Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'vonyzjakaqom' = '%HOMEPATH%\vonyzjakaqom.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\wsqmcons.exe'
- '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
- '<SYSTEM32>\schtasks.exe' /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
- '<SYSTEM32>\sc.exe' start w32time task_started
- '<SYSTEM32>\sdclt.exe' /CONFIGNOTIFICATION
- '<SYSTEM32>\taskhost.exe' $(Arg0)
Modifies file system :
Creates the following files:
- C:\ProgramData\Microsoft\RAC\Temp\sqlB99E.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sqlB9FC.tmp
- %HOMEPATH%\vonyzjakaqom.exe
- %APPDATA%\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3525224950-2885160813-905547259-1000\7ee83745df35bad5ccfc8cd8875de253_fdaad129-04df-4089-bb80-174ce725f721
Deletes the following files:
- C:\ProgramData\Microsoft\RAC\Temp\sqlB99E.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sqlB9FC.tmp
Network activity:
Connects to:
- '67.##5.160.76':25
- 'sm##.live.com':25
UDP:
- DNS ASK mo###ophoto.com
- DNS ASK ro####how.com.au
- DNS ASK dj###taro.com
- DNS ASK sz###tufi.com
- DNS ASK ac###nvestor.ca
- DNS ASK ar#####turadigital.com
- DNS ASK ch####supplies.net
- DNS ASK ss#####ginggroup.com
- DNS ASK ac#####oambiente.com
- DNS ASK fr#####entauction.com
- DNS ASK wl#.##uisiana.gov
- DNS ASK th###rgery.com
- DNS ASK tr####y-works.com
- DNS ASK es####-hotelier.com
- DNS ASK se##door.pl
- DNS ASK de####scueusa.com
- DNS ASK ra######ckwarehouse.com.au
- DNS ASK ja#####sallamerican.com
- DNS ASK ma####.us2.mcsv.net
- DNS ASK cb####nting.com.au
- DNS ASK su###le.co.jp
- DNS ASK ka###hal.com
- DNS ASK ar###2aa.org
- DNS ASK ha####ltimedia.com
- DNS ASK db####onents.com
- DNS ASK fa#####hofamerica.com
- DNS ASK ge###ermusa.com
- DNS ASK is#####ltarim.com.tr
- DNS ASK nu###ech.com
- DNS ASK ct###rocess.org
- DNS ASK si####etalsinc.com
- DNS ASK sg###nting.ca
- DNS ASK co###ne.or.id
- DNS ASK is####arnataka.org
- DNS ASK ib##.com.br
- DNS ASK th######inghouseltd.co.uk
- DNS ASK sm##.#ompuserve.com
- DNS ASK sa####connection.ca
- DNS ASK el###rno.com
- DNS ASK un###.edu.bo
- DNS ASK pa##tow.com
- DNS ASK ka####ka.vic.edu.au
- DNS ASK al###wared.com
- DNS ASK ca#####citytuxedo.com
- DNS ASK av##ay.com
- DNS ASK aj##.net
- DNS ASK to##x.ro
- DNS ASK ch####ybarry.com
- DNS ASK to###ipe.com
- DNS ASK he###mare.nl
- DNS ASK ka##it.com
- DNS ASK eo##.net
- DNS ASK ar####esajandek.hu
- DNS ASK yo###omla.com
- DNS ASK le####shipforum.us
- DNS ASK re####efield.co.uk
- DNS ASK ch####-select.com
- DNS ASK al######ive-aquitaine.co.uk
- DNS ASK al####ousehotel.com
- DNS ASK ro#####cintyre.com.au
- DNS ASK we####dechurch.org
- DNS ASK fr#####high.school.nz
- DNS ASK ku###ci.or.jp
- DNS ASK na###gurus.com
- DNS ASK su###france.com
- DNS ASK le###riage.com
- DNS ASK ag#####des-druides.com
- DNS ASK ea##gen.com
- DNS ASK ch####clothes.com
- DNS ASK pr######nsolutionsky.com
- DNS ASK co##tney.ca
- DNS ASK ac###ctory.net
- DNS ASK xn########h8abch1g1b0ap6a9vxa.com
- DNS ASK e-###ukyaku.com
- DNS ASK fa###nonline.de
- DNS ASK bu####llmedia.com
- DNS ASK is##h.com
- DNS ASK br###ndia.com
- DNS ASK do##sf.com
- DNS ASK du###fipec.kz
- DNS ASK ne###adgunar.kz
- DNS ASK fu###tbab.kz
- DNS ASK do###ritdud.kz
- DNS ASK mo###ixhimz.kz
- DNS ASK ha###acosgib.kz
- DNS ASK fo###dihija.kz
- DNS ASK vu###rkuz.kz
- DNS ASK bo####ydesign.com
- DNS ASK ph###clubs.com
- DNS ASK pc##ds.com
- DNS ASK ma#####siecologia.com
- DNS ASK ke###urjixmi.kz
- DNS ASK fo###oqkenix.kz
- DNS ASK e-###ami.com
- DNS ASK co##th.com
- DNS ASK xi###group.com
- DNS ASK ka####okuren.com
- DNS ASK an###ervice.com
- DNS ASK sa###david.com
- DNS ASK st####ennygames.com
- DNS ASK ya###oto-sr.com
- DNS ASK au####ansurfing.at
- DNS ASK cg###ngland.com
- DNS ASK ni###.com.cn
- DNS ASK ti###urkey.com
- DNS ASK li####ist-uk.com
- DNS ASK ws#####rontheweb.com
- DNS ASK th###tospas.com
- DNS ASK ul##dsu.org
- DNS ASK di##ro.se
- DNS ASK gi###imo.com
- DNS ASK au####ce-web.net
- DNS ASK to###nmeuse.com
- DNS ASK op###er.com.au
- DNS ASK ck###obal.net
- DNS ASK tr###alau.com
- DNS ASK mo#####-vacaciones.com
- DNS ASK kr###haus.com
- DNS ASK gj#.com.pl
- DNS ASK fu###o-lab.com
- DNS ASK as###isk.com.sg
- DNS ASK zi####rbatului.ro
- DNS ASK ar##for.com
- DNS ASK e-###rming.com
- DNS ASK te###ra.co.jp
- DNS ASK im###.com.pl
- DNS ASK ko###hi-hp.com
- DNS ASK mi###stga.com
- DNS ASK sd#p.ie
- DNS ASK un#####arthgroup.com
- DNS ASK go####luecenter.com
- DNS ASK st##net.de
- DNS ASK ap###farm.org
- DNS ASK ga######onlinemagazine.com
- DNS ASK me#####-jacquelin.com
- DNS ASK ur##asu.net
- DNS ASK ia###obal.or.id
- DNS ASK ad####ivechat.us
- DNS ASK va###ardpkg.com
- DNS ASK wo#####dhillwinery.com
- DNS ASK sc##edel.it
- DNS ASK ic###ain.com
- DNS ASK be#####rebusiness.org
- DNS ASK ga###marine.com
- DNS ASK pl#s.ba
- DNS ASK bi#####ultimedia.com
- DNS ASK nd####nementiel.com
- DNS ASK lo###tic.com
- DNS ASK ti##.#indows.com
- DNS ASK ma###-man.com
- DNS ASK ma###chn.com
- DNS ASK bu####ss-edge.com
- DNS ASK re##soft.ru
- DNS ASK my####center.com
- DNS ASK te##ole.com
- DNS ASK so####oncorp.com
- DNS ASK ey###oup.com
- DNS ASK te####g-video.com
- DNS ASK ch###eative.com
- DNS ASK bi#####sbeefjerky.com
- DNS ASK pe####sion.co.in
- DNS ASK fl###ercorp.com
- DNS ASK sa##y.com
- DNS ASK le###ridica.com
- DNS ASK dn#.##ftncsi.com
- DNS ASK sm##.#ail.yahoo.com
- DNS ASK sm##.live.com
- DNS ASK ru###eberg.com
- DNS ASK no###uroya.com
- DNS ASK th####ofhair.com
- DNS ASK vi####agamba.com
- DNS ASK au##ma.it
- DNS ASK ge####isions.com
- DNS ASK na###sklep.pl
- DNS ASK pi##mia.com
- DNS ASK at#####hnologies.com
- DNS ASK ce####kalip.com.tr
- DNS ASK et###les.com
- DNS ASK ge###r.gen.tr
- DNS ASK sh###yspizza.ph
- DNS ASK ma####grimes.co.uk
- DNS ASK hp####rvices.com
- DNS ASK pe#c.ca
- DNS ASK ho###hd.com.br
- DNS ASK sk###r.com.pl
- DNS ASK no##-k.com
- DNS ASK pa###ball.be
- DNS ASK re###dhits.com
- DNS ASK fl####adoubled.com
- DNS ASK ba######ramsevatrust.org
- DNS ASK st###edia.ca
- DNS ASK sm##.#irectcon.net
- DNS ASK st##om.nl
- DNS ASK ca###choice.org
- DNS ASK up###on89.com
- DNS ASK sc####inpeach.com
- DNS ASK sh#####teexpress.com
- DNS ASK au#####ica-travel.com
- DNS ASK st#####ldlifeart.com
- DNS ASK vi###ria.com.pl
- DNS ASK go####rk-moossee.ch
- DNS ASK re####eretreat.com
- DNS ASK to#####rthcare.com.au
- DNS ASK ch####atecovers.com
- DNS ASK ma##.#irmail.net
- DNS ASK hi##ken.com
- DNS ASK br####nternet.nl
- DNS ASK lo###rlookz.com
- DNS ASK ea####rmations.net
- DNS ASK pb##.com
- DNS ASK x-#####ommunications.de
- DNS ASK fr#####ckallergy.com
- DNS ASK st###tives.org
- DNS ASK vb##z.com
- DNS ASK na####ictures.com
- DNS ASK wi#####emarketing.com
- DNS ASK ca####eonline.com
- DNS ASK na####ecurtiss.com
- DNS ASK au####direkt.net
- DNS ASK so#####rganizing.com
- DNS ASK ag##rno.ru
- DNS ASK em###dalia.com
- DNS ASK mi####io-teatras.lt
- DNS ASK br####arm.com.au
- DNS ASK th#####ldsongroup.com
- DNS ASK se###co-ind.com
- DNS ASK ta##i.com
- DNS ASK je###mate.co.jp
- DNS ASK ro###eli.com
- DNS ASK sh###zil.com
- DNS ASK ma###egor.co.kr
- DNS ASK kv###atoff.ru
- DNS ASK co####permarkt.nl
- DNS ASK ac#####ificrepairs.com
- DNS ASK sl##go.org
- DNS ASK sm##.###global.yahoo.com
- DNS ASK te###avis.com
- DNS ASK ch###scope.com
- DNS ASK we####llsstl.org
- DNS ASK mi###ech.net
- DNS ASK ni####ictionary.com
- DNS ASK na###ngcw.com
- DNS ASK tv##ra.net
- DNS ASK or####networks.net
- DNS ASK s2#.fr
- DNS ASK ur####aproject.com
- DNS ASK ma####ntralaya.com
- DNS ASK ze###et.co.jp
- DNS ASK ma###acorp.com
- DNS ASK ik##s.fr
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
