Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'SonyAgent' = '<Full path to virus>'
Malicious functions:
Searches for registry branches where third party applications store passwords:
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\BPFTP]
- [<HKCU>\Software\BPFTP]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\SOFTWARE\Microsoft\MessengerService]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\SOFTWARE\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\SOFTWARE\Far\SavedDialogHistory\FTPHost]
Modifies file system :
Creates the following files:
- <DRIVERS>\npf.sys
- <SYSTEM32>\wpcap.dll
- <SYSTEM32>\Packet.dll
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Network activity:
Connects to:
- 'localhost':1091
- 'localhost':1088
- '89.##.144.49':80
- 'localhost':1097
- 'localhost':1094
- '21#.#5.193.187':80
- 'localhost':1079
- 'localhost':1082
- '14#.#3.15.235':80
- 'localhost':1085
- '46.##9.80.43':80
- 'localhost':1113
- '18#.#31.173.99':80
- '17#.#37.193.93':80
- '46.##9.160.50':80
- 'localhost':1117
- 'localhost':1103
- 'localhost':1100
- '78.##.139.107':80
- 'localhost':1109
- 'localhost':1106
- 'localhost':1049
- 'localhost':1046
- '12#.#10.175.202':80
- 'localhost':1055
- 'localhost':1052
- '78.##.193.176':80
- 'localhost':1037
- 'localhost':1040
- '2.##4.45.70':80
- 'localhost':1043
- '14#.#55.91.19':80
- 'localhost':1070
- '18#.#31.130.68':80
- 'localhost':1073
- 'localhost':1076
- '10#.#85.118.66':80
- 'localhost':1061
- 'localhost':1058
- '12#.#25.254.28':80
- 'localhost':1067
- 'localhost':1064
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
