadService\StopMegaService.exe
- %PROGRAM_FILES%\QuickDownloadService\conf\data3.cfg
- %PROGRAM_FILES%\QuickDownloadService\sc.exe
- %TEMP%\is-TMROH.tmp\_isetup\_RegDLL.tmp
- %PROGRAM_FILES%\QuickDownloadService\Firewall.vbs
Moves the following files:
- from %PROGRAM_FILES%\QuickDownloadService\is-RA5E9.tmp to %PROGRAM_FILES%\QuickDownloadService\HoleAddon.dll
- from %PROGRAM_FILES%\QuickDownloadService\is-LM865.tmp to %PROGRAM_FILES%\QuickDownloadService\sc.exe
- from %PROGRAM_FILES%\QuickDownloadService\is-NOTT5.tmp to %PROGRAM_FILES%\QuickDownloadService\qdownagent.exe
- from %PROGRAM_FILES%\QuickDownloadService\conf\is-FVGIT.tmp to %PROGRAM_FILES%\QuickDownloadService\conf\Version.cfg
- from %PROGRAM_FILES%\QuickDownloadService\is-O8V6O.tmp to %PROGRAM_FILES%\QuickDownloadService\qdownservice.exe
- from %PROGRAM_FILES%\QuickDownloadService\is-T27JB.tmp to %PROGRAM_FILES%\QuickDownloadService\Firewall.vbs
- from %PROGRAM_FILES%\QuickDownloadService\is-D72HK.tmp to %PROGRAM_FILES%\QuickDownloadService\unins000.exe
- from %PROGRAM_FILES%\QuickDownloadService\is-38OH3.tmp to %PROGRAM_FILES%\QuickDownloadService\ElevationWrap.exe
- from %PROGRAM_FILES%\QuickDownloadService\is-2R9UD.tmp to %PROGRAM_FILES%\QuickDownloadService\StopMegaService.exe
- from %PROGRAM_FILES%\QuickDownloadService\is-M0BG3.tmp to %PROGRAM_FILES%\QuickDownloadService\Firewall.exe
Network activity:
Connects to:
- 'in##cdn.com':80
- 'sv##.#imesis.co.kr':30294
- 'localhost':1040
- '11#.0.0.0':30555
TCP:
HTTP GET requests:
- in##cdn.com/service/maxuploadspeed.txt
UDP:
- DNS ASK sv##.#imesis.co.kr
- DNS ASK in##cdn.com
- DNS ASK gl#.##mesys.co.kr
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
