Technical Information
Malicious functions
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\ORL\WinVNC3]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\Wow6432Node\FlashFXP\3]
- [<HKLM>\Software\FlashFXP\3]
- [<HKLM>\Software\Wow6432Node\FlashFXP]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\FileZilla]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\SOFTWARE\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKLM>\SOFTWARE\Wow6432Node\Miranda]
- [<HKLM>\SOFTWARE\Miranda]
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\AIM\AIMPro]
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\RIT\The Bat!]
- [<HKCU>\SOFTWARE\RIT\The Bat!\Users depot]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKLM>\Software\Wow6432Node\Microsoft\Internet Account Manager]
- [<HKLM>\Software\Microsoft\Internet Account Manager]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Windows Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Total Commander]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- %ProgramFiles%\a3d90235e113.dll
- %TEMP%\1105657.tmp
- %TEMP%\1105641.tmp
- %TEMP%\1105423.tmp-shm
- %TEMP%\1105423.tmp
- %TEMP%\1105407.tmp-shm
- %TEMP%\1105407.tmp
- %TEMP%\1105376.tmp-shm
- %TEMP%\1105376.tmp
- %TEMP%\1105345.tmp-shm
- %TEMP%\1105345.tmp
- %TEMP%\1105657.tmp-shm
- %TEMP%\1105267.tmp
- %TEMP%\1105142.tmp
- %TEMP%\1105126.tmp
- %TEMP%\1104923.tmp-shm
- %TEMP%\1104923.tmp
- %TEMP%\1104674.tmp-shm
- %TEMP%\1104674.tmp
- %TEMP%\tmpd2ea.tmp.ps1
- %TEMP%\tmpace1.tmp.ps1
- %TEMP%\1092615.tmp
- %TEMP%\1087342.tmp
- %TEMP%\1105251.tmp
- %TEMP%\1105735.tmp
Deletes the following files
- %TEMP%\tmpd2ea.tmp.ps1
- %TEMP%\1104674.tmp-shm
- %TEMP%\1104923.tmp-shm
- %TEMP%\1105345.tmp-shm
- %TEMP%\1105376.tmp-shm
- %TEMP%\1105407.tmp-shm
- %TEMP%\1105423.tmp-shm
- %TEMP%\1105657.tmp-shm
Deletes itself.
Network activity
Connects to
- '37.##0.222.107':443
- '79.##0.52.194':443
- '16#.#14.188.47':443
Miscellaneous
Searches for the following windows
- ClassName: 'TrayNotifyWnd' WindowName: ''
- ClassName: 'SysPager' WindowName: ''
- ClassName: 'ToolbarWindow32' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Executionpolicy bypass -File "%TEMP%\tmpACE1.tmp.ps1"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Executionpolicy bypass -File "%TEMP%\tmpD2EA.tmp.ps1"
- '%WINDIR%\syswow64\rundll32.exe' C:\PROGRA~3\A3D902~1.DLL,zz <Full path to file>' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Executionpolicy bypass -File "%TEMP%\tmpACE1.tmp.ps1"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Executionpolicy bypass -File "%TEMP%\tmpD2EA.tmp.ps1"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' C:\PROGRA~3\A3D902~1.DLL,zz <Full path to file>
- '%WINDIR%\syswow64\rundll32.exe' C:\PROGRA~3\A3D902~1.DLL,dlkdHJ8=
