Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'QuickTime Task' = '%ProgramFiles(x86)%\Quicktime\QTTask.exe'
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe
Modifies file system
Creates the following files
- %TEMP%\okpkkxne.0.vb
- %TEMP%\okpkkxne.cmdline
- %TEMP%\okpkkxne.out
- %TEMP%\vbc595d.tmp
- %TEMP%\res598d.tmp
- %TEMP%\okpkkxne.dll
- %ProgramFiles(x86)%\quicktime\qttask.exe
- %TEMP%\fstg1t0q.0.vb
- %TEMP%\fstg1t0q.cmdline
- %TEMP%\fstg1t0q.out
- %TEMP%\vbc63dc.tmp
- %TEMP%\res640c.tmp
- %TEMP%\fstg1t0q.dll
- %TEMP%\user2.txt
- %TEMP%\user7
- %TEMP%\user8
Deletes the following files
- %TEMP%\res598d.tmp
- %TEMP%\vbc595d.tmp
- %TEMP%\okpkkxne.cmdline
- %TEMP%\okpkkxne.0.vb
- %TEMP%\okpkkxne.out
- %TEMP%\okpkkxne.dll
- %TEMP%\res640c.tmp
- %TEMP%\vbc63dc.tmp
- %TEMP%\fstg1t0q.dll
- %TEMP%\fstg1t0q.out
- %TEMP%\fstg1t0q.cmdline
- %TEMP%\fstg1t0q.0.vb
- %TEMP%\user2.txt
- %TEMP%\user8
- %TEMP%\user7
Substitutes the following files
- %TEMP%\user8
- %TEMP%\user7
Network activity
UDP
- DNS ASK da######audede.dyndns.org
- DNS ASK mu#####ahara.no-ip.info
- DNS ASK sy######elrich.no-ip.org
Miscellaneous
Creates and executes the following
- '%ProgramFiles(x86)%\quicktime\qttask.exe'
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\okpkkxne.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES598D.tmp" "%TEMP%\vbc595D.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fstg1t0q.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES640C.tmp" "%TEMP%\vbc63DC.tmp"' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\okpkkxne.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES598D.tmp" "%TEMP%\vbc595D.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fstg1t0q.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES640C.tmp" "%TEMP%\vbc63DC.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe'
