Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'winchk' = '%ALLUSERSPROFILE%\Application Data\WebExt\winchk.exe'
Malicious functions
Creates and loads libraries (exploit)
- %ALLUSERSPROFILE%\application data\webext\cssys.dll
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: %ALLUSERSPROFILE%\Application Data\WebExt\cssys.dll
Searches for windows to
detect programs and games:
- ClassName: 'AOL Frame25', WindowName: ''
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\application data\netext\udat.dat
- %ALLUSERSPROFILE%\application data\webext\winchk.exe
- %ALLUSERSPROFILE%\application data\webext\cssys.dll
- %ALLUSERSPROFILE%\application data\webext\iusys.dll
- %ALLUSERSPROFILE%\application data\netext\user\uman.dat
- %ALLUSERSPROFILE%\application data\netext\user\action.log
- %ALLUSERSPROFILE%\application data\netext\user\win.log
- %ALLUSERSPROFILE%\application data\netext\user\app.log
- %TEMP%\etilqs_gj5kfyr0n4ktypt
- %TEMP%\etilqs_hmageel9xqchqnu
- %ALLUSERSPROFILE%\application data\netext\user\sysinfo.log
Sets the 'hidden' attribute to the following files
- %ALLUSERSPROFILE%\application data\webext\winchk.exe
- %ALLUSERSPROFILE%\application data\webext\cssys.dll
- %ALLUSERSPROFILE%\application data\webext\iusys.dll
Substitutes the following files
- <SYSTEM32>\d3d9caps.dat
Network activity
UDP
- DNS ASK re###.opera.com
- DNS ASK mc.yandex.ru
- DNS ASK mail.yandex.ru
- DNS ASK si#####ck2.opera.com
- DNS ASK re###espy.com
- DNS ASK au######te.geo.opera.com
Miscellaneous
Searches for the following windows
- ClassName: 'RSClass' WindowName: 'RS'
- ClassName: 'OUIWINDOW' WindowName: ''
- ClassName: 'MozillaUIWindowClass' WindowName: ''
- ClassName: 'MSN6 Window' WindowName: ''
- ClassName: 'Edit' WindowName: ''
- ClassName: 'ComboBox' WindowName: ''
- ClassName: 'ComboBoxEx32' WindowName: ''
- ClassName: 'ReBarWindow32' WindowName: ''
- ClassName: 'WorkerW' WindowName: ''
- ClassName: 'TabWindowClass' WindowName: 'about:blank - Microsoft Internet Explorer'
- ClassName: 'TabWindowClass' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Chat View' WindowName: ''
- ClassName: 'Opera Main Window' WindowName: ''
- ClassName: 'TskMultiChatForm.UnicodeClass' WindowName: ''
- ClassName: 'IMClass' WindowName: ''
- ClassName: 'YSearchMenuWndClass' WindowName: ''
- ClassName: 'IMWindowClass' WindowName: ''
- ClassName: 'DlgGroupChat Window Class' WindowName: ''
- ClassName: '#32770' WindowName: ''
- ClassName: 'AIM_ChatWnd' WindowName: ''
- ClassName: 'AIM_IMessage' WindowName: ''
- ClassName: 'DeadAIM_TabbedIM' WindowName: ''
- ClassName: '__oxFrame.class__' WindowName: ''
- ClassName: 'AOL Child' WindowName: ''
- ClassName: 'MDIClient' WindowName: ''
- ClassName: 'SpyClass' WindowName: 'RemoteSpy'
- ClassName: 'YahooBuddyMain' WindowName: ''
- ClassName: 'Opera_MessageWindow' WindowName: '%APPDATA%\Opera Software\Opera Stable'
Creates and executes the following
- '%ALLUSERSPROFILE%\application data\webext\winchk.exe'
- '%ProgramFiles%\opera\launcher.exe' ' (with hidden window)
Executes the following
- '%ProgramFiles%\opera\launcher.exe'
- '%ProgramFiles%\opera\35.0.2066.92\opera.exe' --ran-launcher
- '%ProgramFiles%\opera\35.0.2066.92\opera_crashreporter.exe' --ran-launcher --crash-reporter-parent-id=4008
- '%ProgramFiles%\opera\35.0.2066.92\opera.exe' --type=renderer --alt-high-dpi-setting=96 --system-dpi-setting=96 --disable-direct-npapi-requests --disable-win32k-renderer-lockdown --lang=en-US --extension-process --enable-webrtc-hw-h264-enc...
- '%ProgramFiles%\opera\35.0.2066.92\opera.exe' --type=renderer --alt-high-dpi-setting=96 --system-dpi-setting=96 --disable-direct-npapi-requests --disable-win32k-renderer-lockdown --lang=en-US --disable-client-side-phishing-detection --with...
- '%ProgramFiles%\opera\35.0.2066.92\opera_crashreporter.exe' --ran-launcher --crash-reporter-parent-id=528
