Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Cryptvc] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Microsoftbill] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- <SYSTEM32>\spool\NTSVC.exe config "Microsoftbill" DisplayName= "Windows Managements Instrumentation Drivers"
- <SYSTEM32>\wins\NAI.exe stop Cryptvc
- <SYSTEM32>\spool\NTSVC.exe description Microsoftbill "Component Object Model (COM +) components of the configuration and tracking. If you stop the service, most COM +-based components will not work correctly. If you disable the service, any explicit dependence on its service will not start."
- <SYSTEM32>\wins\NTSVC.exe stop Cryptvc
- <SYSTEM32>\spool\NTSVC.exe create Microsoftbill binpath= "<SYSTEM32>\spool\svchost.exe -service" start= auto Displayname= "Windows Managements Instrumentation Drivers"
- <SYSTEM32>\spool\NTSVC.exe stop Microsoftbill
- <SYSTEM32>\wins\NTSVC.exe delete LogicalDisk
- <SYSTEM32>\wins\NTSVC.exe stop LogicalDisk
- <SYSTEM32>\wins\NTSVC.exe create Cryptvc binpath= "<SYSTEM32>\wins\svchost.exe -service" start= auto Displayname= "Remote Access Auto Connection Managers"
- <SYSTEM32>\wins\NAI.exe start Cryptvc
- <SYSTEM32>\wins\NTSVC.exe description Cryptvc "No matter what, when a program or a reference to a remote DNS NetBIOS name or address will create a long-range network connections to"
- <SYSTEM32>\wins\NTSVC.exe start Cryptvc
- <SYSTEM32>\wins\svchost.exe -service
- <SYSTEM32>\spool\svchost.exe -service
- <SYSTEM32>\spool\NTSVC.exe start Microsoftbill
- <SYSTEM32>\spool\KZ.exe start Microsoftbill
- <SYSTEM32>\wins\NTSVC.exe config "Cryptvc" DisplayName= "Remote Access Auto Connection Managers"
- <SYSTEM32>\wins\NAI.exe stop LogicalDisk
- <Current directory>\a1g.exe delete RasAuto
- <Current directory>\a1g.exe stop RasAuto
- <SYSTEM32>\spool\basic.exe
- <SYSTEM32>\wins\delphi.exe
- <Current directory>\a1g.exe delete LogicalDisk
- <Current directory>\a1g.exe stop LogicalDisk
- <Current directory>\a1g.exe stop Microsoftbill
- <Current directory>\a1g.exe stop Cryptvc
- <Current directory>\a1g.exe config Microsoftbill start= auto
- <SYSTEM32>\spool\KZ.exe stop Microsoftbill
- <SYSTEM32>\wins\NAI.exe stop RasAuto
- <SYSTEM32>\wins\NTSVC.exe delete RasAuto
- <SYSTEM32>\wins\NTSVC.exe stop RasAuto
- <Current directory>\a1g.exe config Cryptvc start= auto
- <Current directory>\a1g.exe start Microsoftbill
- <Current directory>\a1g.exe start LogicalDisk
- <Current directory>\a1g.exe start Cryptvc
Executes the following:
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\wins\CCProxy.ini
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\wins\svchost.exe
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\spool\AccInfo.ini
- <SYSTEM32>\net1.exe stop Cryptvc
- <SYSTEM32>\attrib.exe +s +h +r <SYSTEM32>\spool\Language
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\spool\CDial.dll
- <SYSTEM32>\net1.exe start Cryptvc
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\wins\AccInfo.ini
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\wins\CDial.dll
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\wins\uuid.dll
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\wins\web
- <SYSTEM32>\net1.exe start LogicalDisk
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\spool\CCProxy.ini
- <SYSTEM32>\net1.exe start Microsoftbill
- <SYSTEM32>\cmd.exe /c <SYSTEM32>\wins\WS.bat
- <SYSTEM32>\cmd.exe /c <SYSTEM32>\spool\SL.bat
- <SYSTEM32>\net1.exe stop RasAuto
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\spool\svchost.exe
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\spool\web
- <SYSTEM32>\net1.exe stop LogicalDisk
- <SYSTEM32>\attrib.exe +s +h <SYSTEM32>\spool\uuid.dll
- <SYSTEM32>\net1.exe stop Microsoftbill
Modifies file system :
Creates the following files:
- <SYSTEM32>\spool\web\log.htm
- <SYSTEM32>\wins\uuid.dll
- <SYSTEM32>\wins\WS.bat
- <SYSTEM32>\spool\web\settings.htm
- <SYSTEM32>\spool\web\list.htm
- <SYSTEM32>\spool\web\acclist.htm
- <SYSTEM32>\wins\svchost.exe
- <SYSTEM32>\spool\web\index.html
- <SYSTEM32>\spool\web\account.htm
- <SYSTEM32>\spool\AccInfo.ini
- <SYSTEM32>\spool\uuid.dll
- <SYSTEM32>\spool\svchost.exe
- <SYSTEM32>\dllcache\basic.exe
- <Current directory>\Km.bat
- <SYSTEM32>\spool\SL.bat
- <SYSTEM32>\spool\CDial.dll
- <SYSTEM32>\spool\CCProxy.ini
- <SYSTEM32>\spool\NTSVC.exe
- <SYSTEM32>\spool\KZ.exe
- <SYSTEM32>\spool\web\accheader.htm
- <SYSTEM32>\wins\web\accheader.htm
- <SYSTEM32>\wins\web\accadd.htm
- <SYSTEM32>\wins\web\account.htm
- <SYSTEM32>\wins\web\acclist.htm
- <SYSTEM32>\dllcache\delphi.exe
- <SYSTEM32>\wins\delphi.exe
- <Current directory>\a1g.exe
- <SYSTEM32>\spool\basic.exe
- <SYSTEM32>\wins\web\index.html
- <SYSTEM32>\wins\NAI.exe
- <SYSTEM32>\wins\CDial.dll
- <SYSTEM32>\spool\web\accadd.htm
- <SYSTEM32>\wins\NTSVC.exe
- <SYSTEM32>\wins\CCProxy.ini
- <SYSTEM32>\wins\web\log.htm
- <SYSTEM32>\wins\web\list.htm
- <SYSTEM32>\wins\AccInfo.ini
- <SYSTEM32>\wins\web\settings.htm
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\spool\CDial.dll
- <SYSTEM32>\wins\svchost.exe
- <SYSTEM32>\wins\uuid.dll
- <SYSTEM32>\wins\AccInfo.ini
- <SYSTEM32>\wins\CDial.dll
- <SYSTEM32>\spool\uuid.dll
- <SYSTEM32>\spool\CCProxy.ini
- <SYSTEM32>\spool\svchost.exe
- <SYSTEM32>\wins\CCProxy.ini
- <SYSTEM32>\spool\AccInfo.ini
Deletes the following files:
- <SYSTEM32>\spool\NTSVC.exe
- <SYSTEM32>\wins\NAI.exe
- <SYSTEM32>\wins\NTSVC.exe
- <SYSTEM32>\wins\delphi.exe
- <SYSTEM32>\spool\basic.exe
- <SYSTEM32>\spool\KZ.exe
Network activity:
Connects to:
- '67.##5.160.76':80
- '21#.#5.5.121':82
- 'localhost':1035
UDP:
- DNS ASK www.ya##o.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'C--WINDOWS-system32-spool-svchost.HLP' WindowName: ''
- ClassName: 'C--WINDOWS-system32-wins-svchost.HLP' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
