Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\ipconfig.exe /all
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtQuerySystemInformation, handler: PCIDump.SYS
Modifies file system :
Creates the following files:
- %WINDIR%\Temptemp.txt
- %WINDIR%\Temp\000000000001.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\install[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\index[1].txt
- <DRIVERS>\pcidump.txt
- %WINDIR%\Temp\mmhtml.dll
- C:\kpp.log
Sets the 'hidden' attribute to the following files:
- %WINDIR%\Temp\mmhtml.dll
Deletes the following files:
- %WINDIR%\Temptemp.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\install[1].asp
- <DRIVERS>\pcidump.sys
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\index[1].txt
Moves the following files:
- from <DRIVERS>\pcidump.txt to <DRIVERS>\pcidump.sys
Network activity:
Connects to:
- 'www.xh##y.cn':80
- 'ma.##pask.cn':80
- 'localhost':1037
TCP:
HTTP GET requests:
- www.xh##y.cn/install.asp
- ma.##pask.cn/index.txt
UDP:
- DNS ASK www.xh##y.cn
- DNS ASK ma.##pask.cn
