Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\KuGoo.KFS\Shell\Open\Command] '' = '"%PROGRAM_FILES%\KuGou\KuGou2011\KuGoo.exe" /ApplySkin "%1"'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\KuGoo] 'CLSID' = '{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC}'
- [<HKLM>\SOFTWARE\Classes\PROTOCOLS\Handler\KuGoo3] 'CLSID' = '{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC}'
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\KuGou\KuGou2011\KuGoo.exe' RegFileType
- '%PROGRAM_FILES%\KuGou\KuGou2011\KuGoo.exe' Import
- '%TEMP%\is-EQB51.tmp\<Virus name>.tmp' /SL5="$30130,8508496,334336,<Full path to virus>"
Executes the following:
- '<SYSTEM32>\regsvr32.exe' /s "<SYSTEM32>\KuGoo3DownXControl.ocx"
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-7T0P9.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-4OK22.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-H15MM.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-D3PTI.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-QSH5A.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-LU07I.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\Skins\Subject\is-M84NO.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-EGQ9N.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-PM64V.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-5K53N.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-U2FA0.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-MB5J6.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-JBNLT.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\DSPPlugins\is-68DFK.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-OPGQH.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-IJ1DB.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-AC4B4.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-Q3UGQ.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\ver.ini
- %PROGRAM_FILES%\KuGou\KuGou2011\Install.ini
- %PROGRAM_FILES%\KuGou\KuGou2011\unins000.dat
- %PROGRAM_FILES%\KuGou\KuGou2011\config.ini
- %PROGRAM_FILES%\KuGou\KuGou2011\LastStatus.dat
- \Device\Mup\BVNSEUHJ*\MAILSLOT\NET\NETLOGON
- %PROGRAM_FILES%\KuGou\KuGou2011\KuGoo.xml
- %PROGRAM_FILES%\KuGou\KuGou2011\KGData.db-journal
- %PROGRAM_FILES%\KuGou\KuGou2011\KGData.db
- %PROGRAM_FILES%\KuGou\KuGou2011\is-ITMRI.tmp
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\їб№·ТфАЦ\їб№·ТфАЦ2011\їб№·ТфАЦ2011.lnk
- %PROGRAM_FILES%\KuGou\KuGou2011\is-GLDP0.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-NKVGC.tmp
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\їб№·ТфАЦ\їб№·ТфАЦ2011\Р¶ФШїб№·ТфАЦ2011.lnk
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\їб№·ТфАЦ2011.lnk
- %APPDATA%\Roaming\Microsoft\Internet Explorer\Quick Launch\їб№·ТфАЦ2011.lnk
- %HOMEPATH%\Desktop\їб№·ТфАЦ2011.lnk
- C:\ProgramData\Microsoft\Windows\Start Menu\їб№·ТфАЦ2011.lnk
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-ELMST.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-19BQS.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-L4TKS.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-P14KH.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-ICSBH.tmp
- <SYSTEM32>\is-D5KP3.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-Q38F0.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-OOPMN.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-H66PF.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-UD0JG.tmp
- %TEMP%\is-77VJ6.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-77VJ6.tmp\isx.dll
- %TEMP%\is-EQB51.tmp\<Virus name>.tmp
- %TEMP%\is-77VJ6.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-77VJ6.tmp\Title.bmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-1N1JT.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-QBC2V.tmp
- %TEMP%\is-77VJ6.tmp\Highlight.txt
- %TEMP%\is-77VJ6.tmp\WhatsNew.txt
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-RN3R3.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-QTDVE.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\HotImages\is-NQNON.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-T2G63.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-BSFTD.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-FJCU8.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-A4NQG.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-55DSG.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-B7H68.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-8AEG2.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-45L72.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-3A9KF.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-IU1TH.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-A25TA.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-0LF7V.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-THR8N.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-J2CSM.tmp
- %PROGRAM_FILES%\KuGou\KuGou2011\is-1JPAR.tmp
Deletes the following files:
- %TEMP%\is-77VJ6.tmp\WhatsNew.txt
- %TEMP%\is-77VJ6.tmp\Title.bmp
- %TEMP%\is-77VJ6.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-EQB51.tmp\<Virus name>.tmp
- %TEMP%\is-77VJ6.tmp\_isetup\_shfoldr.dll
- %PROGRAM_FILES%\KuGou\KuGou2011\KGData.db-journal
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\їб№·ТфАЦ2011.lnk
- %PROGRAM_FILES%\KuGou\KuGou2011\LastStatus.dat
- %TEMP%\is-77VJ6.tmp\isx.dll
- %TEMP%\is-77VJ6.tmp\Highlight.txt
Moves the following files:
- from %PROGRAM_FILES%\KuGou\KuGou2011\DSPPlugins\is-68DFK.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\DSPPlugins\dsp_DEE.DLL
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-U2FA0.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_mpc.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-5K53N.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_rm.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-OPGQH.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20100628194735144.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-Q3UGQ.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20100628191540898.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-AC4B4.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\KGData.db
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-A4NQG.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_flac.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-FJCU8.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_dmo.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-B7H68.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_asf.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-JBNLT.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_ogg.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-MB5J6.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_mp4.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-ELMST.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_lame.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-IJ1DB.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20101103165555266.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\Skins\Subject\is-M84NO.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\Skins\Subject\Template.skn
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-LU07I.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\MPCVideoDec.ax
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-PM64V.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110323175900176.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-ITMRI.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\RunGame.exe
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-NKVGC.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\KuGouMusic.ico
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-GLDP0.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\isx.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-7T0P9.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110228174604197.gif
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-D3PTI.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110224102604698.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-H15MM.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110221134045686.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-EGQ9N.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110311153319553.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-QSH5A.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110311152925448.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\is-4OK22.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AddIns\20110311152311829.png
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-55DSG.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_ape.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-UD0JG.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\login.wav
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-H66PF.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\Perfect.SVC
- from <SYSTEM32>\is-D5KP3.tmp to <SYSTEM32>\KuGoo3DownXControl.ocx
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-3A9KF.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AppStore.ini
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-OOPMN.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\optionv5.inicfg
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-Q38F0.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\optionv5.ini
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-P14KH.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\MobileAssist.exe
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-QBC2V.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\KuGoo.exe
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-1N1JT.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\unins000.exe
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-L4TKS.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\KuGoo3DownXControl.ocx
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-19BQS.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\SkinRes.skn
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-ICSBH.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\KGPlayer.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-IU1TH.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AppStore.inicfg
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-T2G63.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_aac.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\HotImages\is-NQNON.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\HotImages\kugou2010.jpg
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-THR8N.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\KGDaemon.exe
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-BSFTD.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_aiff.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-QTDVE.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_adpcm.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\is-RN3R3.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\AudioPlugins\kg_ac3dts.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-A25TA.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\TopSinger.bin
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-45L72.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\SingerList.bin
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-8AEG2.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\SingerRes.zip
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-0LF7V.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\msdmo.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-1JPAR.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\wmadmod.dll
- from %PROGRAM_FILES%\KuGou\KuGou2011\is-J2CSM.tmp to %PROGRAM_FILES%\KuGou\KuGou2011\CrashReporter.exe
Network activity:
UDP:
- DNS ASK so####at.kugou.com
- DNS ASK dn#.##ftncsi.com
- DNS ASK in####l.kugou.com
- DNS ASK my####ne.kugou.com
- DNS ASK op#.#ugou.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
