Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Windows Audio Driver] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Windows Audio Driver] 'ImagePath' = 'cmd.exe /c start %CommonProgramFiles%\Services\svchost.exe'
Malicious functions:
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Modifies file system:
Creates the following files:
- %CommonProgramFiles%\Services\system\svchost.exe
- %CommonProgramFiles%\Services\svchost.exe
- %ProgramFiles%\Windows NT\DESKT0P.INI
- C:\Documents and Settings\LocalService\Local Settings\<INETFILES>\Content.IE5\CJCTQ25G\kj[1].jpg
Network activity:
Connects to:
- 'kj.###ilingyuan.com':80
TCP:
HTTP GET requests:
- http://kj.###ilingyuan.com/kj.jpg
UDP:
- DNS ASK kj.###ilingyuan.com
Miscellaneous:
Creates and executes the following:
- '%CommonProgramFiles%\Services\svchost.exe'
Executes the following:
- '<SYSTEM32>\cmd.exe' /c start %CommonProgramFiles%\Services\svchost.exe
