Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,%ProgramFiles%\microsoft\watermark.exe'
Infects the following executable files:
- C:\Far2\Plugins\MacroView\MacroView.dll
- C:\Far2\Plugins\Network\Network.dll
- C:\Far2\Plugins\HlfViewer\HlfViewer.dll
- C:\Far2\Plugins\FarCmds\FARCmds.dll
- C:\Far2\Plugins\FTP\FarFtp.dll
- C:\Far2\Plugins\ProcList\Proclist.dll
- %CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL
- %ProgramFiles%\FireFox\AccessibleMarshal.dll
- %CommonProgramFiles%\Microsoft Shared\VC\msdia80.dll
- C:\Far2\Plugins\TmpPanel\TmpPanel.dll
- C:\Far2\Plugins\WinSCP\WinSCP.dll
- C:\Far2\Plugins\EMenu\EMenu.dll
- C:\Far2\FExcept\FExcept.dll
- C:\Far2\Plugins\7-Zip\7-ZipFar.dll
- C:\Far2\FExcept\ExcDump.dll
- C:\Far2\Far.exe
- C:\Far2\FExcept\demangle32.dll
- C:\Far2\Plugins\arclite\7z.dll
- C:\Far2\Plugins\Compare\Compare.dll
- C:\Far2\Plugins\DrawLine\DrawLine.dll
- C:\Far2\Plugins\Colorer\bin\colorer.dll
- C:\Far2\Plugins\arclite\arclite.dll
- C:\Far2\Plugins\Brackets\Brackets.dll
Creates the following files on removable media:
- <Drive name for removable media>:\RECYCLER\S-1-0-51-5214400023-6047880161-545187356-1177\gpSvobMr.cpl
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\RECYCLER\S-1-0-51-5214400023-6047880161-545187356-1177\bjSPYdfL.exe
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\msiexec.exe' -Embedding 5C8147C18CD3DFD085E9A4897DDC1881 C
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE'
- '%TEMP%\o1R8.exe'
- '%TEMP%\o4Q2Ks.exe'
- '<SYSTEM32>\msiexec.exe' /i "%TEMP%\Ln93DoF.msi"
- '%ProgramFiles%\Microsoft\WaterMark.exe'
- '%TEMP%\o4Q2Ksmgr.exe'
Injects code into
the following system processes:
- <SYSTEM32>\ctfmon.exe
- <SYSTEM32>\spoolsv.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\alg.exe
- <SYSTEM32>\msiexec.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\smss.exe
- System
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\csrss.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\services.exe
- <SYSTEM32>\winlogon.exe
a large number of user processes.
Modifies file system:
Creates the following files:
- <SYSTEM32>\dllcache\msadcfr.dll.new
- <SYSTEM32>\dllcache\msadcf.dll.new
- <SYSTEM32>\dllcache\msadcer.dll.new
- <SYSTEM32>\dllcache\msadcs.dll.new
- <SYSTEM32>\dllcache\msadcor.dll.new
- <SYSTEM32>\dllcache\msadco.dll.new
- <SYSTEM32>\dllcache\msadrh15.dll.new
- <SYSTEM32>\dllcache\msadox.dll.new
- <SYSTEM32>\dllcache\msador15.dll.new
- <SYSTEM32>\dllcache\msadce.dll.new
- <SYSTEM32>\dllcache\directdb.dll.new
- <SYSTEM32>\dllcache\msjro.dll.new
- <SYSTEM32>\dllcache\msadds.dll.new
- <SYSTEM32>\dllcache\msdaer.dll.new
- <SYSTEM32>\dllcache\msdaenum.dll.new
- <SYSTEM32>\dllcache\msdadc.dll.new
- <SYSTEM32>\dllcache\msdaosp.dll.new
- <SYSTEM32>\dllcache\msdaorar.dll.new
- <SYSTEM32>\dllcache\msdaora.dll.new
- <SYSTEM32>\dllcache\msdaprst.dll.new
- <SYSTEM32>\dllcache\msdaprsr.dll.new
- <SYSTEM32>\dllcache\msaddsr.dll.new
- <SYSTEM32>\dllcache\msdfmap.dll.new
- <SYSTEM32>\dllcache\msdaremr.dll.new
- <SYSTEM32>\dllcache\msdarem.dll.new
- <SYSTEM32>\dllcache\msadomd.dll.new
- %TEMP%\CFG3.tmp
- %TEMP%\MSI2.tmp
- <SYSTEM32>\dmlconf.dat
- <SYSTEM32>\dllcache\msinfo32.exe.new
- <SYSTEM32>\dllcache\dao360.dll.new
- %TEMP%\MSI4.tmp
- %TEMP%\o1R8.exe
- %TEMP%\o4Q2Ks.exe
- %TEMP%\Ln93DoF.msi
- %ProgramFiles%\Microsoft\WaterMark.exe
- %TEMP%\1f7a9.msi
- %TEMP%\o4Q2Ksmgr.exe
- <SYSTEM32>\dllcache\spcplui.dll.new
- <SYSTEM32>\dllcache\spcommon.dll.new
- <SYSTEM32>\dllcache\wisc10.dll.new
- <SYSTEM32>\dllcache\mssoapr.dll.new
- <SYSTEM32>\dllcache\msado15.dll.new
- <SYSTEM32>\dllcache\msader15.dll.new
- <SYSTEM32>\dllcache\spttseng.dll.new
- <SYSTEM32>\dllcache\triedit.dll.new
- <SYSTEM32>\dllcache\sapisvr.exe.new
- <SYSTEM32>\dllcache\sapi.dll.new
- <SYSTEM32>\dllcache\mssoap1.dll.new
- <SYSTEM32>\dllcache\fp4autl.dll.new
- <SYSTEM32>\dllcache\vgx.dll.new
Deletes the following files:
- %TEMP%\MSI4.tmp
- %TEMP%\MSI2.tmp
Network activity:
Connects to:
- 'er#####dthetcwerc.com':443
- 'rv####eitwjeitv.com':443
- '91.##0.62.30':443
- '74.##5.232.51':80
UDP:
- DNS ASK er#####dthetcwerc.com
- DNS ASK rv####eitwjeitv.com
- DNS ASK google.com
- DNS ASK rt######tutnrsbberve.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
