Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\D701.tmp'
- '%TEMP%\E5B4.tmp'
- '%TEMP%\D30A.tmp'
- '%TEMP%\DD59.tmp'
- '%TEMP%\E085.tmp'
- '%TEMP%\DA0E.tmp'
- '%TEMP%\E91F.tmp'
- '%TEMP%\C9A5.tmp'
- '%TEMP%\BB04.tmp'
- '%TEMP%\CFBE.tmp'
- '%TEMP%\E5B4.tmp' (downloaded from the Internet)
- '%TEMP%\E91F.tmp' (downloaded from the Internet)
- '%TEMP%\E085.tmp' (downloaded from the Internet)
- '%TEMP%\DD59.tmp' (downloaded from the Internet)
- '%TEMP%\CFBE.tmp' (downloaded from the Internet)
- '%TEMP%\C9A5.tmp' (downloaded from the Internet)
- '%TEMP%\BB04.tmp' (downloaded from the Internet)
- '%TEMP%\DA0E.tmp' (downloaded from the Internet)
- '%TEMP%\D701.tmp' (downloaded from the Internet)
- '%TEMP%\D30A.tmp' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\wbem\WMIADAP.EXE' /F /T /R
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shell32.dll,OpenAs_RunDLL <Current directory>\document.doc
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
- %TEMP%\DD59.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\load[4].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\load[4].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\load[4].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\load[3].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\load[3].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\load[3].php
- %TEMP%\DA0E.tmp
- %TEMP%\E085.tmp
- %TEMP%\E91F.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\load[5].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\load[6].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\load[5].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\load[5].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\load[4].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\load[5].php
- %TEMP%\E5B4.tmp
- <Current directory>\&luck=1
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\load[1].php
- %TEMP%\C9A5.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\load[1].php
- <Current directory>\document.doc
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\document[1].doc
- %TEMP%\BB04.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\load[1].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\load[1].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\load[2].php
- %TEMP%\D30A.tmp
- %TEMP%\D701.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\load[3].php
- %TEMP%\CFBE.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\load[2].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\load[2].php
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\load[2].php
Deletes itself.
Network activity:
Connects to:
- 'in###viewbuy.ru':80
- 'localhost':52835
TCP:
HTTP GET requests:
- in###viewbuy.ru/forum/load.php?fi###########
- in###viewbuy.ru/forum/load.php?fi#############
- in###viewbuy.ru/forum/document.doc
- in###viewbuy.ru/forum/load.php?fi####
UDP:
- DNS ASK in###viewbuy.ru
Miscellaneous:
Searches for the following windows:
- ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
