Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '82ecfef53e3a7c68.vbs' = '%WINDIR%\Temp\82ecfef53e3a7c68.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '82ecfef53e3a7c68.vbs' = '%TEMP%\82ecfef53e3a7c68.vbs'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '82ecfef53e3a7c68.vbs' = '%TEMP%\82ecfef53e3a7c68.vbs'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\yurip] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\yurip] 'ImagePath' = 'system32\DRIVERS\tcpip.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\yurip] 'ImagePath' = '<DRIVERS>\yurip.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\jwivs] 'ImagePath' = '<DRIVERS>\jwivs.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\0xe739427b43a4] 'ImagePath' = '%TEMP%\427b43a4.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\jwivs] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\jwivs] 'ImagePath' = 'system32\DRIVERS\ipsec.sys'
Substitutes the following executable system files:
- <DRIVERS>\intelppm.sys with <DRIVERS>\intelppm.sys
- <DRIVERS>\rdpcdd.sys with <DRIVERS>\RDPCDD.sys
- <DRIVERS>\termdd.sys with <DRIVERS>\termdd.sys
- <DRIVERS>\serial.sys with <DRIVERS>\serial.sys
- <DRIVERS>\mouclass.sys with <DRIVERS>\mouclass.sys
- <DRIVERS>\kbdclass.sys with <DRIVERS>\kbdclass.sys
- <DRIVERS>\afd.sys with <DRIVERS>\afd.sys
- <DRIVERS>\vga.sys with <DRIVERS>\vga.sys
- <DRIVERS>\netbt.sys with <DRIVERS>\netbt.sys
- <DRIVERS>\i8042prt.sys with <DRIVERS>\i8042prt.sys
- <DRIVERS>\imapi.sys with <DRIVERS>\imapi.sys
- <DRIVERS>\tcpip.sys with <DRIVERS>\tcpip.sys
- <DRIVERS>\rasacd.sys with <DRIVERS>\rasacd.sys
- <DRIVERS>\redbook.sys with <DRIVERS>\redbook.sys
- <DRIVERS>\ipsec.sys with <DRIVERS>\ipsec.sys
- <DRIVERS>\cdrom.sys with <DRIVERS>\cdrom.sys
Infects the following executable files:
- <DRIVERS>\intelppm.sys
- <DRIVERS>\RDPCDD.sys
- <DRIVERS>\termdd.sys
- <DRIVERS>\serial.sys
- <DRIVERS>\mouclass.sys
- <DRIVERS>\kbdclass.sys
- <DRIVERS>\afd.sys
- <DRIVERS>\vga.sys
- <DRIVERS>\netbt.sys
- <DRIVERS>\i8042prt.sys
- <DRIVERS>\imapi.sys
- <DRIVERS>\tcpip.sys
- <DRIVERS>\rasacd.sys
- <DRIVERS>\redbook.sys
- <DRIVERS>\ipsec.sys
- <DRIVERS>\cdrom.sys
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' "%TEMP%\82ecfef53e3a7c68.vbs"
Executes the following:
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' http://19#.#23.36.108/_diag.php?os##############################################################################
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' http://19#.#23.36.108/_diag.php?os###########################################################
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' http://19#.#23.36.108/_diag.php?os##########################################################
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' http://19#.#23.36.108/_diag.php?os###############################################################
- '<SYSTEM32>\cmd.exe' /c "<Current directory>\548f6882.BAT"
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' http://19#.#23.36.108/_diag.php?os#########################################################
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' http://19#.#23.36.108/_diag.php?os###########################################################################################################
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtQueryDirectoryFile, handler: unknown
- NtOpenKey, handler: unknown
- NtQueryInformationFile, handler: unknown
- NtShutdownSystem, handler: unknown
- NtSetInformationFile, handler: unknown
- NtOpenFile, handler: unknown
- NtCreateFile, handler: unknown
- NtClose, handler: unknown
- NtCreateKey, handler: unknown
- NtEnumerateKey, handler: unknown
- NtDeleteFile, handler: unknown
Modifies file system:
Creates the following files:
- <SYSTEM32>\66c3794a38.bin
- <SYSTEM32>\66ca9ee655.bin
- %WINDIR%\Temp\82ecfef53e3a7c68.vbs
- <SYSTEM32>\66bbc918c9.bin
- <SYSTEM32>\66d6ea48d0.bin
- <SYSTEM32>\66d993bc1c.bin
- <SYSTEM32>\66cea236d4.bin
- <SYSTEM32>\66d2f406ce.bin
- <SYSTEM32>\609a9ee073.bin
- <SYSTEM32>\5a06dd2da0
- <SYSTEM32>\5a082d2461
- <SYSTEM32>\59faf93c1d
- <SYSTEM32>\59fc3ba02a
- %TEMP%\427b43a4.sys
- <Current directory>\548f6882.BAT
- <SYSTEM32>\5a1385d88d
- <SYSTEM32>\5a14b3f4f7
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\_diag[1].php
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\_diag[2].php
- <DRIVERS>\jwivs.sys
- <DRIVERS>\yurip.sys
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\2VAZY7AN\_diag[1].php
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\2VAZY7AN\_diag[2].php
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\_diag[1].php
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\_diag[2].php
- <SYSTEM32>\67005b347d.bin
- <SYSTEM32>\66e5d36275.bin
- <SYSTEM32>\66e946a2e2.bin
- <SYSTEM32>\66df8d805d.bin
- <SYSTEM32>\66e2fde35a.bin
- <SYSTEM32>\66f6376558.bin
- <SYSTEM32>\66fc2d05cd.bin
- <SYSTEM32>\66ed4a04b2.bin
- <SYSTEM32>\66f26ec21a.bin
- <SYSTEM32>\5964b75590
- <SYSTEM32>\597624911e
- <SYSTEM32>\594c40cbad
- <SYSTEM32>\5962de8776
- <SYSTEM32>\59858cd2c6
- <SYSTEM32>\59920d53e7
- <SYSTEM32>\59779310df
- <SYSTEM32>\5984099d18
- <SYSTEM32>\594aca0267
- <SYSTEM32>\58805cac1a
- <SYSTEM32>\5881a59cd8
- %TEMP%\82ecfef53e3a7c68.vbs
- %WINDIR%\Temp\47a457dbf07c10
- <SYSTEM32>\5886f142df
- <SYSTEM32>\5888e647bf
- <SYSTEM32>\58846c82b0
- <SYSTEM32>\5885a3700e
- <SYSTEM32>\59d8328452
- <SYSTEM32>\59d9263403
- <SYSTEM32>\59ce879e9d
- <SYSTEM32>\59cf85425a
- <SYSTEM32>\59efccc569
- <SYSTEM32>\59f0c806d0
- <SYSTEM32>\59e15d86aa
- <SYSTEM32>\59e2b1081d
- <SYSTEM32>\59c554327e
- <SYSTEM32>\59a03266f6
- <SYSTEM32>\59ab5e3d79
- <SYSTEM32>\5993839566
- <SYSTEM32>\599ef14fa9
- <SYSTEM32>\59bae1f35c
- <SYSTEM32>\59c4675018
- <SYSTEM32>\59ace3ff29
- <SYSTEM32>\59b9eb9969
Deletes the following files:
- %TEMP%\427b43a4.sys
Moves the following system files:
- from <DRIVERS>\intelppm.sys to <DRIVERS>\intelppm.sys59d10c0761
- from <DRIVERS>\rdpcdd.sys to <DRIVERS>\RDPCDD.sys59da8e22ba
- from <DRIVERS>\termdd.sys to <DRIVERS>\termdd.sys59bc6c097a
- from <DRIVERS>\serial.sys to <DRIVERS>\serial.sys59c6d9443e
- from <DRIVERS>\mouclass.sys to <DRIVERS>\mouclass.sys59fe08af45
- from <DRIVERS>\kbdclass.sys to <DRIVERS>\kbdclass.sys5a09f47307
- from <DRIVERS>\afd.sys to <DRIVERS>\afd.sys59e4628d30
- from <DRIVERS>\vga.sys to <DRIVERS>\vga.sys59f39041c3
- from <DRIVERS>\netbt.sys to <DRIVERS>\netbt.sys5968feac0f
- from <DRIVERS>\i8042prt.sys to <DRIVERS>\i8042prt.sys597a2e725d
- from <DRIVERS>\imapi.sys to <DRIVERS>\imapi.sys593e2e6334
- from <DRIVERS>\tcpip.sys to <DRIVERS>\tcpip.sys594ebac088
- from <DRIVERS>\rasacd.sys to <DRIVERS>\rasacd.sys59a25a9c32
- from <DRIVERS>\redbook.sys to <DRIVERS>\redbook.sys59af4b9a39
- from <DRIVERS>\ipsec.sys to <DRIVERS>\ipsec.sys5988192517
- from <DRIVERS>\cdrom.sys to <DRIVERS>\cdrom.sys5995d178ea
Deletes itself.
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
