Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = '%PROGRAM_FILES%\Coopen\Coopen.scr'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\CoopenІҐ·ЕЖч.lnk
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\sup.exe'
- '<SYSTEM32>\yx.exe'
- '<SYSTEM32>\homep.exe'
- '%PROGRAM_FILES%\Coopen\CoopenAir.exe'
- '%PROGRAM_FILES%\Coopen\Coopen.exe'
- '<SYSTEM32>\hp123.exe'
- '<SYSTEM32>\f.exe'
- '<SYSTEM32>\coop.exe'
- '<SYSTEM32>\uu.exe'
- '<SYSTEM32>\coopen_setup_100067.exe' /S
- '<SYSTEM32>\BBPlayer.exe'
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""<SYSTEM32>\hp.bat" "
- '<SYSTEM32>\wscript.exe' "<SYSTEM32>\hp.vbs"
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://61.###.62.83:1111/down.php?un###############
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Progress_download.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Progress_download1.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Separator.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_next.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Notify_BG.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Notify_Close.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\SkinNormal.ini
- %PROGRAM_FILES%\Coopen\Resource\res\BMP\cancel.bmp
- %PROGRAM_FILES%\Coopen\Resource\res\BMP\close.bmp
- %PROGRAM_FILES%\Coopen\Resource\res\BMP\play.bmp
- %PROGRAM_FILES%\Coopen\Resource\res\BMP\MyShare.bmp
- %PROGRAM_FILES%\Coopen\Resource\res\BMP\MyWallpaper.bmp
- %PROGRAM_FILES%\Coopen\Resource\res\BMP\Myphoto.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_IconHide.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_IconShow.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_ModeMenu.bmp
- %PROGRAM_FILES%\Coopen\Templete\CoopenPhoto.jpg
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Background.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_Close.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_ModeSel.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_ScreenSaver.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_Setting.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_Weblogo.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_Pause.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_Play.bmp
- %PROGRAM_FILES%\Coopen\Resource\SkinNormal\Button_Prev.bmp
- %PROGRAM_FILES%\Coopen\Templete\DefaultCoopenWallpaper.jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ydsszuo[1].htm
- %HOMEPATH%\Start Menu\Programs\Coopen\CoopenІҐ·ЕЖч.lnk
- %HOMEPATH%\Start Menu\Programs\Coopen\Р¶ФШ.lnk
- %PROGRAM_FILES%\Coopen\image\Share\coopen share\image_100\PicList.ini
- <SYSTEM32>\Coopen.inf
- %PROGRAM_FILES%\Coopen\conf\Coopen.inf
- %TEMP%\nsp3.tmp\inetc.dll
- %PROGRAM_FILES%\Coopen\conf\Debug
- %PROGRAM_FILES%\Coopen\uninst.exe
- %TEMP%\nsp3.tmp\PartnerDlg.ini
- <SYSTEM32>\Coopen.scr
- %PROGRAM_FILES%\Coopen\conf\%USERNAME%.ini
- %PROGRAM_FILES%\Coopen\conf\All Users.ini
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\╞Ї╢п Internet Explorer фп└└╞ў.lnk
- %PROGRAM_FILES%\Coopen\image\Wallpaper\coopen wallpaper\DefaultCoopenWallpaper.jpg
- %PROGRAM_FILES%\Coopen\image\Wallpaper\coopen wallpaper\PicList.ini
- %PROGRAM_FILES%\Coopen\Coopen.scr
- %PROGRAM_FILES%\Coopen\image\Wallpaper\local wallpaper\DefaultCoopenWallpaper.jpg
- %PROGRAM_FILES%\Coopen\image\Wallpaper\local wallpaper\ModeAList.ini
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
- %PROGRAM_FILES%\Coopen\image\Illustrated\coopen illustrated\image_100003\DefaultCoopenWallpaper.jpg
- %PROGRAM_FILES%\Coopen\image\Share\coopen share\image_100\B_0.jpg
- %PROGRAM_FILES%\Coopen\image\Share\coopen share\image_100\B_1.jpg
- %PROGRAM_FILES%\Coopen\image\Photo\local Photo\B_0.jpg
- %PROGRAM_FILES%\Coopen\image\Photo\local Photo\B_1.jpg
- %PROGRAM_FILES%\Coopen\image\Photo\local Photo\ModeBList.ini
- %TEMP%\nsp3.tmp\System.dll
- <SYSTEM32>\Internet Explorer.lnk
- <SYSTEM32>\hp.vbs
- <SYSTEM32>\Internet Explorer.url
- %TEMP%\nsz2.tmp
- <SYSTEM32>\hp.bat
- <SYSTEM32>\homep.exe
- %PROGRAM_FILES%\Coopen\CoopenModeB.cop
- %PROGRAM_FILES%\Coopen\CoopenModeB.Config
- %PROGRAM_FILES%\Coopen\CoopenModeC.cop
- %TEMP%\nsp3.tmp\KillProcDLL.dll
- %PROGRAM_FILES%\Coopen\CoopenModeA.cop
- %PROGRAM_FILES%\Coopen\CoopenModeA.Config
- <SYSTEM32>\sup.exe
- <SYSTEM32>\coop.exe
- <SYSTEM32>\HtmlView.fne
- <SYSTEM32>\coopen_setup_100067.exe
- <SYSTEM32>\BBPlayer.exe
- <SYSTEM32>\del.bat
- <SYSTEM32>\iext.fnr
- <SYSTEM32>\uu.exe
- <SYSTEM32>\f.exe
- <SYSTEM32>\redame.txt
- <SYSTEM32>\krnln.fnr
- <SYSTEM32>\yx.exe
- <SYSTEM32>\hp123.exe
- %PROGRAM_FILES%\Coopen\CoopenModeC.Config
- %PROGRAM_FILES%\Coopen\licence.txt
- %PROGRAM_FILES%\Coopen\conf\ChannelListReal.txt
- %PROGRAM_FILES%\Coopen\conf\ModeAChannelList.txt
- %PROGRAM_FILES%\Coopen\CoopenClient.cop
- %PROGRAM_FILES%\Coopen\CoopenClient.Config
- %PROGRAM_FILES%\Coopen\CoopenActiveControl93.dll
- %PROGRAM_FILES%\Coopen\conf\ModeAChannelListReal.txt
- %PROGRAM_FILES%\Coopen\Templete\ModeC.tpl
- %PROGRAM_FILES%\Coopen\Templete\ModeB.tpl
- %PROGRAM_FILES%\Coopen\Templete\ModeB_logo.jpg
- %PROGRAM_FILES%\Coopen\conf\ModeASelectChannel.txt
- %PROGRAM_FILES%\Coopen\conf\ModeAChannelSetup.txt
- %PROGRAM_FILES%\Coopen\conf\PluginConfig.ini
- %PROGRAM_FILES%\Coopen\CoopenDeskIcon.Config
- %PROGRAM_FILES%\Coopen\Coopen.exe
- %PROGRAM_FILES%\Coopen\CoopenAir.exe
- %PROGRAM_FILES%\Coopen\CoopenModeD.cop
- %PROGRAM_FILES%\Coopen\CoopenModeD.Config
- %PROGRAM_FILES%\Coopen\CoopenDeskIcon.cop
- %PROGRAM_FILES%\Coopen\CoopenDownloader.cop
- %PROGRAM_FILES%\Coopen\CoopenUI.cop
- %PROGRAM_FILES%\Coopen\CoopenUI.Config
- %PROGRAM_FILES%\Coopen\CoopenUpdate.cop
- %PROGRAM_FILES%\Coopen\CoopenDownloader.Config
- %PROGRAM_FILES%\Coopen\CoopenPlayer.cop
- %PROGRAM_FILES%\Coopen\CoopenPlayer.Config
Sets the 'hidden' attribute to the following files:
- %PROGRAM_FILES%\Coopen\conf\All Users.ini
- %PROGRAM_FILES%\Coopen\conf\%USERNAME%.ini
Deletes the following files:
- %TEMP%\nsp3.tmp\PartnerDlg.ini
- %TEMP%\nsp3.tmp\System.dll
- %TEMP%\nsp3.tmp\inetc.dll
- %TEMP%\nsp3.tmp\KillProcDLL.dll
Network activity:
Connects to:
- '61.##4.62.83':1111
- 'www.le##tv.info':80
- 'localhost':1038
- 'localhost':1035
- '12#.#24.4.133':30100
TCP:
HTTP GET requests:
- www.le##tv.info/sexse/ydsszuo.htm
UDP:
- DNS ASK xc###.coopen.cn
- DNS ASK tr######.xconf.coopen.cn
- DNS ASK se###.#emp.coopen.cn
- DNS ASK www.le##tv.info
- DNS ASK do####ad.uusee.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: '(null)' WindowName: '*????*'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'CoopenPlayer' WindowName: '*????*'
- ClassName: '(null)' WindowName: 'CoopenAirAir'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'cool66byCool66comcn123'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'
- ClassName: 'CoopenPlayer' WindowName: '*????????*'
- ClassName: '(null)' WindowName: 'Coopen@wwwcoopencn'
