Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Yahoo Messengger' = '<SYSTEM32>\system3_.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe system3_.exe'
Creates or modifies the following files:
- %WINDIR%\Tasks\At1.job
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\system3_.exe
- <Drive name for removable media>:\New Folder.exe
Malicious functions:
Executes the following:
- '<SYSTEM32>\cacls.exe' "C:\system volume information" /e /g "%USERNAME%":f
- '<SYSTEM32>\at.exe' 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\system3_.exe
- '<SYSTEM32>\at.exe' /delete /yes
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- <SYSTEM32>\autorun.ini
- %WINDIR%\system3_.exe
- <SYSTEM32>\system3_.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <SYSTEM32>\autorun.ini
- <SYSTEM32>\system3_.exe
Network activity:
Connects to:
- 'www.ba####6.0catch.com':80
- 'www.ba####5.0catch.com':80
- 'www.ba####7.0catch.com':80
- 'www.ba####9.0catch.com':80
- 'www.ba####8.0catch.com':80
- 'www.ba####4.0catch.com':80
- 'www.ba####0.0catch.com':80
- 'h1.##pway.com':80
- 'www.ba####1.0catch.com':80
- 'www.ba####3.0catch.com':80
- 'www.ba####2.0catch.com':80
TCP:
HTTP GET requests:
- h1.##pway.com/asdb028/setting.ini
- h1.##pway.com/asdb026/setting.ini
- h1.##pway.com/asdb032/setting.ini
- h1.##pway.com/asdb030/setting.ini
- h1.##pway.com/asdb024/setting.ini
- www.ba####9.0catch.com/set/setting.ini
- h1.##pway.com/asdb018/setting.ini
- h1.##pway.com/asdb022/setting.ini
- h1.##pway.com/asdb020/setting.ini
- h1.##pway.com/asdb046/setting.ini
- h1.##pway.com/asdb044/setting.ini
- h1.##pway.com/asdb050/setting.ini
- h1.##pway.com/asdb048/setting.ini
- h1.##pway.com/asdb042/setting.ini
- h1.##pway.com/asdb036/setting.ini
- h1.##pway.com/asdb034/setting.ini
- h1.##pway.com/asdb040/setting.ini
- h1.##pway.com/asdb038/setting.ini
- h1.##pway.com/asdb006/setting.ini
- www.ba####2.0catch.com/set/setting.ini
- h1.##pway.com/asdb008/setting.ini
- www.ba####3.0catch.com/set/setting.ini
- h1.##pway.com/asdb004/setting.ini
- www.ba####0.0catch.com/set/setting.ini
- h1.##pway.com/asdb000/setting.ini
- www.ba####1.0catch.com/set/setting.ini
- h1.##pway.com/asdb002/setting.ini
- www.ba####7.0catch.com/set/setting.ini
- h1.##pway.com/asdb014/setting.ini
- www.ba####8.0catch.com/set/setting.ini
- h1.##pway.com/asdb016/setting.ini
- www.ba####6.0catch.com/set/setting.ini
- h1.##pway.com/asdb010/setting.ini
- www.ba####4.0catch.com/set/setting.ini
- h1.##pway.com/asdb012/setting.ini
- www.ba####5.0catch.com/set/setting.ini
UDP:
- DNS ASK www.ba####6.0catch.com
- DNS ASK www.ba####5.0catch.com
- DNS ASK www.ba####7.0catch.com
- DNS ASK www.ba####9.0catch.com
- DNS ASK www.ba####8.0catch.com
- DNS ASK www.ba####4.0catch.com
- DNS ASK www.ba####0.0catch.com
- DNS ASK h1.##pway.com
- DNS ASK www.ba####1.0catch.com
- DNS ASK www.ba####3.0catch.com
- DNS ASK www.ba####2.0catch.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
