Technical Information
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\winsoft9\test.exe
- %TEMP%\PPTV(pplive)_forqd313.exe
- %PROGRAM_FILES%\winsoft9\t2.exe
- %PROGRAM_FILES%\winsoft9\bho.exe
- %TEMP%\PPTV(pplive)_forqd313.exe (downloaded from the Internet)
Executes the following:
- %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://58.###.198.119:8080/count.asp?ma################################ Windows XP&flag=fac166ca13297b62a7103ae0bb62a92f&user=test
- <SYSTEM32>\wscript.exe "%PROGRAM_FILES%\winsoft9\1.vbs"
Modifies file system :
Creates the following files:
- %HOMEPATH%\Favorites\їґїґµзКУѕзФЪПЯґуИ«,,,ЧоєГВМЙ«ЧоРВёЯЛЩГв·СµзКУѕзНшХѕ!.url
- %HOMEPATH%\Favorites\ГАЕ®·бРШґуГШѕч-20МмДЪСёЛЩФцґуґуґу!.url
- %HOMEPATH%\Favorites\°¬іИЕ®Ч°--ЧоГААцК±ЙРµДЕ®Ч°Ж·ЕЖ.ГАЕ®ВтТВЈ¬ГлЙ±°¬іИЕ®Ч°!!.url
- %HOMEPATH%\Favorites\ЧїФЅСЗВнС·НшЙП№єОпНјКйЈ¬КЦ»ъЈ¬КэВлЈ¬јТµзЈ¬»ЇЧ±Ж·Ј¬ЦУ±нЈ¬КЧКОµИФЪПЯПъКЫ.url
- %HOMEPATH%\Favorites\МФ±¦Нш - МФЈЎОТПІ»¶.url
- %HOMEPATH%\Favorites\45575.comФЪПЯµДРЎУОП·.ЧоєГНжЧоРВЧоїмїбі¬ј¶РЎУОП·!.url
- %HOMEPATH%\Favorites\µ±µ±НшЎЄНшЙП№єОпЦРРД.url
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\PPTV(pplive)_forqd313[1].exe
- %TEMP%\History\History.IE5\desktop.ini
- %WINDIR%\Survival_0.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\qvoddianying[1]
- %TEMP%\Temporary Internet Files\Content.IE5\4H6785YF\desktop.ini
- %TEMP%\PPTV(pplive)_forqd313.exe
- %TEMP%\Temporary Internet Files\Content.IE5\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\GPUZUPIV\desktop.ini
- %HOMEPATH%\Favorites\ЧоРВФЪПЯРЎЛµГв·СµДФД¶Б.·бё»ДЪИЭЛЩ¶ИїмµДРЎЛµХѕ!.url
- %PROGRAM_FILES%\winsoft9\3.vbs
- %PROGRAM_FILES%\winsoft9\test.exe
- %PROGRAM_FILES%\winsoft9\t2.exe
- %PROGRAM_FILES%\winsoft9\1.vbs
- %PROGRAM_FILES%\winsoft9\bho.exe
- %PROGRAM_FILES%\winsoft9\WINDOWS\time\mian.dil
- %PROGRAM_FILES%\winsoft9\WINDOWS\time\mian.dll
- %PROGRAM_FILES%\winsoft9\taobao.ico
- %HOMEPATH%\Favorites\ЧоРВј«Ж·ВМЙ«єГµДµзУ°ївГв·С.ёЯЗеёЯЛЩЈЎМмМмёьРВ!!.url
- %HOMEPATH%\Favorites\МмМмёьРВ!!.url
- %HOMEPATH%\Favorites\ЦР№ъёЈАыІКЖ±Ј¬МеУэІКЖ±µДН¶ЧўЦРРД.ІКЖ±ґуУ®јТ!.url
- C:\b.html
- %PROGRAM_FILES%\winsoft9\game.ico
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.url
Sets the 'hidden' attribute to the following files:
- %TEMP%\Temporary Internet Files\Content.IE5\4H6785YF\desktop.ini
- %TEMP%\History\History.IE5\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\GPUZUPIV\desktop.ini
Network activity:
Connects to:
- '58.##8.198.119':8080
- 'www.qv####anying.com':80
- 'localhost':1039
- 'localhost':1036
- 'do####ad.pplive.com':80
TCP:
HTTP GET requests:
- www.qv####anying.com/?qi###
- do####ad.pplive.com/PPTV(pplive)_forqd313.exe
UDP:
- DNS ASK www.qv####anying.com
- DNS ASK do####ad.pplive.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Maxthon2_Frame' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
