Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Plug User-mode Counter TPM Removal' = '<SYSTEM32>\glxkgvhxbbnc.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Fax Routing Microsoft Policy Bluetooth Modules] 'ImagePath' = '<SYSTEM32>\glxkgvhxbbnc.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Fax Routing Microsoft Policy Bluetooth Modules] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Executes the following:
- '<SYSTEM32>\gnxorlqzjtuu.exe' "<SYSTEM32>\glxkgvhxbbnc.exe"
- '%WINDIR%\Temp\xcors4nc313yih2u.exe' -r 21675 tcp
- '%TEMP%\xcors4nc2ofcih2unjfnklin.exe'
- '<SYSTEM32>\glxkgvhxbbnc.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\qasryzdwj\run
- <SYSTEM32>\qasryzdwj\rng
- %WINDIR%\Temp\xcors4nc313yih2u.exe
- <SYSTEM32>\qasryzdwj\cfg
- <SYSTEM32>\gnxorlqzjtuu.exe
- %TEMP%\xcors4nc2ofcih2unjfnklin.exe
- <SYSTEM32>\qasryzdwj\tst
- <SYSTEM32>\glxkgvhxbbnc.exe
- <SYSTEM32>\qasryzdwj\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\gnxorlqzjtuu.exe
- <SYSTEM32>\glxkgvhxbbnc.exe
Deletes the following files:
- %WINDIR%\Temp\xcors4nc313yih2u.exe
- <DRIVERS>\etc\hosts
- %TEMP%\xcors4nc2ofcih2unjfnklin.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'dr###horse.net':80
- 'th###ctover.net':80
- 'dr####ctover.net':80
- 'ha###tood.net':80
- 'hu###stood.net':80
- 'th###orse.net':80
- 'th###njoy.net':80
- 'fa###orse.net':80
- 'wa###horse.net':80
- 'fa###ctover.net':80
- 'dr###enjoy.net':80
- 'th###orld.net':80
- 'dr###world.net':80
- 'mu###kill.net':80
- 'ya###ill.net':80
- 'mu###stood.net':80
- 'ya###uess.net':80
- 'mu###first.net':80
- 'ya###irst.net':80
- 'ya###tood.net':80
- 'hu###first.net':80
- 'ha###ill.net':80
- 'hu###kill.net':80
- 'ha###uess.net':80
- 'hu###guess.net':80
- 'ha###irst.net':80
- 'eq####ctover.net':80
- 'gr###enjoy.net':80
- 'eq###enjoy.net':80
- 'gr###horse.net':80
- 'eq###horse.net':80
- 'gr####ctover.net':80
- 'gr###world.net':80
- 'be##lxc.com':80
- 'af###sllc.com':80
- 'ri###nstorm.net':80
- 'eq###world.net':80
- 'ta###horse.net':80
- 'de###lxc.com':80
- 'fa###orld.net':80
- 'wa###world.net':80
- 'vi###horse.net':80
- 'wa####ctover.net':80
- 'fa###njoy.net':80
- 'wa###enjoy.net':80
- 'sp###horse.net':80
- 'sp###enjoy.net':80
- 'vi###world.net':80
- 'sp###world.net':80
- 'vi####ctover.net':80
- 'sp####ctover.net':80
- 'vi###enjoy.net':80
TCP:
HTTP GET requests:
- http://dr###horse.net/index.php
- http://th###ctover.net/index.php
- http://dr####ctover.net/index.php
- http://ha###tood.net/index.php
- http://hu###stood.net/index.php
- http://th###orse.net/index.php
- http://th###njoy.net/index.php
- http://fa###orse.net/index.php
- http://wa###horse.net/index.php
- http://fa###ctover.net/index.php
- http://dr###enjoy.net/index.php
- http://th###orld.net/index.php
- http://dr###world.net/index.php
- http://mu###kill.net/index.php
- http://ya###ill.net/index.php
- http://mu###stood.net/index.php
- http://ya###uess.net/index.php
- http://mu###first.net/index.php
- http://ya###irst.net/index.php
- http://ya###tood.net/index.php
- http://hu###first.net/index.php
- http://ha###ill.net/index.php
- http://hu###kill.net/index.php
- http://ha###uess.net/index.php
- http://hu###guess.net/index.php
- http://ha###irst.net/index.php
- http://eq####ctover.net/index.php
- http://gr###enjoy.net/index.php
- http://eq###enjoy.net/index.php
- http://gr###horse.net/index.php
- http://eq###horse.net/index.php
- http://gr####ctover.net/index.php
- http://gr###world.net/index.php
- http://be##lxc.com/index.php
- http://af###sllc.com/index.php
- http://ri###nstorm.net/index.php
- http://eq###world.net/index.php
- http://ta###horse.net/index.php
- http://de###lxc.com/index.php
- http://fa###orld.net/index.php
- http://wa###world.net/index.php
- http://vi###horse.net/index.php
- http://wa####ctover.net/index.php
- http://fa###njoy.net/index.php
- http://wa###enjoy.net/index.php
- http://sp###horse.net/index.php
- http://sp###enjoy.net/index.php
- http://vi###world.net/index.php
- http://sp###world.net/index.php
- http://vi####ctover.net/index.php
- http://sp####ctover.net/index.php
- http://vi###enjoy.net/index.php
UDP:
- DNS ASK dr###horse.net
- DNS ASK th###ctover.net
- DNS ASK dr####ctover.net
- DNS ASK ha###tood.net
- DNS ASK hu###stood.net
- DNS ASK th###orse.net
- DNS ASK th###njoy.net
- DNS ASK fa###orse.net
- DNS ASK wa###horse.net
- DNS ASK fa###ctover.net
- DNS ASK dr###enjoy.net
- DNS ASK th###orld.net
- DNS ASK dr###world.net
- DNS ASK hu###kill.net
- DNS ASK ya###irst.net
- DNS ASK mu###kill.net
- DNS ASK ya###ill.net
- DNS ASK mu###guess.net
- DNS ASK ya###uess.net
- DNS ASK mu###first.net
- DNS ASK mu###stood.net
- DNS ASK ha###irst.net
- DNS ASK hu###first.net
- DNS ASK ha###ill.net
- DNS ASK ya###tood.net
- DNS ASK ha###uess.net
- DNS ASK hu###guess.net
- DNS ASK eq####ctover.net
- DNS ASK gr###enjoy.net
- DNS ASK eq###enjoy.net
- DNS ASK gr###horse.net
- DNS ASK eq###horse.net
- DNS ASK gr####ctover.net
- DNS ASK gr###world.net
- DNS ASK be##lxc.com
- DNS ASK af###sllc.com
- DNS ASK ri###nstorm.net
- DNS ASK eq###world.net
- DNS ASK ta###horse.net
- DNS ASK de###lxc.com
- DNS ASK fa###orld.net
- DNS ASK wa###world.net
- DNS ASK vi###horse.net
- DNS ASK wa####ctover.net
- DNS ASK fa###njoy.net
- DNS ASK wa###enjoy.net
- DNS ASK sp###horse.net
- DNS ASK sp###enjoy.net
- DNS ASK vi###world.net
- DNS ASK sp###world.net
- DNS ASK vi####ctover.net
- DNS ASK sp####ctover.net
- DNS ASK vi###enjoy.net
- '23#.#55.255.250':1900
