Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'skunser' = 'C:\nate\svchest.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\tongjiya.exe
- %PROGRAM_FILES%\tongjiya.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A" /v hkey /d HKLM
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A" /v inimapping /d 0
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A" /v item /d TINTSETP
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A" /v command /d "<SYSTEM32>\IME\TINTLGNT\TINTSETP.EXE /IMEName"
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1" /v item /d IMJPMIG
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1" /v key /d SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A"
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync" /v inimapping /d 0
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync" /v item /d TINTSETP
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync" /v key /d SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync" /v hkey /d HKLM
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A" /v key /d SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync"
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync" /v command /d ""%WINDIR%\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32"
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1" /v inimapping /d 0
- <SYSTEM32>\cacls.exe <DRIVERS>\etc\hosts.ics /t /g everyone:F
- <SYSTEM32>\reg.exe export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %WINDIR%\2.reg
- <SYSTEM32>\reg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
- <SYSTEM32>\cacls.exe <DRIVERS>\etc\hosts /t /p users:n
- <SYSTEM32>\cmd.exe /c %WINDIR%\qingchu.bat
- <SYSTEM32>\reg.exe export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %WINDIR%\1.reg
- <SYSTEM32>\cacls.exe <DRIVERS>\etc\hosts /t /g everyone:F
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1"
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1" /v command /d ""%WINDIR%\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32"
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1" /v hkey /d HKLM
- <SYSTEM32>\reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /f
- <SYSTEM32>\reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
- <SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v ctfmon.exe /d <SYSTEM32>\ctfmon.exe
- <SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v skunser /d C:\nate\svchest.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\blank[1].gif
- C:\nate\funbots.bat
- C:\nate\svchest.exe
- C:\nate\system.yf
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\sun[1].txt
- C:\nate\Isinter.gif
- %WINDIR%\2.reg
- %WINDIR%\1.reg
- %WINDIR%\qingchu.bat
- %PROGRAM_FILES%\tongjiya.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\piao[1].exe
- %WINDIR%\▒╕╖▌╡─╞Ї╢п╧ю─┐.reg
Deletes the following files:
- C:\nate\Isinter.gif
- %WINDIR%\2.reg
- %WINDIR%\1.reg
Modifies the HOSTS file.
Network activity:
Connects to:
- 'st####.naver.net':80
- 'ti###ess888.com':80
- 'localhost':1036
- 'www.hi###pharm.com':80
TCP:
HTTP GET requests:
- ti###ess888.com/sun.txt
- st####.naver.net/w9/blank.gif
- www.hi###pharm.com/files/File/product/piao.exe
UDP:
- DNS ASK ti###ess888.com
- DNS ASK st####.naver.net
- DNS ASK www.hi###pharm.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
