Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows System Controler' = '%WINDIR%\smss.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows System Controler' = '%WINDIR%\smss.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows System Controler' = '%WINDIR%\smss.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '%WINDIR%\smss.exe:*:Enabled:Windows System Controler'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:Windows System Controler'
Creates and executes the following:
- %WINDIR%\smss.exe
Executes the following:
- %WINDIR%\explorer.exe http://br#####sers.myspace.com/Browse/Browse.aspx
- <SYSTEM32>\netsh.exe firewall add allowedprogram 1.exe 1 ENABLE
Terminates or attempts to terminate
the following user processes:
- AVP.EXE
- ekrn.exe
Searches for windows to
detect programs and games:
- ClassName: 'MSNHiddenWindowClass' WindowName: ''
- ClassName: '_Oscar_StatusNotify' WindowName: ''
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Browse[1].aspx
- %WINDIR%\smss.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\smss.exe
- <Full path to virus>
Network activity:
Connects to:
- 'br#####sers.myspace.com':80
- '23#.#60.147.53':5050
- 'localhost':1038
- '24#.#56.38.241':5050
TCP:
HTTP GET requests:
- br#####sers.myspace.com/Browse/Browse.aspx
UDP:
- DNS ASK we#####trafficspy.com
- DNS ASK ol#.###gjuyt2tugas.com
- DNS ASK ve###tek.com
- DNS ASK go###eads.com
- DNS ASK mc##.#vengine.com
- DNS ASK in####highered.com
- DNS ASK ma#.#730ip.com
- DNS ASK as###.ic.ac.uk
- DNS ASK qu#.51.com
- DNS ASK www.sh###man.com
- DNS ASK mm#.###balatrust.org
- DNS ASK sh###tyle.com
- DNS ASK ma#.##lamontada.com
- DNS ASK ol#.#ouku.com
- DNS ASK mi#.###naturistclub.com
- DNS ASK sc####idyscrubs.com
- DNS ASK ma#.#osbank.com
- DNS ASK ma#.##chivum.info
- DNS ASK pr#.##ndmines.org
- DNS ASK ma#.#time.com
- DNS ASK tr####ationale.org
- DNS ASK re#####-action.org.uk
- DNS ASK tr###dvisor.com
- DNS ASK ma#.###gosbakugan.net
- DNS ASK er####rlounge.de
- DNS ASK mi####astpost.org
- DNS ASK ma#.#guia.cl
- DNS ASK op#.##nin.irf.se
- DNS ASK st###ntime.info
- DNS ASK jo####ls.lww.com
- DNS ASK ma#.##ivie.ac.at
- DNS ASK de#####mccloskey.org
- DNS ASK xx#.##opklatka.pl
- DNS ASK jo######faccountancy.com
- DNS ASK m.###chdns.org
- DNS ASK uk#.##nkedin.com
- DNS ASK pr#.aps.org
- DNS ASK un###fed.com
- DNS ASK br#####sers.myspace.com
- DNS ASK at#.##coctelera.net
- DNS ASK ol#.###temofadown.com
- DNS ASK al#.##kibili.com
- DNS ASK op#.####andathletics.com
- DNS ASK xx#.#agdcom.de
- DNS ASK mi#.###ce-erotske.in.rs
- DNS ASK su#####uni-sw.eesp.ch
- DNS ASK hr#.uh.edu
- DNS ASK al#####shistory.info
- DNS ASK so####mpton.ac.uk
- DNS ASK he####ger.x-y.net
- DNS ASK jb.#sm.org
- DNS ASK ep#.##nmablog.jp
- DNS ASK sc####service.com
- DNS ASK be##.neogen.ro
Miscellaneous:
Searches for the following windows:
- ClassName: 'Message Session' WindowName: ''
- ClassName: 'TskMultiChatForm.UnicodeClass' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '__oxFrame.class__' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
