Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows System Devices Manager' = '%WINDIR%\csrss.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows System Devices Manager' = '%WINDIR%\csrss.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows System Devices Manager' = '%WINDIR%\csrss.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '%WINDIR%\csrss.exe:*:Enabled:Windows System Devices Manager'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:Windows System Devices Manager'
Creates and executes the following:
- %WINDIR%\csrss.exe
Executes the following:
- <SYSTEM32>\sc.exe config MsMpSvc start= disabled
- <SYSTEM32>\sc.exe config wuauserv start= disabled
- <SYSTEM32>\net1.exe stop MsMpSvc
- <SYSTEM32>\net1.exe stop wuauserv
- %WINDIR%\explorer.exe http://br#####sers.myspace.com/Browse/Browse.aspx
- <SYSTEM32>\netsh.exe firewall add allowedprogram 1.exe 1 ENABLE
- <SYSTEM32>\net.exe stop MsMpSvc
- <SYSTEM32>\net.exe stop wuauserv
Searches for windows to
detect programs and games:
- ClassName: 'MSNHiddenWindowClass' WindowName: ''
- ClassName: '_Oscar_StatusNotify' WindowName: ''
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\Browse[1].aspx
- %WINDIR%\csrss.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\csrss.exe
- <Full path to virus>
Network activity:
Connects to:
- '24#.#56.38.242':2866
- '85.##0.147.53':2866
- 'localhost':1038
- 'br#####sers.myspace.com':80
TCP:
HTTP GET requests:
- br#####sers.myspace.com/Browse/Browse.aspx
UDP:
- DNS ASK sc####service.com
- DNS ASK ma#.###gosbakugan.net
- DNS ASK er####rlounge.de
- DNS ASK he####ger.x-y.net
- DNS ASK ol#.###gjuyt2tugas.com
- DNS ASK xx#.#agdcom.de
- DNS ASK tr###dvisor.com
- DNS ASK ol#.###temofadown.com
- DNS ASK ma#.#time.com
- DNS ASK ma#.#osbank.com
- DNS ASK al#####shistory.info
- DNS ASK ma#.#guia.cl
- DNS ASK pr#.##ndmines.org
- DNS ASK ma#.##ivie.ac.at
- DNS ASK ma#.##lamontada.com
- DNS ASK be##.neogen.ro
- DNS ASK mi#.###naturistclub.com
- DNS ASK ep#.##nmablog.jp
- DNS ASK mi#.###ce-erotske.in.rs
- DNS ASK op#.####andathletics.com
- DNS ASK so####mpton.ac.uk
- DNS ASK jb.#sm.org
- DNS ASK op#.##nin.irf.se
- DNS ASK uk#.##nkedin.com
- DNS ASK sc####idyscrubs.com
- DNS ASK st###ntime.info
- DNS ASK ma#.#730ip.com
- DNS ASK tr####ationale.org
- DNS ASK at#.##coctelera.net
- DNS ASK in####highered.com
- DNS ASK www.sh###man.com
- DNS ASK al#.##kibili.com
- DNS ASK as###.ic.ac.uk
- DNS ASK br#####sers.myspace.com
- DNS ASK jo######faccountancy.com
- DNS ASK ve###tek.com
- DNS ASK fi###.jebac.net
- DNS ASK jo####ls.lww.com
- DNS ASK de#####mccloskey.org
- DNS ASK mc##.#vengine.com
- DNS ASK ma#.##chivum.info
- DNS ASK mi####astpost.org
- DNS ASK fi###.#abuka1234.com
- DNS ASK su#####uni-sw.eesp.ch
- DNS ASK qu#.51.com
- DNS ASK we#####trafficspy.com
- DNS ASK un###fed.com
- DNS ASK xx#.##opklatka.pl
- DNS ASK sh###tyle.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Address Band Root' WindowName: ''
- ClassName: 'msctls_statusbar32' WindowName: ''
- ClassName: 'ReBarWindow32' WindowName: ''
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'WorkerW' WindowName: ''
- ClassName: 'TskMultiChatForm.UnicodeClass' WindowName: ''
- ClassName: 'Message Session' WindowName: ''
- ClassName: '__oxFrame.class__' WindowName: ''
- ClassName: 'ComboBoxEx32' WindowName: ''
- ClassName: 'ComboBox' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'TabWindowClass' WindowName: ''
- ClassName: 'Shell DocObject View' WindowName: ''
- ClassName: 'Frame Tab' WindowName: ''
- ClassName: 'HTMLSOURCEVIEW' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
