Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\Microsoftbill] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Microsoftbill] 'ImagePath' = '<SYSTEM32>\spool\svchost.exe -service'
Creates the following services
- 'Microsoftbill' <SYSTEM32>\spool\svchost.exe -service
Modifies file system
Creates the following files
- <Current directory>\iexp1orer.exe
- <SYSTEM32>\spool\web\accadd.htm
- <SYSTEM32>\spool\web\accheader.htm
- <SYSTEM32>\spool\web\acclist.htm
- <SYSTEM32>\spool\web\account.htm
- <SYSTEM32>\spool\web\index.html
- <SYSTEM32>\spool\web\list.htm
- <SYSTEM32>\spool\web\log.htm
- <SYSTEM32>\spool\web\settings.htm
- <SYSTEM32>\spool\accinfo.ini
- <SYSTEM32>\spool\ccproxy.ini
- <SYSTEM32>\spool\cdial.dll
- <SYSTEM32>\spool\spool.bat
- <SYSTEM32>\spool\ntsvc.exe
- <SYSTEM32>\spool\uuid.dll
- <SYSTEM32>\spool\whw1.exe
- <SYSTEM32>\spool\svchost.exe
- <SYSTEM32>\spool\spool.exe
- <SYSTEM32>\spool\language\english.ini
- nul
- <SYSTEM32>\spool\language\english.chm
- <SYSTEM32>\spool\language\chinesegb.chm
- <SYSTEM32>\spool\basic.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\dnserrordiagoff_weboc[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\q1e129qo\dnserrordiagoff_weboc[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\errorpagetemplate[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\errorpagestrings[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bg0n0zou\errorpagetemplate[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\errorpagestrings[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\httperrorpagesscripts[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\httperrorpagesscripts[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\background_gradient[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\q1e129qo\info_48[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\bullet[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bg0n0zou\down[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\background_gradient[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\info_48[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\q1e129qo\bullet[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\down[1]
- <SYSTEM32>\spool\language\chinesegb.ini
- <Current directory>\km.bat
Deletes the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\dnserrordiagoff_weboc[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\errorpagetemplate[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\errorpagestrings[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\httperrorpagesscripts[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\background_gradient[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\q1e129qo\info_48[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dzhkzdlo\bullet[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bg0n0zou\down[1]
- <SYSTEM32>\spool\ntsvc.exe
- <SYSTEM32>\spool\whw1.exe
- <SYSTEM32>\spool\spool.exe
Deletes itself.
Network activity
Connects to
- '21#.#40.85.247':82
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '<Current directory>\iexp1orer.exe' stop LogicalDisk
- '<SYSTEM32>\spool\ntsvc.exe' config "Microsoftbill" DisplayName= "Windows Managements Instrumentation Drivers"
- '<SYSTEM32>\spool\ntsvc.exe' create Microsoftbill binpath= "<SYSTEM32>\spool\svchost.exe -service" start= auto Displayname= "Windows Managements Instrumentation Drivers"
- '<SYSTEM32>\spool\ntsvc.exe' stop Microsoftbill
- '<SYSTEM32>\spool\whw1.exe' stop Microsoftbill
- '<SYSTEM32>\spool\spool.exe'
- '<Current directory>\iexp1orer.exe' start LogicalDisk
- '<Current directory>\iexp1orer.exe' start Microsoftbill
- '<SYSTEM32>\spool\basic.exe'
- '<Current directory>\iexp1orer.exe' stop svchost
- '<SYSTEM32>\spool\ntsvc.exe' description Microsoftbill "Component Object Model (COM +) components of the configuration and tracking. If you stop the service, most COM +-based components will not work correctly. If you disa...
- '<Current directory>\iexp1orer.exe' stop taskmgr
- '<Current directory>\iexp1orer.exe' stop wmisrvs
- '<Current directory>\iexp1orer.exe' stop RunAServces
- '<Current directory>\iexp1orer.exe' delete vsmon
- '<Current directory>\iexp1orer.exe' stop vsmon
- '<Current directory>\iexp1orer.exe' delete CCproxy
- '<Current directory>\iexp1orer.exe' delete RasAuto
- '<Current directory>\iexp1orer.exe' stop CCproxy
- '<Current directory>\iexp1orer.exe' stop RasAuto
- '<Current directory>\iexp1orer.exe' stop Microsoftbill
- '<Current directory>\iexp1orer.exe' stop Bethserv
- '<SYSTEM32>\spool\ntsvc.exe' start Microsoftbill
Executes the following
- '%WINDIR%\syswow64\attrib.exe' +s +h CDial.dll
- '%WINDIR%\syswow64\attrib.exe' +s +h svchost.exe
- '%WINDIR%\syswow64\cmd.exe' /c copy <SYSTEM32>\wins\delphi.exe <SYSTEM32>\dllcache\delphi.exe
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 1 -w 500
- '%WINDIR%\syswow64\attrib.exe' +s +h AccInfo.ini
- '%WINDIR%\syswow64\cmd.exe' /c type %systemdrive%\\boot.ini>windows.log
- '%WINDIR%\syswow64\cmd.exe' /c <SYSTEM32>\spool\spool.bat
- '%WINDIR%\syswow64\attrib.exe' +s +h uuid.dll
- '%WINDIR%\syswow64\attrib.exe' +s +h CCProxy.ini
- '%WINDIR%\syswow64\attrib.exe' +s +h +r web
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\Km.bat""
- '%WINDIR%\syswow64\cmd.exe' /c copy <SYSTEM32>\spool\basic.exe <SYSTEM32>\dllcache\basic.exe
- '%WINDIR%\syswow64\attrib.exe' +s +h +r Language
- '<Current directory>\iexp1orer.exe' stop taskmgr' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\Km.bat""' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c <SYSTEM32>\spool\spool.bat' (with hidden window)
- '<Current directory>\iexp1orer.exe' start LogicalDisk' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy <SYSTEM32>\spool\basic.exe <SYSTEM32>\dllcache\basic.exe' (with hidden window)
- '<SYSTEM32>\spool\basic.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy <SYSTEM32>\wins\delphi.exe <SYSTEM32>\dllcache\delphi.exe' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop svchost' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop Bethserv' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop CCproxy' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop RunAServces' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c type %systemdrive%\\boot.ini>windows.log' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop vsmon' (with hidden window)
- '<Current directory>\iexp1orer.exe' delete CCproxy' (with hidden window)
- '<Current directory>\iexp1orer.exe' delete RasAuto' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop wmisrvs' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop RasAuto' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop Microsoftbill' (with hidden window)
- '<Current directory>\iexp1orer.exe' delete vsmon' (with hidden window)
- '<Current directory>\iexp1orer.exe' start Microsoftbill' (with hidden window)
- '<Current directory>\iexp1orer.exe' stop LogicalDisk' (with hidden window)
