Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'allkeeper' = 'C:\users\Public\conlhost.exe'
Creates the following files on removable media
- <Drive name for removable media>:\dashborder_96.bmp
- <Drive name for removable media>:\tileimage.bmp
- <Drive name for removable media>:\toolbar.bmp
- <Drive name for removable media>:\dashborder_192.bmp
- <Drive name for removable media>:\default.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\dashborder_120.bmp
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\fi51.doc
- <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc
- <Drive name for removable media>:\508softwareandos.doc
- <Drive name for removable media>:\february_catalogue__2015.doc
- <Drive name for removable media>:\lisp_success.doc
- <Drive name for removable media>:\file_p_00000000_1371597592.docx
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx
- <Drive name for removable media>:\holycrosschurchinstructions.docx
- <Drive name for removable media>:\aoc_saq_d_v3_merchant.docx
- <Drive name for removable media>:\api-hashmap.html
- <Drive name for removable media>:\adadsi.html
- <Drive name for removable media>:\alert.html
- <Drive name for removable media>:\trivial-merge.html
- <Drive name for removable media>:\parnas_01.jpeg
- <Drive name for removable media>:\13.jpeg
- <Drive name for removable media>:\4f0bf7ff71f28.jpeg
- <Drive name for removable media>:\168.jpg
- <Drive name for removable media>:\pushkin.jpg
- <Drive name for removable media>:\4f0bf7ff71f28.jpg
- <Drive name for removable media>:\dualectls.pdf
- <Drive name for removable media>:\7790_preview.pdf
- <Drive name for removable media>:\2015-02-worms-nanoparticle-toxicity.pdf
- <Drive name for removable media>:\lom602.pdf
- <Drive name for removable media>:\bc01.pdf
- <Drive name for removable media>:\bg_search_box.png
- <Drive name for removable media>:\cleanlyrics.png
- <Drive name for removable media>:\arrow-down.png
- <Drive name for removable media>:\asm.png
- <Drive name for removable media>:\calibre.png
- <Drive name for removable media>:\cbz.png
- <Drive name for removable media>:\writingcompletesarnarrative_1103.ppt
- <Drive name for removable media>:\mappingconcepthubberlin.ppt
- <Drive name for removable media>:\file1.ppt
- <Drive name for removable media>:\proposaltemplates.ppt
- <Drive name for removable media>:\ppswamp.ppt
- <Drive name for removable media>:\metac.ppt
- <Drive name for removable media>:\middaugh_keynote.pptx
- <Drive name for removable media>:\samieee_obiee_presentation.pptx
- <Drive name for removable media>:\hypothyroidism_slides.pptx
- <Drive name for removable media>:\indogerman2010.pptx
- <Drive name for removable media>:\stoc13_ml_quoc_le.pptx
- <Drive name for removable media>:\pandp.rtf
- <Drive name for removable media>:\myhrvoldhanssenbiharfamine.rtf
- <Drive name for removable media>:\phytoremediation.rtf
- <Drive name for removable media>:\fungalnameauthors.rtf
- <Drive name for removable media>:\router_manual.rtf
- <Drive name for removable media>:\guide_reorganization_mapping.xls
- <Drive name for removable media>:\productos.xls
- <Drive name for removable media>:\1sm_price.xls
- <Drive name for removable media>:\calculatorworksheet.xls
- <Drive name for removable media>:\subjectclassification.xls
- <Drive name for removable media>:\2013_smccc_competition_points_jul2013.xlsx
- <Drive name for removable media>:\cee_mmsprogram_summary_public.xlsx
- <Drive name for removable media>:\2013_finalsummaryforweb.xlsx
- <Drive name for removable media>:\national_autism_preparation_programs.xlsx
- <Drive name for removable media>:\applicant.xlsx
- <Drive name for removable media>:\suspendedcompanies.xlsx
- <Drive name for removable media>:\disclosuredetails.xlsx
- <Drive name for removable media>:\calculatorworksheet.zip
- <Drive name for removable media>:\price.zip
- <Drive name for removable media>:\fiche_inscription_2015.zip
- <Drive name for removable media>:\1sm_price.zip
- <Drive name for removable media>:\price030215.zip
- <Drive name for removable media>:\contractualdeadlines.zip
- <Drive name for removable media>:\removedtitles_records.zip
Malicious functions
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\1189.jpg
- %HOMEPATH%\desktop\168.jpeg
- %HOMEPATH%\desktop\2.jpeg
- %HOMEPATH%\desktop\4f0bf7ff71f28.jpg
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\alert.html
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\coffee.bmp
- %HOMEPATH%\desktop\cveuropeo.doc
- %HOMEPATH%\desktop\february_catalogue__2015.doc
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\iisstart.html
- %HOMEPATH%\desktop\pushkin.jpeg
- %HOMEPATH%\desktop\tileimage.bmp
Modifies file system
Creates the following files
- C:\users\public\del.bat
- C:\users\public\conlhost.exe
- C:\users\public\files
- C:\users\public\testdecrypt
- C:\files_back.txt
- C:\users\files_back.txt
- C:\users\public\files_back.txt
- %HOMEPATH%\files_back.txt
- %HOMEPATH%\favorites\files_back.txt
- %HOMEPATH%\pictures\files_back.txt
- C:\users\public\time.e
Sets the 'hidden' attribute to the following files
- C:\users\public\conlhost.exe
- C:\users\public\time.e
Modifies the following files
- <Drive name for removable media>:\dashborder_96.bmp
- <Drive name for removable media>:\tileimage.bmp
- <Drive name for removable media>:\toolbar.bmp
- <Drive name for removable media>:\dashborder_192.bmp
- <Drive name for removable media>:\default.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\dashborder_120.bmp
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\fi51.doc
- <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc
- <Drive name for removable media>:\508softwareandos.doc
- <Drive name for removable media>:\february_catalogue__2015.doc
- <Drive name for removable media>:\lisp_success.doc
- <Drive name for removable media>:\file_p_00000000_1371597592.docx
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx
- <Drive name for removable media>:\holycrosschurchinstructions.docx
- <Drive name for removable media>:\aoc_saq_d_v3_merchant.docx
Modifies user data files (Trojan.Encoder).
Network activity
Connects to
- '46.##.169.106':80
- '<DNS_SERVER>':53
UDP
- DNS ASK bl###chain.info
Miscellaneous
Creates and executes the following
- 'C:\users\public\conlhost.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c C:\users\Public\del.bat
- '%WINDIR%\syswow64\reg.exe' ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
- '%WINDIR%\syswow64\reg.exe' ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
- '%WINDIR%\syswow64\cmd.exe' /c C:\users\Public\del.bat' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64' (with hidden window)
