Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\gbwxxquzyx.url
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\notepad.exe
Modifies file system
Creates the following files
- %PROGRAMDATA%\zrbebqtcgq\cfgi
- %PROGRAMDATA%\zrbebqtcgq\cfg
- %PROGRAMDATA%\zrbebqtcgq\sysdrv32
- %PROGRAMDATA%\zrbebqtcgq\r.vbs
Deletes the following files
- %PROGRAMDATA%\zrbebqtcgq\r.vbs
Moves the following files
- from %PROGRAMDATA%\zrbebqtcgq\sysdrv32 to %PROGRAMDATA%\zrbebqtcgq\sysdrv32.exe
Substitutes the following files
- %PROGRAMDATA%\zrbebqtcgq\r.vbs
Network activity
TCP
- '92.##.197.190':5657
Miscellaneous
Executes the following
- '%WINDIR%\notepad.exe' -c "%PROGRAMDATA%\ZRBEbQTcgq\cfg"
- '%WINDIR%\syswow64\cmd.exe' /C WScript "%PROGRAMDATA%\ZRBEbQTcgq\r.vbs"
- '%WINDIR%\syswow64\wscript.exe' "%PROGRAMDATA%\ZRBEbQTcgq\r.vbs"
- '%WINDIR%\notepad.exe' -c "%PROGRAMDATA%\ZRBEbQTcgq\cfgi"
