Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'PrintChaser' = '%ProgramFiles%\PrintChaser\PCLoginAgent.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'PcAgent' = '%ProgramFiles%\PrintChaser\proxtrac.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] '{2A2DD81F-FC0C-44FD-BC58-E95F742CF97A}' = 'PCShl'
Substitutes the following executable system files:
- <SYSTEM32>\gdiplus.dll with <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\GdiPlus.dll
Malicious functions:
Executes the following:
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\PrintChaser\Pcshl.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\PrintChaser\WsDsCtrl.dll"
- '%ProgramFiles%\PrintChaser\PCLoginAgent.exe'
- '%ProgramFiles%\PrintChaser\Proxtrac.exe'
- '%ProgramFiles%\PrintChaser\FontsAdd.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\WwHttpUtil.dll
- %ProgramFiles%\PrintChaser\WwHttpUtil.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\Qrmaker.ocx
- %ProgramFiles%\PrintChaser\Qrmaker.ocx
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\ps.dat
- %ProgramFiles%\PrintChaser\ps.dat
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\verinfo.ini
- %ProgramFiles%\PrintChaser\verinfo.ini
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\commagent.dll
- %ProgramFiles%\PrintChaser\commagent.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\AgentBridge.dll
- %ProgramFiles%\PrintChaser\AgentBridge.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\Pcshl.dll
- %ProgramFiles%\PrintChaser\Pcshl.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcInterface.dll
- %ProgramFiles%\PrintChaser\PcInterface.dll
- %APPDATA%\Microsoft\Pcdata\ps.dat
- %ALLUSERSPROFILE%\Start Menu\Programs\PrintAgent\Б¤ГҐ ѕчµҐАМЖ®.lnk
- %ProgramFiles%\PrintChaser\PcUninst.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\prshelp.exe
- <SYSTEM32>\prshelp.exe
- %TEMP%\nst4.tmp\FontName.dll
- %TEMP%\nst4.tmp\System.dll
- C:\3of9_new.ttf
- %WINDIR%\Fonts\3of9_new.ttf
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pc_product.png
- <SYSTEM32>\pc_product.png
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pc_company.png
- <SYSTEM32>\pc_company.png
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcStartUn.exe
- <SYSTEM32>\PcStartUn.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcInstAd.exe
- <SYSTEM32>\PcInstAd.exe
- %ProgramFiles%\PrintChaser\IEPrsuper.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\MakeQRCode.dll
- %ProgramFiles%\PrintChaser\FontsAdd.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\IEPrsuper.dll
- %ProgramFiles%\PrintChaser\PcHpLogin.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcHwpObject.dll
- %ProgramFiles%\PrintChaser\MakeQRCode.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcHpLogin.dll
- %TEMP%\nsb2.tmp\Input_LC.ini
- %TEMP%\nsb2.tmp\GetPcLicense.vbs
- %TEMP%\nsb2.tmp\System.dll
- %TEMP%\nsb2.tmp\WwNisPlug.dll
- %ProgramFiles%\PrintChaser\druver.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\FontsAdd.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\GdiPlus.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\druver.dll
- %ProgramFiles%\PrintChaser\PcHwpObject.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\Proxtrac.exe
- %ProgramFiles%\PrintChaser\Proxtrac.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PrintDoc.exe
- %ProgramFiles%\PrintChaser\PrintDoc.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\WsDsCtrl.dll
- %ProgramFiles%\PrintChaser\WsDsCtrl.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\WHtmlParser.dll
- %ProgramFiles%\PrintChaser\WHtmlParser.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PCLoginClient.dll
- %ProgramFiles%\PrintChaser\PCLoginClient.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PCLoginAgent.exe
- %ProgramFiles%\PrintChaser\PCLoginAgent.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pcsw.dll
- %ProgramFiles%\PrintChaser\pcsw.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pcsg.dll
- %ProgramFiles%\PrintChaser\pcsg.dll
Deletes the following files:
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\ps.dat
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\prshelp.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\verinfo.ini
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\Qrmaker.ocx
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pc_product.png
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pc_company.png
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\Proxtrac.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PrintDoc.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\WHtmlParser.dll
- %TEMP%\nsb2.tmp\WwNisPlug.dll
- %TEMP%\nsb2.tmp\System.dll
- %TEMP%\nst4.tmp\System.dll
- %TEMP%\nst4.tmp\FontName.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\WwHttpUtil.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\WsDsCtrl.dll
- %TEMP%\nsb2.tmp\Input_LC.ini
- %TEMP%\nsb2.tmp\GetPcLicense.vbs
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\IEPrsuper.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\GdiPlus.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcHpLogin.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\MakeQRCode.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\commagent.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\AgentBridge.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\FontsAdd.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\druver.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcHwpObject.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\Pcshl.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pcsg.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\pcsw.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcStartUn.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcInterface.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PcInstAd.exe
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PCLoginClient.dll
- <SYSTEM32>\WWISM_TMP\IN_TMP\{DFF3D2B9-C161-4486-B656-FB2E4204594D}\PCLoginAgent.exe
Network activity:
Connects to:
- 'mp####-c.lge.com':443
UDP:
- DNS ASK mp####-c.lge.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'PCAGENT_4828539'
- ClassName: '' WindowName: 'PCLoginAgent'
- ClassName: 'Shell_TrayWnd' WindowName: ''
