Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '1' = '%TEMP%\win32.exe'
Malicious functions
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Yahoo\pager]
- [<HKCU>\Software\Paltalk]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
Modifies file system
Creates the following files
- %TEMP%\win32.exe
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012020061720200618\index.dat
Network activity
TCP
HTTP GET requests
- http://bo#####e.hack-free.net/index.php?ac##################################################
- http://bo#####e.hack-free.net/index.php?ac#########################################################################################################
- http://ww##.###doire.hack-free.net/index.php?ac##################################################
- http://ww##.###doire.hack-free.net/index.php?ac#########################################################################################################
- http://ww##.###doire.hack-free.net/px.gif?ch#######################
- http://www.google.com/adsense/domains/caf.js
UDP
- DNS ASK bo#####e.hack-free.net
- DNS ASK ww##.###doire.hack-free.net
- DNS ASK google.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%TEMP%\win32.exe'
