Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
Executes the following
- '%WINDIR%\syswow64\net.exe' stop wscsvc
- '%WINDIR%\syswow64\net.exe' stop sharedaccess
- '%WINDIR%\syswow64\net.exe' stop "Security Center"
Searches for windows to
detect programs and games:
- ClassName: '', WindowName: 'Yahoo! Messenger'
Modifies file system
Creates the following files
- %TEMP%\tmp1.exe
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\info_48[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\background_gradient[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\http_500_weboc[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\down[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\bullet[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\background_gradient[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\http_500_weboc[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\down[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\bullet[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\background_gradient[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\dnserrordiagoff_weboc[1]
- %TEMP%\nslf9f9.tmp\langdll.dll
- %TEMP%\nsvf9e8.tmp
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\bullet[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\down[1]
Deletes the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\background_gradient[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\bullet[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\down[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\http_500_weboc[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\background_gradient[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\bullet[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\down[1]
Substitutes the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagetemplate[1]
Network activity
TCP
HTTP GET requests
- http://www.ak#####.justfree.com/index.php?ac####################################
- http://www.ak#####.justfree.com/home?ac####################################
UDP
- DNS ASK ak#####.justfree.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%TEMP%\tmp1.exe'
- '%WINDIR%\syswow64\net.exe' stop wscsvc' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop sharedaccess' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net stop "Security Center"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net stop SharedAccess' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c net stop "Security Center"
- '%WINDIR%\syswow64\cmd.exe' /c net stop SharedAccess
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\net1.exe' stop wscsvc
- '%WINDIR%\syswow64\net1.exe' stop SharedAccess
- '%WINDIR%\syswow64\net1.exe' stop "Security Center"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
