Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\nsn6.tmp\ns14.tmp' "taskkill.exe" /F /IM WinVnc.exe /T
- '%TEMP%\nsn6.tmp\ns15.tmp' "%PROGRAM_FILES%\1c2.0.9\Uninst.exe"
- '%TEMP%\nsn6.tmp\ns13.tmp' "tskill.exe" WinVnc
- '%TEMP%\nsn6.tmp\ns11.tmp' "taskkill.exe" /F /IM WinVncSC.exe /T
- '%TEMP%\nsn6.tmp\ns12.tmp' "taskkill.exe" /F /IM AvncMenu.exe /T
- '%TEMP%\nsn6.tmp\ns16.tmp' cmd.exe /C del /P /Q "%ALLUSERSPROFILE%\Start Menu\Tools.url"
- '%TEMP%\nsn6.tmp\ns1A.tmp' "%TEMP%\nsj3.tmp\AvncMenu.exe"
- '%TEMP%\nsj3.tmp\AvncMenu.exe'
- '%TEMP%\nsn6.tmp\ns19.tmp' cmd.exe /C del /P /Q "%HOMEPATH%\Desktop\Tools.url"
- '%TEMP%\nsn6.tmp\ns17.tmp' cmd.exe /C del /P /Q "%ALLUSERSPROFILE%\Desktop\Tools.url"
- '%TEMP%\nsn6.tmp\ns18.tmp' cmd.exe /C del /P /Q "%HOMEPATH%\Start Menu\Tools.url"
- '%TEMP%\nsn6.tmp\ns9.tmp' "sc.exe" delete winvnc4
- '%TEMP%\nsn6.tmp\nsA.tmp' "net.exe" stop uvnc_service
- '%TEMP%\nsn6.tmp\ns8.tmp' "sc.exe" delete winvnc
- '%TEMP%\nsj3.tmp\WebGetS.exe' /3
- '%TEMP%\nsn6.tmp\ns7.tmp' "sc.exe" delete uvnc_service
- '%TEMP%\nsn6.tmp\nsB.tmp' "net.exe" stop WinVNC
- '%TEMP%\nsn6.tmp\nsF.tmp' "tskill.exe" AvncMenu
- '%TEMP%\nsn6.tmp\ns10.tmp' "taskkill.exe" /F /IM 1click.exe /T
- '%TEMP%\nsn6.tmp\nsE.tmp' "tskill.exe" 1click
- '%TEMP%\nsn6.tmp\nsC.tmp' "net.exe" stop WinVNC4
- '%TEMP%\nsn6.tmp\nsD.tmp' "tskill.exe" WinVncSC
Executes the following:
- '<SYSTEM32>\tskill.exe' AvncMenu
- '<SYSTEM32>\taskkill.exe' /F /IM 1click.exe /T
- '<SYSTEM32>\tskill.exe' WinVncSC
- '<SYSTEM32>\tskill.exe' 1click
- '<SYSTEM32>\tskill.exe' WinVnc
- '<SYSTEM32>\taskkill.exe' /F /IM WinVnc.exe /T
- '<SYSTEM32>\taskkill.exe' /F /IM WinVncSC.exe /T
- '<SYSTEM32>\taskkill.exe' /F /IM AvncMenu.exe /T
- '<SYSTEM32>\net1.exe' stop WinVNC4
- '<SYSTEM32>\sc.exe' delete winvnc4
- '<SYSTEM32>\net.exe' stop uvnc_service
- '<SYSTEM32>\sc.exe' delete uvnc_service
- '<SYSTEM32>\sc.exe' delete winvnc
- '<SYSTEM32>\net1.exe' stop WinVNC
- '<SYSTEM32>\net.exe' stop WinVNC4
- '<SYSTEM32>\net1.exe' stop uvnc_service
- '<SYSTEM32>\net.exe' stop WinVNC
Modifies file system :
Creates the following files:
- %TEMP%\nsn6.tmp\ns19.tmp
- %PROGRAM_FILES%\1c2.0.9\Uninst.exe
- %TEMP%\nsn6.tmp\ns17.tmp
- %TEMP%\nsn6.tmp\ns18.tmp
- %PROGRAM_FILES%\1c2.0.9\stop.ico
- %PROGRAM_FILES%\1c2.0.9\icon1.ico
- %WINDIR%\UltraVNC.ini
- %PROGRAM_FILES%\1c2.0.9\UltraVnc.ini
- %TEMP%\nsn6.tmp\ns16.tmp
- %TEMP%\nsn6.tmp\ns11.tmp
- %TEMP%\nsn6.tmp\ns12.tmp
- %TEMP%\nsn6.tmp\nsF.tmp
- %TEMP%\nsn6.tmp\ns10.tmp
- %PROGRAM_FILES%\1c2.0.9\Advantig.Lic
- %TEMP%\nsn6.tmp\ns15.tmp
- %TEMP%\nsn6.tmp\ns13.tmp
- %TEMP%\nsn6.tmp\ns14.tmp
- %PROGRAM_FILES%\1c2.0.9\Goodbye.vbs
- %PROGRAM_FILES%\1c2.0.9\Tools.url
- %PROGRAM_FILES%\1c2.0.9\CustomText.ini
- %PROGRAM_FILES%\1c2.0.9\1Click.exe
- %TEMP%\nsj3.tmp\Advantig.ini
- %TEMP%\nsn6.tmp\ns1A.tmp
- %ALLUSERSPROFILE%\Start Menu\Tools.url
- %PROGRAM_FILES%\1c2.0.9\boot.ico
- %PROGRAM_FILES%\1c2.0.9\OneClick.ini
- %PROGRAM_FILES%\1c2.0.9\background.bmp
- %PROGRAM_FILES%\1c2.0.9\helpdesk.txt
- %PROGRAM_FILES%\1c2.0.9\icon2.ico
- %PROGRAM_FILES%\1c2.0.9\logo.bmp
- %PROGRAM_FILES%\1c2.0.9\Ding_Dong.wav
- %PROGRAM_FILES%\1c2.0.9\rePaper.exe
- %PROGRAM_FILES%\1c2.0.9\winvncsc.exe
- %PROGRAM_FILES%\1c2.0.9\cad.exe
- %TEMP%\nsn6.tmp\nsE.tmp
- %TEMP%\nsj3.tmp\icon2.ico
- %TEMP%\nsj3.tmp\stop.ico
- %TEMP%\nsj3.tmp\background.bmp
- %TEMP%\nsj3.tmp\icon1.ico
- %TEMP%\nsj3.tmp\Startup.txt
- %TEMP%\nsj3.tmp\OneClick.ini
- %TEMP%\nsj3.tmp\boot.ico
- %TEMP%\nsj3.tmp\CustomText.ini
- %TEMP%\nsj3.tmp\logo.bmp
- %TEMP%\nsj3.tmp\helpdesk.txt
- %TEMP%\nsj3.tmp\winvncsc.exe
- %TEMP%\nsy2.tmp
- %TEMP%\nsj3.tmp\WebGetS.exe
- %TEMP%\nsj3.tmp\Ding_Dong.wav
- %TEMP%\nsj3.tmp\Splash.bmp
- %TEMP%\nsj3.tmp\UltraVnc.ini
- %TEMP%\nsj3.tmp\cad.exe
- %TEMP%\nsn6.tmp\ns8.tmp
- %TEMP%\nsn6.tmp\ns9.tmp
- %TEMP%\nsn6.tmp\nsExec.dll
- %TEMP%\nsn6.tmp\ns7.tmp
- %TEMP%\nsn6.tmp\nsC.tmp
- %TEMP%\nsn6.tmp\nsD.tmp
- %TEMP%\nsn6.tmp\nsA.tmp
- %TEMP%\nsn6.tmp\nsB.tmp
- %TEMP%\nsj3.tmp\AvncMenu.exe
- %TEMP%\nsj3.tmp\1Click.exe
- %TEMP%\nsh5.tmp
- %TEMP%\nsj3.tmp\Tools.url
- %TEMP%\nsj3.tmp\Goodbye.vbs
- %TEMP%\nsn6.tmp\Splash.dll
- %TEMP%\nsj3.tmp\rePaper.exe
- %TEMP%\nsj3.tmp\Advantig.Lic
- %TEMP%\nsn6.tmp\default.bmp
Deletes the following files:
- %TEMP%\nsn6.tmp\ns13.tmp
- %TEMP%\nsn6.tmp\ns14.tmp
- %TEMP%\nsn6.tmp\ns11.tmp
- %TEMP%\nsn6.tmp\ns12.tmp
- %TEMP%\nsn6.tmp\ns15.tmp
- %TEMP%\nsn6.tmp\ns18.tmp
- %TEMP%\nsn6.tmp\ns19.tmp
- %TEMP%\nsn6.tmp\ns16.tmp
- %TEMP%\nsn6.tmp\ns17.tmp
- %TEMP%\nsn6.tmp\ns10.tmp
- %TEMP%\nsn6.tmp\ns9.tmp
- %TEMP%\nsn6.tmp\nsA.tmp
- %TEMP%\nsn6.tmp\ns7.tmp
- %TEMP%\nsn6.tmp\ns8.tmp
- %TEMP%\nsn6.tmp\nsB.tmp
- %TEMP%\nsn6.tmp\nsE.tmp
- %TEMP%\nsn6.tmp\nsF.tmp
- %TEMP%\nsn6.tmp\nsC.tmp
- %TEMP%\nsn6.tmp\nsD.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'WinVNC desktop sink' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: '#32770' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
