Technical Information
Malicious functions:
Creates and executes the following:
- '<Current directory>\wdreg.exe' -inf windrvr6.inf -silent install
Executes the following:
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\runme.bat""
Modifies file system :
Creates the following files:
- %TEMP%\CabE.tmp
- <SYSTEM32>\DRVSTORE\windrvr6_99DB507BB0DA28ABF06DE42538E3ABF657BAB3AB\windrvr6.sys
- %TEMP%\Cab10.tmp
- %WINDIR%\inf\oem3.PNF
- %WINDIR%\inf\oem3.inf
- %TEMP%\Cab8.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
- %TEMP%\CabA.tmp
- <SYSTEM32>\DRVSTORE\windrvr6_99DB507BB0DA28ABF06DE42538E3ABF657BAB3AB\wd920.cat
- <SYSTEM32>\DRVSTORE\windrvr6_99DB507BB0DA28ABF06DE42538E3ABF657BAB3AB\windrvr6.inf
- <DRIVERS>\SET1E.tmp
- %TEMP%\Cab1C.tmp
- %TEMP%\Cab1F.tmp
- <Current directory>\out.log
- %TEMP%\Cab21.tmp
- %TEMP%\Cab14.tmp
- %TEMP%\Cab12.tmp
- %TEMP%\Cab16.tmp
- %TEMP%\Cab1A.tmp
- %TEMP%\Cab18.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- <Current directory>\windrvr6.sys
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- <Current directory>\difxapi.dll
- %TEMP%\1.tmp\runme.bat
- <Current directory>\wd920.cat
- <Current directory>\windrvr6.inf
- <Current directory>\wdreg.exe
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
- %TEMP%\Cab4.tmp
- %TEMP%\Cab2.tmp
- %TEMP%\Cab6.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
Deletes the following files:
- %TEMP%\Cab21.tmp
- <Current directory>\out.log
- %TEMP%\Cab1F.tmp
- %TEMP%\Cab1A.tmp
- %TEMP%\Cab1C.tmp
- <Current directory>\difxapi.dll
- <Current directory>\windrvr6.sys
- %TEMP%\1.tmp\runme.bat
- <Current directory>\windrvr6.inf
- <Current directory>\wd920.cat
- <Current directory>\wdreg.exe
- %TEMP%\Cab8.tmp
- %TEMP%\CabA.tmp
- %TEMP%\Cab6.tmp
- %TEMP%\Cab2.tmp
- %TEMP%\Cab4.tmp
- %TEMP%\CabE.tmp
- %TEMP%\Cab16.tmp
- %TEMP%\Cab18.tmp
- %TEMP%\Cab14.tmp
- %TEMP%\Cab10.tmp
- %TEMP%\Cab12.tmp
Moves the following files:
- from <DRIVERS>\SET1E.tmp to <DRIVERS>\windrvr6.sys
Network activity:
Connects to:
- 'crl.verisign.com':80
- 'cs######4-crl.verisign.com':80
- 'wp#d':80
- 'www.download.windowsupdate.com':80
TCP:
HTTP GET requests:
- cs######4-crl.verisign.com/CSC3-2004.crl
- crl.verisign.com/ThawteTimestampingCA.crl
- crl.verisign.com/tss-ca.crl
- crl.verisign.com/pca3.crl
- wp#d/wpad.dat
- www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
- www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
UDP:
- DNS ASK crl.verisign.com
- DNS ASK cs######4-crl.verisign.com
- DNS ASK wp#d
- DNS ASK www.download.windowsupdate.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
