Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Taskman' = '%HOMEPATH%\aegvvp.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %HOMEPATH%\aegvvp.exe
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\aegvvp.exe
Network activity:
UDP:
- DNS ASK mu###.###tal-protection.net.ru
- DNS ASK sl###.##fehousenumber.com
- 'mu###.###tal-protection.net.ru':19700
- 'sl###.##fehousenumber.com':19700
Miscellaneous:
Searches for the following windows:
- ClassName: 'Qftgx. Jfvk Wyyxn' WindowName: 'Bljuj. Emj. Auvp'
- ClassName: 'Ydcgsicm Xftmalh Yd' WindowName: 'Mowmir. Wolwndej'
- ClassName: 'Qostf, Y' WindowName: 'Qostf, Y'
- ClassName: 'Miss Qdlyg' WindowName: 'Miss Qdlyg'
- ClassName: 'Y' WindowName: 'Qostf, Y, Qostf'
- ClassName: 'Qwhm. Bcqvaq Ftmd' WindowName: 'Hsfrt Sicyl Xmjqcor'
- ClassName: 'Jdly Qpudgped Mdq' WindowName: 'Srce. Nrtmu, Hkbut'
- ClassName: 'Uameag Ssohqxyb' WindowName: 'Jronp Gcwglbbb G'
- ClassName: 'Ewjvohn Bx' WindowName: 'Ewjvohn Bx'
- ClassName: 'Hlfix. Iutsi. Majhy' WindowName: 'Laxvle, Rgbbkquxl'
- ClassName: 'Qrombk Rrowcxmbcfu' WindowName: 'Whcrd. Gjxbj, Sn'
- ClassName: 'Xtdtyf. Slcqxfqk' WindowName: 'Nbxywefyo Ggv U'
- ClassName: 'Nvdna. Ugqi Tcfctbk' WindowName: 'Qeswy, Tmiu Oofsur'
- ClassName: 'Nte Pobolj' WindowName: 'Oihebkbwdf Kocj, Ujpe'
- ClassName: 'Lctkh. Tdugdf Nc' WindowName: 'Ouhb. Ujcgrioq Ny'
- ClassName: 'Jfw' WindowName: 'Bfqqoro. Ahptkas, Ciiha. Obj'
- ClassName: 'Ciiha. Obj, Jfw' WindowName: 'Bfqqoro. Ahptkas'
- ClassName: 'Ujpe, Nte Pobolj' WindowName: 'Oihebkbwdf Kocj'
- ClassName: 'Jqxdglvbtm Xlbap' WindowName: 'Uhnret Soci Ixxvth'
- ClassName: 'Kgv. Fcmeuh Fav' WindowName: 'Svjvgkd, Ebgppl'
- ClassName: 'Ahjxoby Qrg. Wtdy' WindowName: 'Etmcnpf Wkutycqm'
- ClassName: 'Aaaspg. Gwadavbx' WindowName: 'Hwswc, Lvsnx, Kw'
- ClassName: 'Txvrcvqj. Nnyivsr' WindowName: 'Bwhknnj Ffmom, R'
- ClassName: 'Sbwl' WindowName: 'Dehgeb, Ngkgpv V, Kkfvdp Hrb'
- ClassName: 'Eaao Dyonm, Ccwa' WindowName: 'Ofph, Lvi, Vmfytvr'
- ClassName: 'Isjgl C' WindowName: 'Kbqnd Toxnt Oqgkm, Ifqpmc'
- ClassName: 'Ccwa' WindowName: 'Ofph, Lvi, Vmfytvr, Eaao Dyonm'
- ClassName: 'Wlkxrxd Rqm, Iklgy' WindowName: 'Hhwbrexk Yuxtu B'
- ClassName: 'Vkfwrypx Lnfvvrm N' WindowName: 'Ssptkd Vgef Xrnbc'
- ClassName: 'Ifqpmc, Isjgl C' WindowName: 'Kbqnd Toxnt Oqgkm'
- ClassName: 'Myavjhi Fyii Tsg' WindowName: 'Pfxga, Ymukr. Op'
- ClassName: 'Yacocwj Ejj Wnabqld' WindowName: 'Ujmg. Wxiioac Tr'
- ClassName: 'Dlc, Be, Syvyrc Cua' WindowName: 'Nwfty Amdswp Kbgkp'
- ClassName: 'Qxvo. Lquwwq Hxe' WindowName: 'Tpwh Aivpnit Aqn'
- ClassName: 'Syvyrc Cua' WindowName: 'Nwfty Amdswp Kbgkp, Dlc, Be'
- ClassName: 'Iklgy' WindowName: 'Hhwbrexk Yuxtu B, Wlkxrxd Rqm'
- ClassName: 'Iedewhlb, Etir Jeuc' WindowName: 'Etocsl, Ldchs Kj'
- ClassName: 'Ruqp. La' WindowName: 'Jgwk, Ruqp. La, Jgwk'
- ClassName: 'Etir Jeuc' WindowName: 'Etocsl, Ldchs Kj, Iedewhlb'
- ClassName: 'Kkfvdp Hrb, Sbwl' WindowName: 'Dehgeb, Ngkgpv V'
- ClassName: 'Vejiir Akgwo O' WindowName: 'Vejiir Akgwo O'
- ClassName: 'Jgwk, Ruqp. La' WindowName: 'Jgwk, Ruqp. La'
- ClassName: 'Yhljqg' WindowName: 'Exbyhu Kjjfg Gfqbg, Scds. Vhvev'
- ClassName: 'Scds. Vhvev, Yhljqg' WindowName: 'Exbyhu Kjjfg Gfqbg'
- ClassName: 'Rwegnxys Bghp Qasrn' WindowName: 'Pxnttkipmk Lptcp'
- ClassName: 'Mfayl Jffn. Nuyrnqq' WindowName: 'Efkjeyf Cqkgdjl'
- ClassName: 'Mmmrpp Pvgka Kucsc I' WindowName: 'Mmmrpp Pvgka Kucsc I'
