Technical Information
Malicious functions:
Creates and executes the following:
- <Current directory>\poruka.exe 3 "Auto instalacija CCleaner" "automatsko иiљжenje Windows-a"
- <Current directory>\poruka.exe 3 "Auto instalacija moda Foxit" "najbrћi i najmanji PDF reader"
- <Current directory>\poruka.exe 3 "Auto instalacija xPlorer2" "dupli explorer za Windows"
- <Current directory>\poruka.exe 3 "Auto instalacija HWInfo32" "brz pregled i 'benchmark' vaљeg hardware-a"
- <Current directory>\poruka.exe 3 "Auto instalacija Bkp2Srv 5" "zaљtita podataka, oblak i virtualni pisaи"
- <Current directory>\poruka.exe 3 "Auto instalacija moda ImgBurn" "program za snimanje CD/DVD medija"
- <Current directory>\poruka.exe 3 "Auto instalacija moda Gizmo" "program automatski optimizira rad Windows-a!"
- <Current directory>\poruka.exe 3 "Auto instalacija moda FSViewer" "preglednik slika i manja obrada slika"
- <Current directory>\poruka.exe 3 "Auto instalacija moda PhotoFiltre" "vrlo mali i brz program za obradu slika"
- <Current directory>\poruka.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\wscript.exe "%WINDIR%\$$$.vbs"
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- <Current directory>\xplorer2_18014_pakirano.exe
- <Current directory>\ccleaner_mod3.exe
- <Current directory>\Foxit431c_pakirano.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\dboxlinks[1].htm
- <Current directory>\hwinfo32_mod3.exe
- <Current directory>\bkp2srv4_mod3.exe
- <Current directory>\gizmo_pakirano.exe
- %WINDIR%\$$$.vbs
- <Current directory>\poruka.exe
- <Current directory>\FSViewer47_pakirano.exe
- <Current directory>\PhotoFiltre653_pakirano.exe
- <Current directory>\ImgBurn2570_pakirano.exe
Deletes the following files:
- <Current directory>\ccleaner_mod3.exe
- <Current directory>\Foxit431c_pakirano.exe
- <Current directory>\xplorer2_18014_pakirano.exe
- <Current directory>\hwinfo32_mod3.exe
- <Current directory>\bkp2srv4_mod3.exe
- <Current directory>\gizmo_pakirano.exe
- %WINDIR%\$$$.vbs
- <Current directory>\ImgBurn2570_pakirano.exe
- <Current directory>\FSViewer47_pakirano.exe
- <Current directory>\PhotoFiltre653_pakirano.exe
Network activity:
Connects to:
- 'localhost':1046
- 'en####o.zapto.org':80
- 'en##igo.com':80
TCP:
HTTP GET requests:
- en##igo.com/sartic/mod/xplorer2_18014_pakirano.exe
- en####o.zapto.org/klub/ccleaner_mod3.exe
- en####o.zapto.org/klub/bkp2srv4_mod3.exe
- en####o.zapto.org/klub/dboxlinks.htm
- en####o.zapto.org/klub/hwinfo32_mod3.exe
- en##igo.com/sartic/mod/Foxit431c_pakirano.exe
- en####o.zapto.org/klub/gizmo_pakirano.exe
- en##igo.com/obnova/poruka.exe
- en##igo.com/sartic/mod/ImgBurn2570_pakirano.exe
- en##igo.com/sartic/mod/FSViewer47_pakirano.exe
- en##igo.com/sartic/mod/PhotoFiltre653_pakirano.exe
UDP:
- DNS ASK en####o.zapto.org
- DNS ASK en##igo.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
