Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /r "Authenticated Users"
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /r "%USERNAME%
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /r "Power Users"
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /r %USERNAME%s
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /G Everyone:r
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /G Everyone:r
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /r "Power Users"
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /r %USERNAME%s
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /r Users
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\在线小游戏.lnk" /e /c /r System
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /r System
- <SYSTEM32>\cacls.exe "%PROGRAM_FILES%\tb.ico" /e /c /r System
- <SYSTEM32>\cacls.exe "%PROGRAM_FILES%\tb.ico" /e /c /r %USERNAME%s
- <SYSTEM32>\cacls.exe "%PROGRAM_FILES%\tb.ico" /e /c /r Users
- <SYSTEM32>\cacls.exe "%PROGRAM_FILES%\tb.ico" /e /c /r "Authenticated Users"
- <SYSTEM32>\cacls.exe "%PROGRAM_FILES%\tb.ico" /e /c /r "%USERNAME%
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /r "%USERNAME%
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /r Users
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /r "Authenticated Users"
- <SYSTEM32>\cacls.exe "%PROGRAM_FILES%\tb.ico" /e /c /G Everyone:r
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\淘宝购物.lnk" /e /c /r "Power Users"
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /r "Authenticated Users"
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /r "%USERNAME%
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /r "Power Users"
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /r %USERNAME%s
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /G Everyone:r
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /G Everyone:r
- <SYSTEM32>\ipconfig.exe /all
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /r %USERNAME%s
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /r Users
- <SYSTEM32>\cacls.exe "%HOMEPATH%\Desktop\Intrenet Explorer.lnk" /e /c /r System
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /r System
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /r System
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /r %USERNAME%s
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /r Users
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /r "Authenticated Users"
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /r "%USERNAME%
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /r "%USERNAME%
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /r Users
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /r "Authenticated Users"
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\我的上网主页.lnk" /e /c /G Everyone:r
- <SYSTEM32>\cacls.exe "%ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk" /e /c /r "Power Users"
Hides the following processes:
- <SYSTEM32>\cacls.exe
Modifies file system :
Creates the following files:
- %ALLUSERSPROFILE%\Start Menu\iiieee.lnk
- %WINDIR%\Temp\2012.tmp
- %PROGRAM_FILES%\tb.ico
Sets the 'hidden' attribute to the following files:
- %ALLUSERSPROFILE%\Desktop\Intrenet Explorer.lnk
- %PROGRAM_FILES%\tb.ico
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
