Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] '26639' = '%ALLUSERSPROFILE%\Local Settings\Temp\ccivexo.com'
Creates the following files on removable media:
- <Drive name for removable media>:\Thumbs.db
- <Drive name for removable media>:\Removable Disk (1GB).lnk
- <Drive name for removable media>:\desktop.ini
- <Drive name for removable media>:\ \desktop.ini
- <Drive name for removable media>:\_WJROUU.init
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Creates and executes the following:
- '%TEMP%\_install_\msiexec.exe'
Executes the following:
- '<SYSTEM32>\wuauclt.exe'
Injects code into
the following system processes:
- <SYSTEM32>\wuauclt.exe
Modifies file system :
Creates the following files:
- %TEMP%\03.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\paeosdhrvgkuzjnycmqbfpteisxhlvah[1]
- %TEMP%\04.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\fjnycgquzjnrcgkuzdnrvgkozdhrvakz[1]
- %TEMP%\02.tmp
- %TEMP%\01.tmp
- %TEMP%\_install_\msiexec.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\blpteimxbfptyimqbfjtycmqufrxogtn[1]
- %ALLUSERSPROFILE%\Local Settings\Temp\ccivexo.com
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Deletes the following files:
- %TEMP%\03.tmp
- %TEMP%\04.tmp
- %TEMP%\01.tmp
- %TEMP%\02.tmp
Network activity:
Connects to:
- 'a.##bea.in':80
- 'b.##bea.in':80
- 'c.##bea.in':80
- 'localhost':1037
- '20#.#6.232.182':80
- '8.#.8.8':80
TCP:
HTTP GET requests:
- c.##bea.in/fjnycgquzjnrcgkuzdnrvgkozdhrvakz
- b.##bea.in/paeosdhrvgkuzjnycmqbfpteisxhlvah
- a.##bea.in/blpteimxbfptyimqbfjtycmqufrxogtn
HTTP POST requests:
- 8.#.8.8/xxxxxxxxx.php
UDP:
- DNS ASK b.##bea.in
- DNS ASK c.##bea.in
- DNS ASK www.up####.microsoft.com
- DNS ASK a.##bea.in
