Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\thmus] 'Start' = '00000002'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Malicious functions:
Creates and executes the following:
- <Current directory>\b.exe (downloaded from the Internet)
- <Current directory>\a.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\svchost.exe
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
- \Device\LanmanRedirector\192.168.19.2\pipe\browser
- \Device\LanmanRedirector\192.168.19.3\pipe\browser
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJBU4WF7\jxkpme[1].bmp
- <SYSTEM32>\x
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TUSE347B\wpad[1].dat
- \Device\LanmanRedirector\192.168.19.7\pipe\browser
- \Device\LanmanRedirector\192.168.19.8\pipe\browser
- \Device\LanmanRedirector\192.168.19.6\pipe\browser
- \Device\LanmanRedirector\192.168.19.4\pipe\browser
- \Device\LanmanRedirector\192.168.19.5\pipe\browser
- <Current directory>\a.exe
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJBU4WF7\desktop.ini
- <SYSTEM32>\01.tmp
- <SYSTEM32>\qqqqqqqq.vmx
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\file1[1].exe
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TUSE347B\desktop.ini
- <Current directory>\b.exe
- \Device\LanmanRedirector\192.168.19.1\pipe\browser
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\file2[1].exe
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23CHAXSZ\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YZLJ20S\desktop.ini
Sets the 'hidden' attribute to the following files:
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YZLJ20S\desktop.ini
- <Drive name for removable media>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
- <Drive name for removable media>:\autorun.inf
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23CHAXSZ\desktop.ini
- <SYSTEM32>\kvzgmyr.dll
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJBU4WF7\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TUSE347B\desktop.ini
Deletes the following files:
- <SYSTEM32>\01.tmp
Network activity:
Connects to:
- 'wpad.localdomain':80
- '<Private IP address>':139
- '<Private IP address>':2370
- 'www.wh###smyip.org':80
- 'ch####p.dyndns.org':80
- 'www.ge##yip.org':80
- 'localhost':1040
- '8s##ing.ru':80
- 'localhost':1038
- 'localhost':1047
- 'www.wh#####ipaddress.com':80
- '<Private IP address>':445
TCP:
HTTP GET requests:
- www.ge##yip.org/
- ch####p.dyndns.org/
- www.wh###smyip.org/
- wpad.localdomain/wpad.dat
- 8s##ing.ru/file1.exe
- 8s##ing.ru/file2.exe
- www.wh#####ipaddress.com/
UDP:
- DNS ASK www.ge##yip.org
- DNS ASK ch####p.dyndns.org
- DNS ASK www.wh###smyip.org
- DNS ASK wpad.localdomain
- DNS ASK 8s##ing.ru
- DNS ASK www.wh#####ipaddress.com
- '23#.#55.255.250':1900
