Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'userinit' = '<SYSTEM32>\userinit.exe,%WINDIR%\apppatch\hbmdha.exe,'
Malicious functions:
Injects code into
the following system processes:
- <SYSTEM32>\cscript.exe
a large number of user processes.
Searches for windows to
bypass different anti-viruses:
- ClassName: '____AVP.Root' WindowName: ''
Modifies file system :
Creates the following files:
- %WINDIR%\AppPatch\hbmdha.exe
Moves itself:
- from <Full path to virus> to %TEMP%\1.tmp
Deletes itself.
Network activity:
Connects to:
- 'www.bing.com':80
UDP:
- DNS ASK si###yso.info
- DNS ASK bo###acy.info
- DNS ASK si###yha.info
- DNS ASK ci###oki.info
- DNS ASK si###yse.info
- DNS ASK we###oly.info
- DNS ASK no###eky.info
- DNS ASK pu###ela.info
- DNS ASK vo###ame.info
- DNS ASK ma###umi.info
- DNS ASK pu###evo.info
- DNS ASK fo###iza.info
- DNS ASK zy###uro.info
- DNS ASK ty###aqo.info
- DNS ASK xu###ixe.info
- DNS ASK qe###ivo.info
- DNS ASK ci###ota.info
- DNS ASK ci###afy.info
- DNS ASK wy###ogu.info
- DNS ASK do###uba.info
- DNS ASK qe###uvy.info
- DNS ASK bo###eko.info
- DNS ASK go###ihe.info
- DNS ASK we###ila.info
- DNS ASK vi###ami.info
- DNS ASK ke###exa.info
- DNS ASK ci###ofo.info
- DNS ASK di###uwo.info
- DNS ASK ma###utu.info
- DNS ASK di###ywy.info
- DNS ASK fo###izi.info
- DNS ASK je###enu.info
- DNS ASK pu###yly.info
- DNS ASK je###ana.info
- DNS ASK xu###ijy.info
- DNS ASK ke###eje.info
- DNS ASK tu###aqe.info
- DNS ASK vi###atu.info
- DNS ASK ma###yte.info
- DNS ASK zu###una.info
- DNS ASK fo###iby.info
- DNS ASK ga###oso.info
- DNS ASK ly###ydo.info
- DNS ASK www.bing.com
- DNS ASK ci###ifu.info
- DNS ASK bo###eci.info
- DNS ASK zu###inu.info
- DNS ASK xu###ixi.info
- DNS ASK ry###ope.info
- DNS ASK ry###apu.info
- DNS ASK si###yhi.info
- DNS ASK ha###awo.info
- DNS ASK je###exi.info
- DNS ASK na###yfu.info
- DNS ASK di###usi.info
- DNS ASK ky###yji.info
- DNS ASK qe###uqe.info
- DNS ASK ha###ose.info
- DNS ASK ly###uru.info
- DNS ASK na###yfa.info
- DNS ASK tu###avy.info
- DNS ASK ga###ohi.info
- DNS ASK ly###ydy.info
- DNS ASK ry###oga.info
- DNS ASK ha###owu.info
- '<Private IP address>':1034
