Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\qqurlmgr
- <SYSTEM32>\tasks\display.nvcontainer
Modifies file system
Creates the following files
- %TEMP%\aut60a6.tmp
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mpa4jwxy\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\z8wkotcp\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\urvohfw8\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2936y63w\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\internet explorer\msimgsiz.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\zmuktniv\bullet[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\i3nmat9z\info_48[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dyps348i\background_gradient[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\ea09503g\httperrorpagesscripts[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\zmuktniv\errorpagestrings[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\i3nmat9z\errorpagetemplate[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dyps348i\navcancl[1]
- %APPDATA%\info\inst.log
- %TEMP%\2932qzoekwp
- %TEMP%\aut9858.tmp
- %WINDIR%\temp\copylick.exe
- %TEMP%\aut93c7.tmp
- %TEMP%\1836swlznak
- %TEMP%\aut8890.tmp
- %CommonProgramFiles%\display.nvcontainer.exe
- %TEMP%\aut8566.tmp
- %TEMP%\service.bat
- %TEMP%\1292woncdzz
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\info\reg.txt
Sets the 'hidden' attribute to the following files
- %CommonProgramFiles%\display.nvcontainer.exe
- %WINDIR%\temp\copylick.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2936y63w\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\urvohfw8\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\z8wkotcp\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mpa4jwxy\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
Deletes the following files
- %TEMP%\aut60a6.tmp
- %TEMP%\2932qzoekwp
- %TEMP%\aut9858.tmp
- %TEMP%\aut93c7.tmp
- %TEMP%\1836swlznak
- %TEMP%\aut8890.tmp
- %TEMP%\aut8566.tmp
- %WINDIR%\temp\ts_d96.tmp
- %WINDIR%\temp\ts_98e.tmp
- %WINDIR%\temp\ts_910.tmp
- %WINDIR%\temp\ts_6cd.tmp
- %WINDIR%\temp\ts_1a3e.tmp
- %WINDIR%\temp\ts_19c0.tmp
- %WINDIR%\temp\ts_1395.tmp
- %WINDIR%\temp\ts_126b.tmp
- %WINDIR%\temp\ts_1085.tmp
- %WINDIR%\temp\fwtsqmfile00.sqm
- %WINDIR%\temp\dmi2a28.tmp
- %TEMP%\service.bat
- %TEMP%\1292woncdzz
- %WINDIR%\temp\copylick.exe
- %APPDATA%\info\reg.txt
Substitutes the following files
- %APPDATA%\info\reg.txt
Deletes itself.
Network activity
UDP
- DNS ASK qq.com
- DNS ASK ba##u.com
- DNS ASK fi##.###enhomeland.com.cn
- DNS ASK tj.##oss.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%CommonProgramFiles%\display.nvcontainer.exe'
- '%WINDIR%\temp\copylick.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%ProgramFiles%\NVIDIA Corporation\Display.NvContainer" /c /t /e /p system:F
- '%WINDIR%\syswow64\ping.exe' -n 3 127.1
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Temp" /c /t /e /p administrators:F
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrator:F
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Temp" /c /t /e /p administrator:F
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p everyone:F
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p system:F
- '<SYSTEM32>\schtasks.exe' /create /sc onlogon /tn QQUrlMgr /rl highest /tr %WINDIR%\temp\copylick.exe
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrators:F
- '<SYSTEM32>\cmd.exe' /c schtasks /delete /tnDisplay.NvContainer /F
- '<SYSTEM32>\cmd.exe' /c schtasks /create /sc onlogon /tn QQUrlMgr /rl highest /tr %WINDIR%\temp\copylick.exe
- '<SYSTEM32>\cmd.exe' \c schtasks \create \sc onlogon \tn Display.NvContainer \rl highest \tr C:\PROGRA~2\COMMON~1\DISPLA~1.EXE
- '<SYSTEM32>\schtasks.exe' /delete /tnQQUrlMgr /F
- '<SYSTEM32>\schtasks.exe' /delete /tnDisplay.NvContainer /F
- '%WINDIR%\syswow64\sc.exe' delete Display.NvContainer
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Temp" /c /t /e /p system:F
- '%WINDIR%\syswow64\cmd.exe' /c ping -n 3 127.1 & del /q "<Full path to file>"
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Temp" /c /t /e /p everyone:F
- '<SYSTEM32>\schtasks.exe' /create /sc onlogon /tn Display.NvContainer /rl highest /tr C:\PROGRA~2\COMMON~1\DISPLA~1.EXE
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Temp" /c /t /e /p administrators:F
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p everyone:F
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrator:F
- '%WINDIR%\syswow64\schtasks.exe' /delete /tnQQUrlMgr /F
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Temp" /c /t /e /p everyone:F
- '<SYSTEM32>\cmd.exe' /c schtasks /delete /tnQQUrlMgr /F
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p system:F
- '%WINDIR%\syswow64\schtasks.exe' /delete /tnDisplay.NvContainer /F
- '%WINDIR%\syswow64\cmd.exe' /c call "%TEMP%\Service.bat"
- '%WINDIR%\syswow64\cacls.exe' "%ProgramFiles%\NVIDIA Corporation\Display.NvContainer" /c /t /e /p system:F
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /delete /tnQQUrlMgr /F
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /delete /tnDisplay.NvContainer /F
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Temp" /c /t /e /p system:F
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Temp" /c /t /e /p administrator:F
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrators:F
- '<SYSTEM32>\cmd.exe' /c schtasks /delete /tnQQUrlMgr /F' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping -n 3 127.1 & del /q "<Full path to file>"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrators:F' (with hidden window)
- '<SYSTEM32>\cmd.exe' \c schtasks \create \sc onlogon \tn Display.NvContainer \rl highest \tr C:\PROGRA~2\COMMON~1\DISPLA~1.EXE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%ProgramFiles%\NVIDIA Corporation\Display.NvContainer" /c /t /e /p system:F' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /delete /tnDisplay.NvContainer /F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c schtasks /delete /tnDisplay.NvContainer /F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c schtasks /create /sc onlogon /tn QQUrlMgr /rl highest /tr %WINDIR%\temp\copylick.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p system:F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p system:F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p everyone:F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrator:F' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c call "%TEMP%\Service.bat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /delete /tnQQUrlMgr /F' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrator:F' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p everyone:F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls "%WINDIR%\Temp" /c /t /e /p administrators:F' (with hidden window)
