Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
Modifies file system :
Creates the following files:
- <LS_APPDATA>\Mozilla\Firefox\Profiles\zp7tnb55.default\urlclassifier3.sqlite-journal
- %TEMP%\rOFU7qwa.part
- <Current directory>\js.log
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\zp7tnb55.default\downloads.sqlite
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\zp7tnb55.default\downloads.sqlite-journal
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\zp7tnb55.default\sessionstore.bak
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\zp7tnb55.default\prefs-1.js
- %TEMP%\nsx1610.tmp\System.dll
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\zp7tnb55.default\places.sqlite-wal
- %TEMP%\nsx1610.tmp\ShellLink.dll
Deletes the following files:
- <LS_APPDATA>\Mozilla\Firefox\Profiles\zp7tnb55.default\urlclassifier3.sqlite-journal
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\zp7tnb55.default\downloads.sqlite-journal
- %TEMP%\nsx1610.tmp\ShellLink.dll
- %TEMP%\nsx1610.tmp\System.dll
Network activity:
Connects to:
- 'ma###et.ucoz.ru':80
- 'fx####s.mozilla.com':80
- 'localhost':49158
- 'localhost':49160
TCP:
HTTP GET requests:
- fx####s.mozilla.com/en-US/firefox/headlines.xml
- ma###et.ucoz.ru/
UDP:
- DNS ASK fx####s.mozilla.com
- DNS ASK ma###et.ucoz.ru
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'OleMainThreadWndClass' WindowName: ''
- ClassName: 'FirefoxMessageWindow' WindowName: ''
