Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<DRIVERS>\svchost.exe' = '<DRIVERS>\svchost.exe:*:Enabled:Secure Connection driver'
Creates and executes the following:
- '<DRIVERS>\svchost.exe' -Install -c"<DRIVERS>\Default.cfg"
- '<DRIVERS>\svchost.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 1068 "Secure Connection driver"
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 1067 "Secure Connection driver"
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <DRIVERS>\svchost.exe "Secure Connection driver" ENABLE
Modifies file system :
Creates the following files:
- <DRIVERS>\Default.cfg
- <LS_APPDATA>\www.eBay.co.uk\<Virus name>.exe_Url_hqhyc0ccon4alkgxc4ifkamnb3wj00nb\1.0.0.0\01chq9h2.newcfg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\check[1].php
- <DRIVERS>\svchost.exe
- <DRIVERS>\FreeProxyDLL400.dll
- <DRIVERS>\FreeProxyFTP.TEM
Moves the following files:
- from <LS_APPDATA>\www.eBay.co.uk\<Virus name>.exe_Url_hqhyc0ccon4alkgxc4ifkamnb3wj00nb\1.0.0.0\01chq9h2.newcfg to <LS_APPDATA>\www.eBay.co.uk\<Virus name>.exe_Url_hqhyc0ccon4alkgxc4ifkamnb3wj00nb\1.0.0.0\user.config
Network activity:
Connects to:
- 'localhost':1042
- 'se####d-client.com':80
- 'wp#d':80
TCP:
HTTP GET requests:
- se####d-client.com/3.src
- se####d-client.com/4.src
- se####d-client.com/check.php?ui###########
- wp#d/wpad.dat
- se####d-client.com/1.src
- se####d-client.com/2.src
UDP:
- DNS ASK se####d-client.com
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
