Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe] 'Debugger' = 'winupd01.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = 'ctfmon.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\scan\scan.com
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\winupd01.exe' = '<SYSTEM32>\winupd01.exe:*:Enabled:DHCP Router'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\winupd01.exe' = '<SYSTEM32>\winupd01.exe:*:Enabled:DHCP Router'
Creates and executes the following:
- '<SYSTEM32>\winupd01.exe' <Full path to virus>
Executes the following:
- '<SYSTEM32>\sc.exe' delete OutpostFirewall
- '<SYSTEM32>\net1.exe' stop OutpostFirewall
- '<SYSTEM32>\sc.exe' config OutpostFirewall start= disabled
- '<SYSTEM32>\net.exe' stop OutpostFirewall
- '<SYSTEM32>\sc.exe' stop OutpostFirewall
- '<SYSTEM32>\net.exe' stop TmPfw
- '<SYSTEM32>\net1.exe' stop TmPfw
- '<SYSTEM32>\net.exe' stop KPF4
- '<SYSTEM32>\sc.exe' delete TmPfw
- '<SYSTEM32>\sc.exe' stop TmPfw
- '<SYSTEM32>\sc.exe' config TmPfw start= disabled
- '<SYSTEM32>\sc.exe' config ekrn start= disabled
- '<SYSTEM32>\net1.exe' stop ekrn
- '<SYSTEM32>\sc.exe' stop ekrn
- '<SYSTEM32>\sc.exe' delete NOD32krn
- '<SYSTEM32>\net.exe' stop ekrn
- '<SYSTEM32>\sc.exe' delete ekrn
- '<SYSTEM32>\net1.exe' stop McShield
- '<SYSTEM32>\sc.exe' delete McShield
- '<SYSTEM32>\sc.exe' config McShield start= disabled
- '<SYSTEM32>\net.exe' stop McShield
- '<SYSTEM32>\sc.exe' stop McShield
- '<SYSTEM32>\ipconfig.exe' /pid=3636
- '<SYSTEM32>\sc.exe' /pid=1376
- '<SYSTEM32>\net1.exe' /C sc stop vsmon
- '<SYSTEM32>\sc.exe' config cmdAgent start= disabled
- '<SYSTEM32>\sc.exe' /C sc delete cmdAgent
- '<SYSTEM32>\sc.exe' /pid=2528
- '<SYSTEM32>\net1.exe' stop cmdAgent
- '<SYSTEM32>\sc.exe' /pid=988
- '<SYSTEM32>\sc.exe' stop vsmon
- '<SYSTEM32>\net.exe' stop vsmon
- '<SYSTEM32>\sc.exe' delete cmdAgent
- '<SYSTEM32>\sc.exe' /pid=3776
- '<SYSTEM32>\net1.exe' stop KPF4
- '<SYSTEM32>\sc.exe' /pid=3692
- '<SYSTEM32>\sc.exe' delete KPF4
- '<SYSTEM32>\sc.exe' stop KPF4
- '<SYSTEM32>\sc.exe' config KPF4 start= disabled
- '<SYSTEM32>\net.exe' stop SmcService
- '<SYSTEM32>\sc.exe' /C sc config cmdAgent start= disabled
- '<SYSTEM32>\sc.exe' delete SmcService
- '<SYSTEM32>\sc.exe' /C net stop cmdAgent
- '<SYSTEM32>\sc.exe' stop SmcService
- '<SYSTEM32>\sc.exe' config SmcService start= disabled
- '<SYSTEM32>\net1.exe' stop "avast! Antivirus"
- '<SYSTEM32>\sc.exe' delete "avast! Antivirus"
- '<SYSTEM32>\sc.exe' config "avast! Antivirus" start= disabled
- '<SYSTEM32>\net.exe' stop "avast! Antivirus"
- '<SYSTEM32>\sc.exe' stop "avast! Antivirus"
- '<SYSTEM32>\net.exe' stop AntiVirService
- '<SYSTEM32>\net1.exe' stop AntiVirService
- '<SYSTEM32>\net.exe' stop PASRV
- '<SYSTEM32>\sc.exe' delete AntiVirService
- '<SYSTEM32>\sc.exe' stop AntiVirService
- '<SYSTEM32>\sc.exe' config AntiVirService start= disabled
- '<SYSTEM32>\sc.exe' stop K7RTScan
- '<SYSTEM32>\net1.exe' stop K7RTScan
- '<SYSTEM32>\net.exe' stop K7RTScan
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\sc.exe' config K7RTScan start= disabled
- '<SYSTEM32>\sc.exe' delete K7RTScan
- '<SYSTEM32>\sc.exe' delete K7TSMngr
- '<SYSTEM32>\net1.exe' stop K7TSMngr
- '<SYSTEM32>\sc.exe' stop K7TSMngr
- '<SYSTEM32>\net.exe' stop K7TSMngr
- '<SYSTEM32>\sc.exe' config K7TSMngr start= disabled
- '<SYSTEM32>\sc.exe' stop PASRV
- '<SYSTEM32>\sc.exe' stop avg9wd
- '<SYSTEM32>\sc.exe' config avg9wd start= disabled
- '<SYSTEM32>\net.exe' stop avg9wd
- '<SYSTEM32>\sc.exe' delete avg8wd
- '<SYSTEM32>\net1.exe' stop avg8wd
- '<SYSTEM32>\net1.exe' stop avg9wd
- '<SYSTEM32>\sc.exe' config NOD32krn start= disabled
- '<SYSTEM32>\net1.exe' stop NOD32krn
- '<SYSTEM32>\sc.exe' stop NOD32krn
- '<SYSTEM32>\sc.exe' delete avg9wd
- '<SYSTEM32>\net.exe' stop NOD32krn
- '<SYSTEM32>\net.exe' stop VSSERV
- '<SYSTEM32>\sc.exe' stop VSSERV
- '<SYSTEM32>\net1.exe' stop PASRV
- '<SYSTEM32>\sc.exe' config PASRV start= disabled
- '<SYSTEM32>\sc.exe' delete PASRV
- '<SYSTEM32>\sc.exe' config VSSERV start= disabled
- '<SYSTEM32>\sc.exe' stop avg8wd
- '<SYSTEM32>\sc.exe' config avg8wd start= disabled
- '<SYSTEM32>\net.exe' stop avg8wd
- '<SYSTEM32>\sc.exe' delete VSSERV
- '<SYSTEM32>\net1.exe' stop VSSERV
Injects code into
the following system processes:
- <SYSTEM32>\net.exe
- <SYSTEM32>\net1.exe
- <SYSTEM32>\cmd.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\sc.exe
Terminates or attempts to terminate
the following user processes:
- ntvdm.exe
- GUARD.EXE
Hides the following processes:
- <SYSTEM32>\winupd01.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\usb[1]
- <SYSTEM32>\winupd01.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\upd[1]
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\winupd01.exe
Deletes itself.
Network activity:
Connects to:
- 'us#.#verapo.ru':80
- 'av####1.everapo.ru':7575
- 'up#.#verapo.ru':80
TCP:
HTTP GET requests:
- us#.#verapo.ru/usb
- up#.#verapo.ru/upd
UDP:
- DNS ASK us#.#verapo.ru
- DNS ASK av####1.everapo.ru
- DNS ASK up#.#verapo.ru
