Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Update System' = '%APPDATA%\msnmsgrs.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Update System' = '%APPDATA%\msnmsgrs.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\usbdrivers.exe
- <Drive name for removable media>:\AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\Desktop.ini
Malicious functions:
Creates and executes the following:
- %APPDATA%\Microsoft\Protect\Credentials\taskhostt.exe (downloaded from the Internet)
- %APPDATA%\msnmsgrs.exe
Modifies file system :
Creates the following files:
- %APPDATA%\msnmsgrs.exe
- %TEMP%\google_cache2.tmp
- %APPDATA%\Microsoft\Protect\Credentials\taskhostt.exe
- %APPDATA%\Microsoft\Protect\Credentials\wmpnetvk.exe
- %APPDATA%\Microsoft\Protect\Credentials\wmpnetvk.exe:ZONE.identifier
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\usbdrivers.exe
- %APPDATA%\msnmsgrs.exe
- %APPDATA%\Microsoft\Protect\Credentials\wmpnetvk.exe
Network activity:
Connects to:
- 'st####.wshells.ws':3211
- 'pe###ctteam.org':80
- 'wp#d':80
TCP:
HTTP GET requests:
- pe###ctteam.org/nosferatus/Crypter/taskhostt.exe
- wp#d/wpad.dat
UDP:
- DNS ASK pe###ctteam.org
- DNS ASK st####.wshells.ws
- DNS ASK wp#d
- '<Private IP address>':1035
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'BitDefender Firewall Alert'
- ClassName: '' WindowName: 'Windows Security Alert'
