Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\mystartup.lnk
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Executes the following
- '%WINDIR%\syswow64\net.exe' stop avpsus /y
- '%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y
- '%WINDIR%\syswow64\net.exe' stop veeam /y
- '%WINDIR%\syswow64\net.exe' stop PDVFSService /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecVSSProvider /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecAgentAccelerator /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecDiveciMediaService /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecManagementService /y
- '%WINDIR%\syswow64\taskkill.exe' /IM mydesktopqos.exe /F
- '%WINDIR%\syswow64\net.exe' stop BackupExecRPCService /y
- '%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y
- '%WINDIR%\syswow64\net.exe' stop AcronisAgent /y
- '%WINDIR%\syswow64\net.exe' stop CASAD2DWebSvc /y
- '%WINDIR%\syswow64\net.exe' stop CAARCUpdateSvc /y
- '%WINDIR%\syswow64\net.exe' stop sophos /y
- '%WINDIR%\syswow64\taskkill.exe' /IM mspub.exe /F
- '%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecJobEngine /y
- '%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y
- '%WINDIR%\syswow64\net.exe' stop SavRoam /y
- '%WINDIR%\syswow64\net.exe' stop McAfeeDLPAgentService /y
- '%WINDIR%\syswow64\net.exe' stop mfewc /y
- '%WINDIR%\syswow64\net.exe' stop BMR Boot Service /y
- '%WINDIR%\syswow64\net.exe' stop NetBackup BMR MTFTP Service /y
- '%WINDIR%\syswow64\net.exe' stop DefWatch /y
- '%WINDIR%\syswow64\net.exe' stop ccEvtMgr /y
- '%WINDIR%\syswow64\net.exe' stop ccSetMgr /y
- '%WINDIR%\syswow64\net.exe' stop RTVscan /y
- '%WINDIR%\syswow64\net.exe' stop stc_raw_agent /y
- '%WINDIR%\syswow64\net.exe' stop QBFCService /y
- '%WINDIR%\syswow64\net.exe' stop QBIDPService /y
- '%WINDIR%\syswow64\net.exe' stop Intuit.QuickBooks.FCS /y
- '%WINDIR%\syswow64\net.exe' stop QBCFMonitorService /y
- '%WINDIR%\syswow64\net.exe' stop YooBackup /y
- '%WINDIR%\syswow64\net.exe' stop YooIT /y
- '%WINDIR%\syswow64\net.exe' stop zhudongfangyu /y
- '%WINDIR%\syswow64\net.exe' stop VSNAPVSS /y
- '%WINDIR%\syswow64\taskkill.exe' /IM mydesktopservice.exe /F
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\64bit_notes.htm
- %HOMEPATH%\desktop\alert.htm
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\february_catalogue__2015.doc
- %HOMEPATH%\desktop\file_p_00000000_1371597592.docx
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\region-north-karelia.jpeg
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\tree_view.htm
- %HOMEPATH%\desktop\trivial-merge.html
Modifies file system
Creates the following files
- %TEMP%\mxbgzhjy.exe
- C:\far2\plugins\ftp\ftpcmds_rus.txt.locked
- C:\far2\plugins\ftp\notes.txt.locked
- C:\far2\plugins\ftp\notes_rus.txt.locked
- C:\far2\plugins\filecase\changelog.locked
- C:\far2\plugins\farcmds\changelog.locked
- C:\far2\plugins\emenu\changelog.locked
- C:\far2\plugins\editcase\changelog.locked
- C:\far2\plugins\drawline\changelog.locked
- C:\far2\plugins\compare\changelog.locked
- C:\far2\plugins\brackets\changelog.locked
- C:\far2\plugins\autowrap\changelog.locked
- C:\far2\plugins\ftp\changelog.locked
- C:\far2\plugins\ftp\ftpcmds.txt.locked
- C:\far2\plugins\arclite\changelog.locked
- C:\far2\documentation\rus\arc_support.txt.locked
- C:\far2\documentation\rus\bug_report.txt.locked
- C:\far2\documentation\rus\far_faq.txt.locked
- C:\far2\documentation\rus\plugins_install.txt.locked
- C:\far2\documentation\rus\plugins_review.txt.locked
- C:\far2\documentation\rus\techinfo.txt.locked
- C:\far2\documentation\eng\arc_support.txt.locked
- C:\far2\documentation\eng\bug_report.txt.locked
- C:\far2\documentation\eng\far_faq.txt.locked
- C:\far2\documentation\eng\plugins_install.txt.locked
- C:\far2\documentation\eng\plugins_review.txt.locked
- C:\far2\plugins\align\changelog.locked
- C:\far2\fexcept\changelog.locked
- C:\far2\plugins\hlfviewer\changelog.locked
- C:\far2\plugins\macroview\changelog.locked
- C:\far2\plugins\network\changelog.locked
- %TEMP%\tmpe84.bat
- %HOMEPATH%\desktop\13.jpeg.locked
- %HOMEPATH%\desktop\2.jpg.locked
- %HOMEPATH%\desktop\64bit_notes.htm.locked
- %HOMEPATH%\desktop\alert.htm.locked
- %HOMEPATH%\desktop\applicantform_en.doc.locked
- %HOMEPATH%\desktop\february_catalogue__2015.doc.locked
- C:\users\public\music\sample music\kalimba.mp3.locked
- C:\users\public\music\sample music\maid with the flaxen hair.mp3.locked
- C:\users\public\music\sample music\sleep away.mp3.locked
- C:\users\all users\mozilla\logs\maintenanceservice-install.log.locked
- C:\users\all users\mozilla\logs\maintenanceservice-uninstall.log.locked
- %TEMP%\how_to_decypher_files.txt
- C:\users\all users\microsoft\rac\statedata\racmetadata.dat.locked
- C:\users\all users\microsoft\rac\statedata\racwmieventdata.dat.locked
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- C:\users\all users\microsoft\officesoftwareprotectionplatform\cache\cache.dat.locked
- C:\users\all users\microsoft\network\downloader\qmgr0.dat.locked
- C:\users\all users\microsoft\network\downloader\qmgr1.dat.locked
- C:\far2\changelog.locked
- C:\far2\pluginsdk\headers.pas\farcolorw.pas.locked
- C:\far2\pluginsdk\headers.pas\farkeysw.pas.locked
- C:\far2\pluginsdk\headers.pas\pluginw.pas.locked
- C:\far2\plugins\tmppanel\changelog.locked
- C:\far2\plugins\proclist\changelog.locked
- C:\users\all users\microsoft\rac\statedata\racwmidatabookmarks.dat.locked
- C:\far2\documentation\eng\techinfo.txt.locked
- D:\install.log.locked
Deletes the following files
- %TEMP%\tmpe84.bat
Changes user data files extensions (Trojan.Encoder).
Network activity
TCP
HTTP GET requests
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK google.com
- DNS ASK ra#.####ubusercontent.com
- DNS ASK po###admin.com
Miscellaneous
Searches for the following windows
- ClassName: 'TaskManagerWindow' WindowName: 'Administrador de tareas'
- ClassName: '#32770' WindowName: 'Task Manager'
- ClassName: '#32770' WindowName: ''
- ClassName: 'SysListView32' WindowName: 'Processes'
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -EnableControlledFolderAccess Disabled' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -EnableControlledFolderAccess Disabled
- '%WINDIR%\syswow64\net1.exe' stop BMR Boot Service /y
- '%WINDIR%\syswow64\net1.exe' stop YooIT /y
- '%WINDIR%\syswow64\net1.exe' stop zhudongfangyu /y
- '%WINDIR%\syswow64\net1.exe' stop VSNAPVSS /y
- '%WINDIR%\syswow64\net1.exe' stop stc_raw_agent /y
- '%WINDIR%\syswow64\net1.exe' stop ccSetMgr /y
- '%WINDIR%\syswow64\net1.exe' stop sophos /y
- '%WINDIR%\syswow64\net1.exe' stop CASAD2DWebSvc /y
- '%WINDIR%\syswow64\net1.exe' stop CAARCUpdateSvc /y
- '%WINDIR%\syswow64\net1.exe' stop AcrSch2Svc /y
- '%WINDIR%\syswow64\net1.exe' stop AcronisAgent /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecRPCService /y
- '%WINDIR%\syswow64\net1.exe' stop VeeamDeploymentService /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecDiveciMediaService /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecJobEngine /y
- '%WINDIR%\syswow64\net1.exe' stop DefWatch /y
- '%WINDIR%\syswow64\net1.exe' stop ccEvtMgr /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentAccelerator /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentBrowser /y
- '%WINDIR%\syswow64\net1.exe' stop PDVFSService /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecVSSProvider /y
- '%WINDIR%\syswow64\net1.exe' stop VeeamNFSSvc /y
- '%WINDIR%\syswow64\net1.exe' stop veeam /y
- '%WINDIR%\syswow64\net1.exe' stop VeeamTransportSvc /y
- '%WINDIR%\syswow64\net1.exe' stop QBFCService /y
- '%WINDIR%\syswow64\net1.exe' stop BackupExecManagementService /y
- '%WINDIR%\syswow64\net1.exe' stop RTVscan /y
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=unbounded
- '%WINDIR%\syswow64\sc.exe' config SQLTELEMETRY start= disabled
- '%WINDIR%\syswow64\sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled
- '%WINDIR%\syswow64\sc.exe' config SQLWriter start= disabled
- '%WINDIR%\syswow64\sc.exe' config SstpSvc start= disabled
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=unbounded
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=unbounded
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=unbounded
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=401MB
- '%WINDIR%\syswow64\net1.exe' stop QBIDPService /y
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=unbounded
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=unbounded
- '%WINDIR%\syswow64\cmd.exe' /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
- '%WINDIR%\syswow64\net1.exe' stop avpsus /y
- '%WINDIR%\syswow64\net1.exe' stop mfewc /y
- '%WINDIR%\syswow64\net1.exe' stop NetBackup BMR MTFTP Service /y
- '%WINDIR%\syswow64\net1.exe' stop McAfeeDLPAgentService /y
- '%WINDIR%\syswow64\net1.exe' stop SavRoam /y
- '%WINDIR%\syswow64\net1.exe' stop QBCFMonitorService /y
- '%WINDIR%\syswow64\net1.exe' stop YooBackup /y
- '%WINDIR%\syswow64\net1.exe' stop Intuit.QuickBooks.FCS /y
- '%WINDIR%\syswow64\cmd.exe' /C %TEMP%\tmpE84.bat
