Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\APC-Host] 'Start' = '00000002'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Anyplace Control\apc_host.exe' = '%PROGRAM_FILES%\Anyplace Control\apc_host.exe:*:Enabled:Anyplace Control - Host Module'
Creates and executes the following:
- '%PROGRAM_FILES%\Anyplace Control\hcs.exe' "/effects=onC:\Program?Files\Anyplace?Control\apc-settings.ini"
- '%PROGRAM_FILES%\Anyplace Control\apc_host.exe' /service
- '%PROGRAM_FILES%\Anyplace Control\hcs.exe' "/wallpaper=on"
- '%PROGRAM_FILES%\Anyplace Control\hcs.exe' "/theme=onC:\Program?Files\Anyplace?Control\apc-settings.ini"
- '%PROGRAM_FILES%\Anyplace Control\apc_hostconfig.exe' /setup /password=
- '<Current directory>\<Virus name>_tmp.exe' /password=
- '%PROGRAM_FILES%\Anyplace Control\apc_host.exe' /install /silent
- '%PROGRAM_FILES%\Anyplace Control\apc_host.exe' /uninstall /silent
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.DEU.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.ntv.lng
- %PROGRAM_FILES%\Anyplace Control\apc_host.exe
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.RUS.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.ITA.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.ESN.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.FRA.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.ITA.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.ESN.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.FRA.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.PTB.lng
- %PROGRAM_FILES%\Anyplace Control\apc_hostconfig.exe
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.ARA.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.PLK.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.PTB.lng
- %PROGRAM_FILES%\Anyplace Control\hostaccount.ini
- %ALLUSERSPROFILE%\Start Menu\Programs\Anyplace Control\Uninstall.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\Anyplace Control\Host Module settings.lnk
- %PROGRAM_FILES%\Anyplace Control\apc-host.log
- %PROGRAM_FILES%\Anyplace Control\install.sss
- %PROGRAM_FILES%\Anyplace Control\hoststate.dat
- %PROGRAM_FILES%\Anyplace Control\apc-settings.ini
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.ARA.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_hostConfig.PLK.lng
- %PROGRAM_FILES%\Anyplace Control\hcs.exe
- %PROGRAM_FILES%\Anyplace Control\license.txt
- %ALLUSERSPROFILE%\Start Menu\Programs\Anyplace Control\Host Module.lnk
- %PROGRAM_FILES%\Anyplace Control\INSTALL.LOG
- %PROGRAM_FILES%\Anyplace Control\Uninstall.exe
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.RUS.lng
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_que.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_inf.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_cancel.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\unbanner.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\plugins\0\CustomUI.dll
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\maintenance.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\unwatermark.bmp
- %TEMP%\1Q542C7I\Resume.exe
- %TEMP%\1Q542C7I\unpack.dll
- <Current directory>\<Virus name>_tmp.exe
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\license.txt
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_warn.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\watermark.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\banner.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\packagedb
- %PROGRAM_FILES%\Anyplace Control\libspeexdsp.dll
- %PROGRAM_FILES%\Anyplace Control\Anyplace Control.chm
- %APPDATA%\Anyplace Control 4\installerpath.txt
- %PROGRAM_FILES%\Anyplace Control\libspeex.dll
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.DEU.lng
- %PROGRAM_FILES%\Anyplace Control\Languages\apc_Admin.ntv.lng
- %PROGRAM_FILES%\Anyplace Control\apc_Admin.exe
- %PROGRAM_FILES%\Anyplace Control\anyplace-control.ini
- %TEMP%\1Q542C7I\<Virus name>_tmp\maindb
- %TEMP%\1Q542C7I\<Virus name>_tmp\languages
- %ALLUSERSPROFILE%\Application Data\Anyplace Control 4\anyplace-control.ini
- %PROGRAM_FILES%\Anyplace Control\installerpath.txt
- %ALLUSERSPROFILE%\Application Data\Anyplace Control 4\installerpath.txt
- %APPDATA%\Anyplace Control 4\anyplace-control.ini
Deletes the following files:
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_warn.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\license.txt
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_inf.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_que.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\unwatermark.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\watermark.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\maintenance.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\unbanner.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\languages
- %TEMP%\1Q542C7I\<Virus name>_tmp\maindb
- %TEMP%\1Q542C7I\Resume.exe
- %TEMP%\1Q542C7I\unpack.dll
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\banner.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\presetup\butt_cancel.bmp
- %TEMP%\1Q542C7I\<Virus name>_tmp\packagedb
- %TEMP%\1Q542C7I\<Virus name>_tmp\plugins\0\CustomUI.dll
Network activity:
Connects to:
- 'an#####e-gateway.info':443
UDP:
- DNS ASK an#####e-gateway.info
Miscellaneous:
Searches for the following windows:
- ClassName: 'Tapchcform_About' WindowName: ''
- ClassName: 'Tapchcform_CurrentConnections' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'APC_HOST_HandlerWindow' WindowName: ''
