Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Solutions Policy Studio Protection Registrar' = '%APPDATA%\sdspdoohly\ewjhoubgudvb.exe'
Malicious functions:
Creates and executes the following:
- '%APPDATA%\sdspdoohly\ndwhfhpgsq.exe' "%APPDATA%\sdspdoohly\ewjhoubgudvb.exe"
- '%APPDATA%\sdspdoohly\ewjhoubgudvb.exe'
Modifies file system :
Creates the following files:
- %APPDATA%\sdspdoohly\ewjhoubgudvb.t2egg
- %APPDATA%\sdspdoohly\ndwhfhpgsq.exe
- %APPDATA%\sdspdoohly\ewjhoubgudvb.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\sdspdoohly\ndwhfhpgsq.exe
- %APPDATA%\sdspdoohly\ewjhoubgudvb.exe
Network activity:
Connects to:
- 'pr####ebridge.net':80
- 'de####except.net':80
- 'de####bridge.net':80
- 'de####bicycle.net':80
- 'pr####ebicycle.net':80
- 'pr####eexcept.net':80
- 'br####bicycle.net':80
- 're####bridge.net':80
- 're####bicycle.net':80
- 're###twhose.net':80
- 'br###nwhose.net':80
- 'pr####ewhose.net':80
- 'mo####ntwithout.net':80
- 'ou####ewagon.net':80
- 'ou####ewithout.net':80
- 'ou####ekitchen.net':80
- 'mo####ntkitchen.net':80
- 'mo####ntwagon.net':80
- 'st####thexcept.net':80
- 'de###ewhose.net':80
- 'st####thbridge.net':80
- 'st####thwhose.net':80
- 'st####thbicycle.net':80
- 'br####bridge.net':80
- 'mi###whose.net':80
- 'st###whose.net':80
- 'do####except.net':80
- 'do####bridge.net':80
- 'pr####except.net':80
- 'mi####icycle.net':80
- 'mi###except.net':80
- 'st###except.net':80
- 'st###bridge.net':80
- 'st####icycle.net':80
- 'mi###bridge.net':80
- 'pr####bridge.net':80
- 'fe###wwhose.net':80
- 'fe####bicycle.net':80
- 'do###ewhose.net':80
- 're####except.net':80
- 'br####except.net':80
- 'fe####bridge.net':80
- 'pr####bicycle.net':80
- 'do####bicycle.net':80
- 'do###rwhose.net':80
- 'fe####except.net':80
- 'pr###ywhose.net':80
TCP:
HTTP GET requests:
- pr####ebridge.net/forum/search.php?em######################################
- de####except.net/forum/search.php?em######################################
- de####bridge.net/forum/search.php?em######################################
- de####bicycle.net/forum/search.php?em######################################
- pr####ebicycle.net/forum/search.php?em######################################
- pr####eexcept.net/forum/search.php?em######################################
- br####bicycle.net/forum/search.php?em######################################
- re####bridge.net/forum/search.php?em######################################
- re####bicycle.net/forum/search.php?em######################################
- re###twhose.net/forum/search.php?em######################################
- br###nwhose.net/forum/search.php?em######################################
- pr####ewhose.net/forum/search.php?em######################################
- mo####ntwithout.net/forum/search.php?em######################################
- ou####ewagon.net/forum/search.php?em######################################
- ou####ewithout.net/forum/search.php?em######################################
- ou####ekitchen.net/forum/search.php?em######################################
- mo####ntkitchen.net/forum/search.php?em######################################
- mo####ntwagon.net/forum/search.php?em######################################
- st####thexcept.net/forum/search.php?em######################################
- de###ewhose.net/forum/search.php?em######################################
- st####thbridge.net/forum/search.php?em######################################
- st####thwhose.net/forum/search.php?em######################################
- st####thbicycle.net/forum/search.php?em######################################
- br####bridge.net/forum/search.php?em######################################
- mi###whose.net/forum/search.php?em######################################
- st###whose.net/forum/search.php?em######################################
- do####except.net/forum/search.php?em######################################
- do####bridge.net/forum/search.php?em######################################
- pr####except.net/forum/search.php?em######################################
- mi####icycle.net/forum/search.php?em######################################
- mi###except.net/forum/search.php?em######################################
- st###except.net/forum/search.php?em######################################
- st###bridge.net/forum/search.php?em######################################
- st####icycle.net/forum/search.php?em######################################
- mi###bridge.net/forum/search.php?em######################################
- pr####bridge.net/forum/search.php?em######################################
- fe###wwhose.net/forum/search.php?em######################################
- fe####bicycle.net/forum/search.php?em######################################
- do###ewhose.net/forum/search.php?em######################################
- re####except.net/forum/search.php?em######################################
- br####except.net/forum/search.php?em######################################
- fe####bridge.net/forum/search.php?em######################################
- pr####bicycle.net/forum/search.php?em######################################
- do####bicycle.net/forum/search.php?em######################################
- do###rwhose.net/forum/search.php?em######################################
- fe####except.net/forum/search.php?em######################################
- pr###ywhose.net/forum/search.php?em######################################
UDP:
- DNS ASK de####bridge.net
- DNS ASK pr####ebridge.net
- DNS ASK de####except.net
- DNS ASK pr####ewhose.net
- DNS ASK de####bicycle.net
- DNS ASK pr####ebicycle.net
- DNS ASK re####bicycle.net
- DNS ASK br####bicycle.net
- DNS ASK re####bridge.net
- DNS ASK pr####eexcept.net
- DNS ASK re###twhose.net
- DNS ASK br###nwhose.net
- DNS ASK ou####ewithout.net
- DNS ASK mo####ntwithout.net
- DNS ASK ou####ewagon.net
- DNS ASK mo#####tprobable.net
- DNS ASK ou####ekitchen.net
- DNS ASK mo####ntkitchen.net
- DNS ASK st####thbridge.net
- DNS ASK st####thexcept.net
- DNS ASK de###ewhose.net
- DNS ASK mo####ntwagon.net
- DNS ASK st####thwhose.net
- DNS ASK st####thbicycle.net
- DNS ASK do####except.net
- DNS ASK mi###whose.net
- DNS ASK st###whose.net
- DNS ASK pr####bridge.net
- DNS ASK do####bridge.net
- DNS ASK pr####except.net
- DNS ASK st###bridge.net
- DNS ASK mi###except.net
- DNS ASK st###except.net
- DNS ASK mi####icycle.net
- DNS ASK st####icycle.net
- DNS ASK mi###bridge.net
- DNS ASK do###ewhose.net
- DNS ASK fe###wwhose.net
- DNS ASK fe####bicycle.net
- DNS ASK br####bridge.net
- DNS ASK re####except.net
- DNS ASK br####except.net
- DNS ASK do###rwhose.net
- DNS ASK pr####bicycle.net
- DNS ASK do####bicycle.net
- DNS ASK fe####bridge.net
- DNS ASK fe####except.net
- DNS ASK pr###ywhose.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
