Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe,'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AcIcUcAM.exe' = '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'jaQEcQMQ.exe' = '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
Executes the following:
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Modifies file system :
Creates the following files:
- <Current directory>\ZYoa.exe
- <Current directory>\qEcY.ico
- C:\RCX7.tmp
- <Current directory>\gUAw.exe
- <Current directory>\hcUM.ico
- C:\RCX5.tmp
- <Current directory>\HooS.exe
- <Current directory>\BkwI.ico
- C:\RCX6.tmp
- <Current directory>\SYYi.exe
- C:\RCXA.tmp
- <Current directory>\iYci.exe
- <Current directory>\Pqsk.ico
- C:\RCXB.tmp
- <Current directory>\nIEI.exe
- <Current directory>\iYQM.ico
- C:\RCX8.tmp
- <Current directory>\koQe.exe
- <Current directory>\rmow.ico
- C:\RCX9.tmp
- %ALLUSERSPROFILE%\casg.txt
- <Current directory>\<Virus name>
- <Current directory>\zMkQ.ico
- C:\RCX1.tmp
- <Current directory>\fAIE.exe
- %ALLUSERSPROFILE%\vesswIQA\AcIcUcAM
- %HOMEPATH%\NIMMEwsg\jaQEcQMQ
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\ZyAoUAMU.bat
- C:\Documents and Settings\LocalService\NIMMEwsg\jaQEcQMQ
- <Current directory>\aWcw.ico
- C:\RCX3.tmp
- <Current directory>\lgYu.exe
- <Current directory>\rOwI.ico
- C:\RCX4.tmp
- <Current directory>\qgsc.exe
- <Current directory>\LosM.ico
- C:\RCX2.tmp
- <Current directory>\cUMo.exe
- <Current directory>\ZEwE.ico
Deletes the following files:
- <Current directory>\gUAw.exe
- <Current directory>\hcUM.ico
- <Current directory>\qEcY.ico
- <Current directory>\BkwI.ico
- <Current directory>\ZYoa.exe
- <Current directory>\koQe.exe
- <Current directory>\nIEI.exe
- <Current directory>\Pqsk.ico
- <Current directory>\rmow.ico
- <Current directory>\iYQM.ico
- <Current directory>\iYci.exe
- <Current directory>\SYYi.exe
- <Current directory>\qgsc.exe
- <Current directory>\LosM.ico
- <Current directory>\zMkQ.ico
- %TEMP%\ZyAoUAMU.bat
- <Current directory>\fAIE.exe
- <Current directory>\cUMo.exe
- <Current directory>\HooS.exe
- <Current directory>\rOwI.ico
- <Current directory>\aWcw.ico
- <Current directory>\ZEwE.ico
- <Current directory>\lgYu.exe
Moves the following files:
- from C:\RCX8.tmp to <Current directory>\gUAw.exe
- from C:\RCX7.tmp to <Current directory>\ZYoa.exe
- from C:\RCX9.tmp to <Current directory>\koQe.exe
- from C:\RCXB.tmp to <Current directory>\nIEI.exe
- from C:\RCXA.tmp to <Current directory>\iYci.exe
- from C:\RCX6.tmp to <Current directory>\SYYi.exe
- from C:\RCX2.tmp to <Current directory>\qgsc.exe
- from C:\RCX1.tmp to <Current directory>\fAIE.exe
- from C:\RCX3.tmp to <Current directory>\cUMo.exe
- from C:\RCX5.tmp to <Current directory>\HooS.exe
- from C:\RCX4.tmp to <Current directory>\lgYu.exe
Network activity:
Connects to:
- 'bl##k.io':443
UDP:
- DNS ASK google.com
- DNS ASK bl##k.io
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: 'AcIcUcAM.exe'
- ClassName: 'Indicator' WindowName: ''
