Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
Malicious functions:
Executes the following:
- '%TEMP%\beaztyz.exe' /HomeRegAccess10
- '%TEMP%\pchlrdk.exe' /HomeRegAccess10
- '%TEMP%\qsryhmt.exe' /HomeRegAccess10
- '%TEMP%\mkidmgz.exe' /HomeRegAccess10
- '%TEMP%\inctzwz.exe' /HomeRegAccess10
- '<SYSTEM32>\rundll32.exe' setupapi,InstallHinfSection DefaultInstall 132 %TEMP%\~bhtfrpa.inf
- '<SYSTEM32>\runonce.exe' -r
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
- %HOMEPATH%\Favorites\体育赛事.url
- %HOMEPATH%\Favorites\links\免费电影.url
- %HOMEPATH%\Favorites\链接\免费电影.url
- %HOMEPATH%\Favorites\链接\体育赛事.url
- %TEMP%\mkidmgz.exe
- %TEMP%\~bhtfrpa.inf
- %HOMEPATH%\Favorites\links\体育赛事.url
- %HOMEPATH%\Favorites\links\女性网.url
- %HOMEPATH%\Favorites\链接\女性网.url
- %HOMEPATH%\Favorites\女性网.url
- %HOMEPATH%\Favorites\小游戏.url
- %HOMEPATH%\Favorites\免费电影.url
- %HOMEPATH%\Favorites\links\小游戏.url
- %HOMEPATH%\Favorites\链接\小游戏.url
- %TEMP%\aut4.tmp
- %TEMP%\~jikxqvd.tmp
- %TEMP%\3044sxngtwu
- %TEMP%\aut6.tmp
- %TEMP%\qsryhmt.exe
- %TEMP%\~mrbrbzf.tmp
- %TEMP%\3096gsqvpas
- %TEMP%\aut7.tmp
- %TEMP%\beaztyz.exe
- %TEMP%\~bjrcshr.tmp
- %TEMP%\2960jjhinxk
- %TEMP%\aut5.tmp
- %TEMP%\pchlrdk.exe
- %TEMP%\~xirltjh.tmp
- %TEMP%\3004ozzsvqw
- %HOMEPATH%\Favorites\链接\百度.url
- %HOMEPATH%\Favorites\百度.url
- %TEMP%\~aehwdbo.tmp
- %HOMEPATH%\Favorites\links\百度.url
- %HOMEPATH%\Favorites\links\淘宝网.url
- %HOMEPATH%\Favorites\链接\淘宝网.url
- %HOMEPATH%\Favorites\淘宝网.url
- %TEMP%\aut2.tmp
- %TEMP%\2860mvvahcs
- %TEMP%\aut1.tmp
- %ProgramFiles%\360\360safe\deepscan\speedmem2.hg
- %TEMP%\2900oyhqigh
- %TEMP%\aut3.tmp
- %TEMP%\inctzwz.exe
- %HOMEPATH%\Favorites\京东商城.url
- %HOMEPATH%\Favorites\链接\手机游戏.url
- %HOMEPATH%\Favorites\手机游戏.url
- %HOMEPATH%\Favorites\links\9.9包邮.url
- %HOMEPATH%\Favorites\links\手机游戏.url
- %HOMEPATH%\Favorites\links\美女图片.url
- %HOMEPATH%\Favorites\链接\美女图片.url
- %HOMEPATH%\Favorites\美女图片.url
- %HOMEPATH%\Favorites\天猫精选.url
- %HOMEPATH%\Favorites\links\京东商城.url
- %HOMEPATH%\Favorites\链接\京东商城.url
- %HOMEPATH%\Favorites\链接\天猫精选.url
- %HOMEPATH%\Favorites\链接\9.9包邮.url
- %HOMEPATH%\Favorites\9.9包邮.url
- %HOMEPATH%\Favorites\links\天猫精选.url
Deletes the following files:
- %TEMP%\~xirltjh.tmp
- %TEMP%\aut6.tmp
- %TEMP%\3044sxngtwu
- %TEMP%\aut5.tmp
- %TEMP%\3004ozzsvqw
- %TEMP%\beaztyz.exe
- %TEMP%\3096gsqvpas
- %TEMP%\qsryhmt.exe
- %TEMP%\~mrbrbzf.tmp
- %TEMP%\pchlrdk.exe
- %TEMP%\~jikxqvd.tmp
- %TEMP%\aut7.tmp
- %TEMP%\aut3.tmp
- %TEMP%\2900oyhqigh
- %TEMP%\~aehwdbo.tmp
- %TEMP%\aut1.tmp
- %TEMP%\2860mvvahcs
- %TEMP%\aut2.tmp
- %TEMP%\2960jjhinxk
- %TEMP%\mkidmgz.exe
- %TEMP%\~bjrcshr.tmp
- %TEMP%\inctzwz.exe
- %TEMP%\~bhtfrpa.inf
- %TEMP%\aut4.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
