Technical Information
Malicious functions:
Creates and executes the following:
- '%CommonProgramFiles%\bngj.exe'
Executes the following:
- '<SYSTEM32>\taskkill.exe' /F /IM 33.bat
- '<SYSTEM32>\taskkill.exe' /F /IM gjgx.vbe
- '<SYSTEM32>\taskkill.exe' /F /IM gjht.vbe
- '<SYSTEM32>\taskkill.exe' /F /IM 33.vbs
- '<SYSTEM32>\taskkill.exe' /F /IM 2.bat
- '<SYSTEM32>\taskkill.exe' /F /IM 22.vbs
- '<SYSTEM32>\taskkill.exe' /F /IM 22.bat
- '<SYSTEM32>\taskkill.exe' /F /IM bnflow.exe
- '<SYSTEM32>\at.exe' /del /yes
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 15
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 10
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 18
- '<SYSTEM32>\wscript.exe' "%WINDIR%\1.vbs"
- '<SYSTEM32>\taskkill.exe' /F /IM WINDOWSER.EXE
- '<SYSTEM32>\taskkill.exe' /F /IM windoners.exe
- '<SYSTEM32>\taskkill.exe' /F /IM WINNETEST.EXE
- '<SYSTEM32>\taskkill.exe' /F /IM conmser.exe
- '<SYSTEM32>\wscript.exe' "%CommonProgramFiles%\3.vbs"
- '<SYSTEM32>\net1.exe' stop sharedaccess
- '<SYSTEM32>\net.exe' stop sharedaccess
- '<SYSTEM32>\taskkill.exe' /F /IM BNWORK.EXE
- '<SYSTEM32>\taskkill.exe' /F /IM BNZQGJ.EXE
- '<SYSTEM32>\taskkill.exe' /F /IM 2.vbs
- '<SYSTEM32>\taskkill.exe' /F /IM xviewer.exe
- '<SYSTEM32>\taskkill.exe' /F /IM wiuioiner.exe
- '<SYSTEM32>\taskkill.exe' /F /IM wiuioinen.exe
- '<SYSTEM32>\taskkill.exe' /F /IM winloads.exe
Modifies file system :
Creates the following files:
- %WINDIR%\my2.ini
- %WINDIR%\gjht.vbe
- %WINDIR%\winnetest.exe
- %WINDIR%\1.vbs
- %WINDIR%\1.bat
- %WINDIR%\gjgx.vbe
- %CommonProgramFiles%\bngj.exe
- %CommonProgramFiles%\3.vbs
- %CommonProgramFiles%\3.bat
- %WINDIR%\conmser.exe
- %WINDIR%\bnwork.exe
Deletes the following files:
- %CommonProgramFiles%\3.vbs
- %CommonProgramFiles%\bngj.exe
Miscellaneous:
Searches for the following windows:
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
