Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'AntiSpyware Service' = '%TEMP%\igbz7e.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}' = 'ghya673gidh87we9inkff'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winupdate.exe' = '<SYSTEM32>\winupdate.exe'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
blocks the following features:
- System Restore (SR)
Creates and executes the following:
- %TEMP%\ueja73hkjd.exe
- %TEMP%\igbz7e.exe
- <SYSTEM32>\41.exe
- %TEMP%\na.exe
- %TEMP%\sp.exe
- %TEMP%\ppc.exe
- <SYSTEM32>\winupdate.exe
- <SYSTEM32>\41.exe (downloaded from the Internet)
Executes the following:
- %WINDIR%\explorer.exe
- <SYSTEM32>\cmd.exe /c ""%TEMP%\p2hhr.bat" "%TEMP%\na.exe""
- <SYSTEM32>\ntvdm.exe -f -i1
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\tajf83ikdmf.dll
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: <SYSTEM32>\tajf83ikdmf.dll
Terminates or attempts to terminate
the following user processes:
- chrome.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\download[1].pl
- <SYSTEM32>\AVR09.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\dm3[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\firewall[1].dll
- <SYSTEM32>\winhelper.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ndw[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ndw[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ndw[2].php
- <SYSTEM32>\41.exe
- %TEMP%\p2hhr.bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\get[1].pl
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\loads[1].php
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- %TEMP%\ppc.exe
- %TEMP%\sp.exe
- %TEMP%\soft.exe
- <SYSTEM32>\winupdate.exe
- %TEMP%\igbz7e.exe
- %TEMP%\cab124647DFW2S39JD.tmp
- %TEMP%\ueja73hkjd.exe
- %TEMP%\na.exe
- <SYSTEM32>\tajf83ikdmf.dll
Sets the 'hidden' attribute to the following files:
- %TEMP%\igbz7e.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\loads[1].php
- %TEMP%\na.exe
- <SYSTEM32>\winupdate.exe
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
Network activity:
Connects to:
- 'te###vrdown.com':80
- 'mi##a.com':80
- 'wi##hx.cn':80
- 'on####scanxppro.com':80
- 'do####adavr3.com':80
- 'in##t.com':80
TCP:
HTTP GET requests:
- te###vrdown.com/cgi-bin/get.pl?l=#######
- in##t.com/ndw/ndw.php?id########################
- wi##hx.cn/ndw/ndw.php?id########################
- mi##a.com/ndw/ndw.php?id########################
- do####adavr3.com/firewall.dll
- on####scanxppro.com/loads.php?co##########
- do####adavr3.com/cgi-bin/download.pl?co##########
- in##t.com/ndw/dm3.php?id########################
UDP:
- DNS ASK te###vrdown.com
- DNS ASK mi##a.com
- DNS ASK wi##hx.cn
- DNS ASK on####scanxppro.com
- DNS ASK do####adavr3.com
- DNS ASK in##t.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-9d0.9d4.380001'
- ClassName: 'Shell_TrayWnd' WindowName: ''
