Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Taskman' = '%HOMEPATH%\aegvvp.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Searches for windows to
bypass different anti-viruses:
- ClassName: 'Pbaavpoqcd Vuuc Ki' WindowName: 'Euoxfoi Htu. Gxldo'
Modifies file system:
Creates the following files:
- %HOMEPATH%\aegvvp.exe
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\aegvvp.exe
Network activity:
UDP:
- DNS ASK mu###.###tal-protection.net.ru
- DNS ASK sl###.##fehousenumber.com
- 'mu###.###tal-protection.net.ru':41801
- 'sl###.##fehousenumber.com':41801
Miscellaneous:
Searches for the following windows:
- ClassName: 'Oknij. Lym Oern. R' WindowName: 'Bepqo Mfamtoi. Ms'
- ClassName: 'Ijmxibu. Hjxmqws' WindowName: 'Ytsgpjef. Ovgvpq Bf'
- ClassName: 'Nlkddli Dur. Wk' WindowName: 'Qfmcfmmjei Glum'
- ClassName: 'Vfhkmfr. Tpuje Xh' WindowName: 'Qkvwohjx, Dxbc, Fx'
- ClassName: 'Wnsmqkvu Enribelenb' WindowName: 'Cmhgim Xwee Jcwjy'
- ClassName: 'Job' WindowName: 'Nvynkgx, Pxtvosw, Hvjfihj Jhqd'
- ClassName: 'Tlnhmss Vflybr' WindowName: 'Tlnhmss Vflybr'
- ClassName: 'Ecvm. Xntr Nfmvnv' WindowName: 'Wiqnctb Qmnglw Lc'
- ClassName: 'Odvdh, Drn Gsge' WindowName: 'Xtbrhq, Rfvg Ra'
- ClassName: 'Dxyx. Vqjs Vsvnjo' WindowName: 'Vwhrmyu Eatafvn'
- ClassName: 'Xxjkp Xhjuca Nwyphs' WindowName: 'Rianw. Wgmhmadt'
- ClassName: 'Drn Gsge' WindowName: 'Xtbrhq, Rfvg Ra, Odvdh'
- ClassName: 'Rtxdda Coslwdhbn' WindowName: 'Hwdphv Roddrtt Yjk'
- ClassName: 'Cejel Lnmswht. Apf' WindowName: 'Jaiyhpl Swsqnv Vqmm'
- ClassName: 'Vilcehx Xmvvswr I' WindowName: 'Ntjrgfvy Hjjpow'
- ClassName: 'Ywilui Gkk Cjgiops' WindowName: 'Ega. Eupfmh. Rot'
- ClassName: 'Xr' WindowName: 'Lnqkg, Oilay Llngx, Erlnnrm Hctof'
- ClassName: 'Erlnnrm Hctof, Xr' WindowName: 'Lnqkg, Oilay Llngx'
- ClassName: 'Kkceq Tprdlxnly Bmt' WindowName: 'Gejrvpmxmy Wyxx'
- ClassName: 'Khcp Yobdex Jqd' WindowName: 'Lcksjb Vtrgdlvrn'
- ClassName: 'Ngibygs' WindowName: 'Agfdis Wjuyeb C, Rbdjnbe'
- ClassName: 'Rbdjnbe, Ngibygs' WindowName: 'Agfdis Wjuyeb C'
- ClassName: 'Cljtoh Bt' WindowName: 'Mkjstu Iuqs, Vabvy, Yhpyh'
- ClassName: 'Yhpyh, Cljtoh Bt' WindowName: 'Mkjstu Iuqs, Vabvy'
- ClassName: 'Tdig Yrncaif Easun' WindowName: 'Vmuhyh Xqrantyb'
- ClassName: 'Bsjat. Em' WindowName: 'Vkpqkn. Oxi Ckgwol, Fnbmkv'
- ClassName: 'Hvjfihj Jhqd, Job' WindowName: 'Nvynkgx, Pxtvosw'
- ClassName: 'Slky Rysamh. Nmvh' WindowName: 'Kfkb Kccb Bhxbbv Xb'
- ClassName: 'Sdvhoai Cwq, Ae' WindowName: 'Qjmue, Cvno. Unqb'
- ClassName: 'Wwwikmwylu' WindowName: 'Wwwikmwylu'
- ClassName: 'Fnbmkv, Bsjat. Em' WindowName: 'Vkpqkn. Oxi Ckgwol'
- ClassName: 'Ae' WindowName: 'Qjmue, Cvno. Unqb, Sdvhoai Cwq'
