Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Information CNG Removal Remote' = '<SYSTEM32>\nbkerdxxuu.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\nbkerdxxuu.exe
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Background Networking Internet Font System] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\etgsiuruw.exe' "<SYSTEM32>\nbkerdxxuu.exe"
- '%WINDIR%\Temp\unwjorm3ywjhn5z.exe' -r 28425 tcp
- '%TEMP%\unwjorm3rjrhn5qtw2yv.exe'
- '<SYSTEM32>\nbkerdxxuu.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\qhkpjwlou\run
- <SYSTEM32>\qhkpjwlou\rng
- <SYSTEM32>\qhkpjwlou\cfg
- <SYSTEM32>\qhkpjwlou\por
- %WINDIR%\Temp\unwjorm3ywjhn5z.exe
- %TEMP%\unwjorm3rjrhn5qtw2yv.exe
- <SYSTEM32>\qhkpjwlou\tst
- <SYSTEM32>\qhkpjwlou\etc
- <SYSTEM32>\etgsiuruw.exe
- <SYSTEM32>\nbkerdxxuu.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\etgsiuruw.exe
- <SYSTEM32>\nbkerdxxuu.exe
Deletes the following files:
- %WINDIR%\Temp\unwjorm3ywjhn5z.exe
- <DRIVERS>\etc\hosts
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'wi###tudy.net':80
- 'dr###study.net':80
- 'wi###oss.net':80
- 'dr###loss.net':80
- 'wi###ncle.net':80
- 'th###loss.net':80
- 'th###study.net':80
- 'dr###uncle.net':80
- 'th###once.net':80
- 'kn###ther.net':80
- 'ab###orty.net':80
- 'kn###all.net':80
- 'ab###ther.net':80
- 'kn###orty.net':80
- 'wi###nce.net':80
- 'dr###once.net':80
- 'ab###ree.net':80
- 'kn###ree.net':80
- 'th###uncle.net':80
- 'hi###oss.net':80
- 'wh###tudy.net':80
- 'hi###nce.net':80
- 'wh###oss.net':80
- 'vi###mojo.com':80
- 'ja###uter.com':80
- 'do####club-grup.com':80
- 'mo###uia.com':80
- 'mo###itio.com':80
- 'lo###oss.net':80
- 'fe###oss.net':80
- 'lo###nce.net':80
- 'fe###nce.net':80
- 'lo###tudy.net':80
- 'fe###ncle.net':80
- 'wh###nce.net':80
- 'fe###tudy.net':80
- 'lo###ncle.net':80
TCP:
HTTP GET requests:
- wi###tudy.net/forum/search.php?me#########################################
- dr###study.net/forum/search.php?me#########################################
- wi###oss.net/forum/search.php?me#########################################
- dr###loss.net/forum/search.php?me#########################################
- wi###ncle.net/forum/search.php?me#########################################
- th###loss.net/forum/search.php?me#########################################
- th###study.net/forum/search.php?me#########################################
- dr###uncle.net/forum/search.php?me#########################################
- th###once.net/forum/search.php?me#########################################
- kn###ther.net/forum/search.php?me#########################################
- ab###orty.net/forum/search.php?me#########################################
- kn###all.net/forum/search.php?me#########################################
- ab###ther.net/forum/search.php?me#########################################
- kn###orty.net/forum/search.php?me#########################################
- wi###nce.net/forum/search.php?me#########################################
- dr###once.net/forum/search.php?me#########################################
- ab###ree.net/forum/search.php?me#########################################
- kn###ree.net/forum/search.php?me#########################################
- th###uncle.net/forum/search.php?me#########################################
- hi###oss.net/forum/search.php?me#########################################
- wh###tudy.net/forum/search.php?me#########################################
- hi###nce.net/forum/search.php?me#########################################
- wh###oss.net/forum/search.php?me#########################################
- vi###mojo.com/forum/search.php?me#########################################
- ja###uter.com/forum/search.php?me#########################################
- do####club-grup.com/forum/search.php?me#########################################
- mo###uia.com/forum/search.php?me#########################################
- mo###itio.com/forum/search.php?me#########################################
- lo###oss.net/forum/search.php?me#########################################
- fe###oss.net/forum/search.php?me#########################################
- lo###nce.net/forum/search.php?me#########################################
- fe###nce.net/forum/search.php?me#########################################
- lo###tudy.net/forum/search.php?me#########################################
- fe###ncle.net/forum/search.php?me#########################################
- wh###nce.net/forum/search.php?me#########################################
- fe###tudy.net/forum/search.php?me#########################################
- lo###ncle.net/forum/search.php?me#########################################
UDP:
- DNS ASK dr###study.net
- DNS ASK wi###ncle.net
- DNS ASK wi###tudy.net
- DNS ASK wi###oss.net
- DNS ASK dr###loss.net
- DNS ASK th###study.net
- DNS ASK th###uncle.net
- DNS ASK th###loss.net
- DNS ASK dr###uncle.net
- DNS ASK th###once.net
- DNS ASK kn###ther.net
- DNS ASK ab###orty.net
- DNS ASK ab###ther.net
- DNS ASK ab###all.net
- DNS ASK kn###all.net
- DNS ASK wi###nce.net
- DNS ASK dr###once.net
- DNS ASK kn###ree.net
- DNS ASK kn###orty.net
- DNS ASK ab###ree.net
- DNS ASK wh###tudy.net
- DNS ASK vi###mojo.com
- DNS ASK wh###oss.net
- DNS ASK hi###oss.net
- DNS ASK mo###uia.com
- DNS ASK el#####arimagine.com
- DNS ASK do####club-grup.com
- DNS ASK mo###itio.com
- DNS ASK ja###uter.com
- DNS ASK hi###nce.net
- DNS ASK lo###oss.net
- DNS ASK fe###oss.net
- DNS ASK lo###nce.net
- DNS ASK fe###nce.net
- DNS ASK lo###tudy.net
- DNS ASK fe###ncle.net
- DNS ASK wh###nce.net
- DNS ASK lo###ncle.net
- DNS ASK fe###tudy.net
- '23#.#55.255.250':1900
