            Win32.Sector.31 
    Added to the Dr.Web virus database: 2014-04-01 
    Virus description added: 2014-05-27 
    Technical Information 
    To ensure autorun and distribution:
        Modifies the following registry keys:
            [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '{759C631F-58B9-AC31-633B-0D69FA2D9B30}' = '%APPDATA%\Roaming\Ezzuco\exfi.exe'
    Malicious functions:
        To bypass the firewall, removes or modifies the following registry keys:
            [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
            [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
            [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
        To complicate detection of its presence in the operating system:
            forces the system to hide it from view:
            blocks the following features:
                User Account Control (UAC)
                Windows Security Center
        Creates and executes the following:
            '%APPDATA%\Roaming\Ezzuco\exfi.exe'
        Executes the following:
            '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
            '<SYSTEM32>\conhost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            '<SYSTEM32>\rundll32.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to virus>"
            '<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"
        Injects code into the following system processes:
        Modifies settings of Windows Internet Explorer:
            [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
            [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
            [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1406' = '00000000'
            [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
    Modifies file system:
        Creates the following files:
            %TEMP%\ppcrlui_3300_2
            %TEMP%\TarC9F3.tmp
            %TEMP%\windrynl.exe
            %WINDIR%\ServiceProfiles\LocalService\Desktop\debug.txt
            %TEMP%\CabC9F2.tmp
            <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml:OECustomProperty
            <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
            <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
            %TEMP%\axbc.exe
            %TEMP%\qxsw.exe
            %TEMP%\fscgss.exe
            %TEMP%\qadv.exe
            %TEMP%\xnmc.exe
            %TEMP%\winhbmiv.exe
            %TEMP%\windlbtl.exe
            %TEMP%\jfulu.exe
            %TEMP%\winveesyp.exe
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml
            <LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
            %APPDATA%\Roaming\Ibxe\mifya.awd
            <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
            <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
            %TEMP%\tmpd5b9f8ce.bat
            %HOMEPATH%\Desktop\debug.txt
            %TEMP%\mruxdg.exe
            %TEMP%\winnhknl.exe
            %APPDATA%\Roaming\Ezzuco\exfi.exe
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
            <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
            <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
            <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
            <LS_APPDATA>\Microsoft\Windows Mail\edb.log
        Deletes the following files:
            %TEMP%\jfulu.exe
            %TEMP%\xnmc.exe
            %TEMP%\winhbmiv.exe
            %TEMP%\winveesyp.exe
            %TEMP%\qadv.exe
            %TEMP%\fscgss.exe
            %TEMP%\qxsw.exe
            %TEMP%\axbc.exe
            <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
            %TEMP%\CabC9F2.tmp
            %TEMP%\mruxdg.exe
            %TEMP%\winnhknl.exe
            %TEMP%\windrynl.exe
            %TEMP%\windlbtl.exe
            %TEMP%\TarC9F3.tmp
            %TEMP%\ppcrlui_3300_2
        Moves the following files:
            from %APPDATA%\Roaming\Ibxe\mifya.awd to %APPDATA%\Roaming\Ibxe\mifya.tmp
            from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log
        Deletes itself.
    Network activity:
        Connects to:
        TCP:
            HTTP GET requests:
        UDP:
    Miscellaneous:
        Searches for the following windows:
            ClassName: 'Indicator' WindowName: '(null)'
            ClassName: 'OutlookExpressHiddenWindow' WindowName: '(null)'
            ClassName: 'Shell_TrayWnd' WindowName: '(null)'
            ClassName: 'OleMainThreadWndClass' WindowName: '(null)'