Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'SysAnti' = '%CommonProgramFiles%\SysAnti.exe'
Malicious functions:
Creates and executes the following:
- '%CommonProgramFiles%\SysAnti.exe' -One
Executes the following:
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\Fonts\jqbgm.dll",MyKILLEntry
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\Fonts\rgbqs.dll",MyKILLEntry
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
- %CommonProgramFiles%\SysAnti.exe
- %WINDIR%\Fonts\jqbgm.dll
- %WINDIR%\Fonts\rtto.fon
- %WINDIR%\Fonts\rgbqs.dll
- %WINDIR%\Fonts\udfl.fon
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Count[1].htm
Sets the 'hidden' attribute to the following files:
- %CommonProgramFiles%\SysAnti.exe
Deletes the following files:
- %WINDIR%\Fonts\rtto.fon
- %WINDIR%\Fonts\udfl.fon
Network activity:
Connects to:
- 'cn####.5944vip.com':80
TCP:
HTTP POST requests:
- cn####.5944vip.com/Count/down/Count.asp
UDP:
- DNS ASK cn####.5944vip.com
