Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Kingsoft Antivirus WebShield Service] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%ALLUSERSPROFILE%\Application Data\smes\smes.exe' -install
- '%ALLUSERSPROFILE%\Application Data\smes\smes.exe' -start
- '%ALLUSERSPROFILE%\Application Data\smes\smes.exe'
- '%PROGRAM_FILES%\soft090204\setup_0904.exe'
- '%PROGRAM_FILES%\soft090204\w_0904.exe'
- '%PROGRAM_FILES%\soft090204\setup_0904.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\ntvdm.exe' -f -i1
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\soft090204\b_0904.vbe"
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://www.ad##ma.cn/g/
- '%WINDIR%\sleep.exe' 500
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\soft090204\C_0420110403040416020409040404.txt
- %PROGRAM_FILES%\soft090204\0420110403040416020409040404.txt
- %PROGRAM_FILES%\soft090204\B_0420110403040416020409040404.txt
- %TEMP%\nse2.tmp\NSISdl.dll
- %TEMP%\nsk4.tmp\FindProcDLL.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\g[1]
- %PROGRAM_FILES%\soft090204\setup_0904.exe
- %PROGRAM_FILES%\soft090204\w_0904.exe
- %PROGRAM_FILES%\FlashC\tabs\tabs.ini
- %PROGRAM_FILES%\FlashC\tabs\Thumbs.db
- %PROGRAM_FILES%\FlashC\tabs\TabbaseT.bmp
- %ALLUSERSPROFILE%\Desktop\ Internot Explarer .lnk
- %PROGRAM_FILES%\soft090204\smes.exe
- %PROGRAM_FILES%\soft090204\a
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\ Internot Explarer .lnk
- %ALLUSERSPROFILE%\Application Data\smes\kswbc.dll
- %TEMP%\temg_tmp.bat
- %TEMP%\nsk4.tmp\AccessControl.dll
- %ALLUSERSPROFILE%\Application Data\kingsoft\kws\spot.ini
- %ALLUSERSPROFILE%\Application Data\smes\KWSSVC.log
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs5.tmp
- %PROGRAM_FILES%\soft090204\s_0904.exe
- %ALLUSERSPROFILE%\Application Data\kingsoft\kws\spitesp.dat
- %ALLUSERSPROFILE%\Application Data\smes\kwsui.dll
- %ALLUSERSPROFILE%\Application Data\smes\kwssp.dll
- %ALLUSERSPROFILE%\Application Data\smes\kswebshield.dll
- %ALLUSERSPROFILE%\Application Data\smes\smes.exe
- %ALLUSERSPROFILE%\Application Data\kingsoft\kws\kws.ini
- %ALLUSERSPROFILE%\Application Data\smes\a
- %ALLUSERSPROFILE%\Application Data\smes\u.bat
- %PROGRAM_FILES%\FlashC\tabs\TabbaseB.bmp
- %PROGRAM_FILES%\FlashC\inc\msg.jpg
- %PROGRAM_FILES%\FlashC\inc\cls.jpg
- %PROGRAM_FILES%\FlashC\inc\Thumbs.db
- %PROGRAM_FILES%\FlashC\inc\nocls.jpg
- %PROGRAM_FILES%\FlashC\search\searchs.ini
- %PROGRAM_FILES%\FlashC\search\mul.ini
- %PROGRAM_FILES%\FlashC\inc\nomsg.jpg
- %PROGRAM_FILES%\FlashC\inc\Progress.bmp
- %PROGRAM_FILES%\FlashC\FlashC.exe
- %PROGRAM_FILES%\FlashC\CrCom.dll
- %PROGRAM_FILES%\FlashC\Config.dat
- %PROGRAM_FILES%\FlashC\LCmnCtrl32.dll
- %PROGRAM_FILES%\FlashC\inc\NoHide.gif
- %PROGRAM_FILES%\FlashC\inc\Hide.gif
- %PROGRAM_FILES%\FlashC\lexplorer.ini
- %PROGRAM_FILES%\FlashC\Plugin\GetWebSnap\GetWebSnap.dll
- %PROGRAM_FILES%\FlashC\tabs\TabActive_L.bmp
- %PROGRAM_FILES%\FlashC\tabs\TabActive_C.bmp
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\tabs.ini
- %PROGRAM_FILES%\FlashC\tabs\TabActive_R.bmp
- %PROGRAM_FILES%\FlashC\tabs\TabNormal_R.bmp
- %PROGRAM_FILES%\FlashC\tabs\TabNormal_L.bmp
- %PROGRAM_FILES%\FlashC\tabs\TabNormal_C.bmp
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\Thumbs.db
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\TabActive_L.bmp
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\TabActive_C.bmp
- %PROGRAM_FILES%\FlashC\Plugin\GetWebSnap\GetWebSnap.ini
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\TabActive_R.bmp
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\TabNormal_R.bmp
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\TabNormal_L.bmp
- %PROGRAM_FILES%\FlashC\tabs\tabsDown\TabNormal_C.bmp
Deletes the following files:
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs6.tmp
- %TEMP%\nsk4.tmp\AccessControl.dll
- %TEMP%\nsk4.tmp\FindProcDLL.dll
Moves the following files:
- from %PROGRAM_FILES%\soft090204\0420110403040416020409040404.txt to %PROGRAM_FILES%\soft090204\b_0904.vbe
- from %PROGRAM_FILES%\soft090204\C_0420110403040416020409040404.txt to %PROGRAM_FILES%\soft090204\C_0904.vbe
- from %PROGRAM_FILES%\soft090204\B_0420110403040416020409040404.txt to %PROGRAM_FILES%\soft090204\B.bat
- from %PROGRAM_FILES%\soft090204\a to %PROGRAM_FILES%\soft090204\090204.txt
- from %PROGRAM_FILES%\soft090204\smes.exe to %PROGRAM_FILES%\soft090204\w_0904.exe
Network activity:
Connects to:
- 'www.ad##ma.cn':80
- 'oo.##mtb.info':888
- 'do##.#aodown123.com':80
- 'localhost':1038
TCP:
HTTP GET requests:
- www.ad##ma.cn/g/
- do##.#aodown123.com/soft/?so#############################
UDP:
- DNS ASK oo.##mtb.info
- DNS ASK www.ad##ma.cn
- DNS ASK do##.#aodown123.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'kws::OSUCWindowClass' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ca0.ca4.3a0001'
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
