Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Machin_Updaters' = 'c:\$Recycle.Bin\RCRU_64.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Machin_Update' = 'c:\$Recycle.Bin\RCRU_64.exe'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\desktopini.exe
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Creates the following files on removable media
- <Drive name for removable media>:\read_me!_.txt
- <Drive name for removable media>:\delete.avi
- <Drive name for removable media>:\join.avi
- <Drive name for removable media>:\archer.avi
- <Drive name for removable media>:\tileimage.bmp
- <Drive name for removable media>:\dialmap.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\toolbar.bmp
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\sdksampleunprivdeveloper.cer
- <Drive name for removable media>:\testee.cer
- <Drive name for removable media>:\contoso.cer
- <Drive name for removable media>:\testcertificate.cer
- <Drive name for removable media>:\pmd.cer
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
deletes volume shadow copies.
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall set opmode mode=disable
- '%WINDIR%\syswow64\taskkill.exe' /im mysqld.exe
- '%WINDIR%\syswow64\taskkill.exe' /im mysqld-nt.exe
- '%WINDIR%\syswow64\taskkill.exe' /im mysqld-opt.exe
- '%WINDIR%\syswow64\taskkill.exe' /im dbeng50.exe
- '%WINDIR%\syswow64\taskkill.exe' /im sqbcoreservice.exe
- '%WINDIR%\syswow64\taskkill.exe' /im excel.exe
- '%WINDIR%\syswow64\taskkill.exe' /im infopath.exe
- '%WINDIR%\syswow64\taskkill.exe' /im msaccess.exe
- '%WINDIR%\syswow64\taskkill.exe' /im mspub.exe
- '%WINDIR%\syswow64\taskkill.exe' /im onenote.exe
- '%WINDIR%\syswow64\taskkill.exe' /im outlook.exe
- '%WINDIR%\syswow64\taskkill.exe' /im powerpnt.exe
- '%WINDIR%\syswow64\taskkill.exe' /im steam.exe
- '%WINDIR%\syswow64\taskkill.exe' /im thebat.exe
- '%WINDIR%\syswow64\taskkill.exe' /im thebat64.exe
- '%WINDIR%\syswow64\taskkill.exe' /im thunderbird.exe
- '%WINDIR%\syswow64\taskkill.exe' /im visio.exe
- '%WINDIR%\syswow64\taskkill.exe' /im ocomm.exe
- '%WINDIR%\syswow64\taskkill.exe' /im winword.exe
- '%WINDIR%\syswow64\taskkill.exe' /im tbirdconfig.exe
- '%WINDIR%\syswow64\taskkill.exe' /im encsvc.exe
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall set rule group="Network Discovery" new enable=Yes
- '%WINDIR%\syswow64\taskkill.exe' /im notepad.exe
- '%WINDIR%\syswow64\taskkill.exe' /im msftesql.exe
- '%WINDIR%\syswow64\taskkill.exe' /im sqlagent.exe
- '%WINDIR%\syswow64\taskkill.exe' /im sqlbrowser.exe
- '%WINDIR%\syswow64\taskkill.exe' /im sqlservr.exe
- '%WINDIR%\syswow64\taskkill.exe' /im sqlwriter.exe
- '%WINDIR%\syswow64\taskkill.exe' /im oracle.exe
- '%WINDIR%\syswow64\taskkill.exe' /im ocssd.exe
- '%WINDIR%\syswow64\taskkill.exe' /im dbsnmp.exe
- '%WINDIR%\syswow64\taskkill.exe' /im synctime.exe
- '%WINDIR%\syswow64\taskkill.exe' /im agntsvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /im mydesktopqos.exe
- '%WINDIR%\syswow64\taskkill.exe' /im isqlplussvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /im xfssvccon.exe
- '%WINDIR%\syswow64\taskkill.exe' /im mydesktopservice.exe
- '%WINDIR%\syswow64\taskkill.exe' /im ocautoupds.exe
- '%WINDIR%\syswow64\taskkill.exe' /im firefoxconfig.exe
- '%WINDIR%\syswow64\taskkill.exe' /im wordpad.exe
Modifies file system
Creates the following files
- %HOMEPATH%\appdata\pagesfilo.sys
- C:\read_me!_.txt
- D:\read_me!_.txt
- C:\$recycle.bin\read_me!_.txt
- C:\$recycle.bin\rcru_64.exe
- C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\read_me!_.txt
Modifies the following files
- D:\install.log
- <Drive name for removable media>:\delete.avi
- <Drive name for removable media>:\join.avi
- <Drive name for removable media>:\archer.avi
- <Drive name for removable media>:\tileimage.bmp
- <Drive name for removable media>:\dialmap.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\toolbar.bmp
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\sdksampleunprivdeveloper.cer
- <Drive name for removable media>:\testee.cer
- <Drive name for removable media>:\contoso.cer
- <Drive name for removable media>:\testcertificate.cer
- <Drive name for removable media>:\pmd.cer
- <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc
Network activity
Connects to
- '12#.#3.179.200':8080
UDP
- DNS ASK re#####r1.opendns.com
- DNS ASK 22#.###.67.208.in-addr.arpa
- DNS ASK my##.#pendns.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall ...
- '%WINDIR%\syswow64\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\netsh.exe' advfirewall set currentprofile state off
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill...
- '%WINDIR%\syswow64\cmd.exe' /c echo %date%-%time%
- '%WINDIR%\syswow64\cmd.exe' /c ver
- '%WINDIR%\syswow64\cmd.exe' /c nslookup myip.opendns.com. resolver1.opendns.com
- '%WINDIR%\syswow64\nslookup.exe' myip.opendns.com. resolver1.opendns.com
- '%WINDIR%\syswow64\cmd.exe' /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f® delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
- '%WINDIR%\syswow64\reg.exe' delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
- '%WINDIR%\syswow64\reg.exe' delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
- '%WINDIR%\syswow64\cmd.exe' /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f® add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\...
- '%WINDIR%\syswow64\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
