Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe regsvr.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Msn Messsenger' = '<SYSTEM32>\regsvr.exe'
Creates or modifies the following files
- %WINDIR%\tasks\at1.job
- <SYSTEM32>\tasks\at1
Creates the following files on removable media
- <Drive name for removable media>:\new folder .exe
- <Drive name for removable media>:\regsvr.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Registry Editor (RegEdit)
modifies the following system settings:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '00000000'
Executes the following
- '%WINDIR%\syswow64\at.exe' /delete /yes
- '%WINDIR%\syswow64\at.exe' 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe
Modifies file system
Creates the following files
- %APPDATA%\wplugin.dll
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i9y0gyn5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pjla4wqz\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j1t4jnj0\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\p8e0c3df\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %WINDIR%\syswow64\svchost .exe
- %WINDIR%\ws2help.dll
- %WINDIR%\regsvr.exe
- %WINDIR%\syswow64\regsvr.exe
- %WINDIR%\syswow64\28463\svchost.001
- %TEMP%\autb77.tmp
- %TEMP%\autabb.tmp
- %WINDIR%\explorer.exe.local
- %WINDIR%\wplugin.dll
- %WINDIR%\syswow64\setup.ini
- %WINDIR%\syswow64\setting.ini
Sets the 'hidden' attribute to the following files
- %WINDIR%\syswow64\regsvr.exe
- %WINDIR%\syswow64\svchost .exe
- %WINDIR%\syswow64\setup.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\p8e0c3df\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j1t4jnj0\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pjla4wqz\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i9y0gyn5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %WINDIR%\syswow64\setting.ini
Deletes the following files
- %TEMP%\autabb.tmp
- %TEMP%\autb77.tmp
Network activity
TCP
HTTP GET requests
- http://ya##o.com/setting.doc
- http://ya##o.com/setting.xls
- http://www.ya##o.com/setting.doc
UDP
- DNS ASK ya##o.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /C AT /delete /yes' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C AT /delete /yes
- '%WINDIR%\syswow64\cmd.exe' /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\Wininet.dll",DispatchAPICall 1
