Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe
Modifies file system
Creates the following files
- %TEMP%\s.bat
- %TEMP%\<File name>.exe.pid
Network activity
Connects to
- 'i-###ori.com':80
- 'if##ulk.com':80
- 'il##te.com':80
TCP
HTTP GET requests
- http://17#.##1.14.125:8888/bots/knock?wo######################################
- http://hd##ex.com/dba.sql.zip
- http://he###cal.com/dba.sql.zip
- http://he###wdress.com/dba.sql.zip
- http://hi####fashion.com/dba.sql.zip
- http://hf###search.com/dba.sql.zip
- http://he###songs.com/dba.sql.zip
- http://he####fabrikasi.com/dba.sql.zip
- http://ha###carbon.com/dba.sql.zip
- http://he#####eofscotland.com/dba.sql.zip
- http://hi##boy.com/dba.sql.zip
- http://hi####butler.com/dba.sql.zip
- http://he####tdoors.com/dba.sql.zip
- http://ho###ack.co.uk/dba.sql.zip
- http://hi###pod101.com/dba.sql.zip
- http://he####biopharm.shop/dba.sql.zip
- http://ho####ingdirect.com/dba.sql.zip
- http://hi###yass.com/dba.sql.zip
- http://he#####ldiamonds.com/dba.sql.zip
- http://gr###ibes.com/dba.sql.zip
- http://gr###rushes.com/dba.sql.zip
- http://gr######ntaindiapers.com/dba.sql.zip
- http://gu##7.com/dba.sql.zip
- http://he######tonesboutique.com/dba.sql.zip
- http://ha####nikken.com/dba.sql.zip
- http://ha#####furniture.co.uk/dba.sql.zip
- http://ha####re-brands.com/dba.sql.zip
- http://gu#####necentral.com/dba.sql.zip
- http://ha####urluck.com/dba.sql.zip
- http://ha###izeme.com/dba.sql.zip
- http://he###hy-pet.com/dba.sql.zip
- http://ha###nzarei.com/dba.sql.zip
- http://ha####sbretzel.com/dba.sql.zip
- http://ha#####encostumes.co.uk/dba.sql.zip
- http://he####ndypro.com/dba.sql.zip
- http://he###asters.com/dba.sql.zip
- http://hd##sk.com/dba.sql.zip
- http://ha###tishop.com/dba.sql.zip
- http://go###all.com/dba.sql.zip
- http://ha###urena.com/dba.sql.zip
- http://ge####negifts.com/dba.sql.zip
- http://he####matesauna.com/dba.sql.zip
- http://ho#####olatedesign.com/dba.sql.zip
- http://ht####ailcheck.com/dba.sql.zip
- http://hs###tasiye.com/dba.sql.zip
- http://hu####driguez.com/dba.sql.zip
- http://hy###ndhare.com/dba.sql.zip
- http://i-####ervices.com/dba.sql.zip
- http://ho##tee.com/dba.sql.zip
- http://gr###hgurus.com/dba.sql.zip
- http://hi##hew.com/dba.sql.zip
- http://he###tch.com/dba.sql.zip
- http://ic##u.com/dba.sql.zip
- http://id####eptstores.com/dba.sql.zip
- http://ho###-icon.com/dba.sql.zip
- http://ho###topuss.com/dba.sql.zip
- http://id##do.com/dba.sql.zip
- http://ia##fg.com/dba.sql.zip
- http://ho###nix.com/dba.sql.zip
- http://ha#####cewarehouse.com/dba.sql.zip
- http://hv####rtsshop.com/dba.sql.zip
- http://gr#####pleactive.com/dba.sql.zip
- http://ha#####alwilltravel.com/dba.sql.zip
- http://ho###nger.co.uk/dba.sql.zip
- http://hi###aeve.com/dba.sql.zip
- http://ho###animo.com/dba.sql.zip
- http://ho##ard.com/dba.sql.zip
- http://ho###bum.com/dba.sql.zip
- http://ho####ndlattice.com/dba.sql.zip
- http://ho###cur.com/dba.sql.zip
- http://ho###shoes.com/dba.sql.zip
- http://ho###leitem.com/dba.sql.zip
- http://ho####ffaiza.co.uk/dba.sql.zip
- http://ho#####balltickets.com/dba.sql.zip
- http://hu####sutler.com/dba.sql.zip
- http://ho###uys.com/dba.sql.zip
- http://hu###hemes.com/dba.sql.zip
- http://ha#####accessories.com/dba.sql.zip
- http://ho###keup.com/dba.sql.zip
- http://ho####rcelona.com/dba.sql.zip
- http://id####aymedia.com/dba.sql.zip
- http://ha###luxe.com/dba.sql.zip
- http://gr##co.ca/dba.sql.zip
- http://ge####alouise.com/dba.sql.zip
- http://gl##ly.com/dba.sql.zip
- http://gl#####randsstore.com/dba.sql.zip
- http://gl###hop.co.uk/dba.sql.zip
- http://ho####itness.com/dba.sql.zip
- http://ge###bra.com/dba.sql.zip
- http://gl###soft.com/dba.sql.zip
- http://gh###rifles.com/dba.sql.zip
- http://ge###2me.com/dba.sql.zip
- http://go####anesabz.com/dba.sql.zip
- http://gl####rtanks.com/dba.sql.zip
- http://go####earning.com/dba.sql.zip
- http://gi##s.com/dba.sql.zip
- http://gl###lkart.com/dba.sql.zip
- http://go###kplus.com/dba.sql.zip
- http://ge####eporgy.com/dba.sql.zip
- http://go###rdings.com/dba.sql.zip
- http://ge####rguide.co.uk/dba.sql.zip
- http://ge####rboomback.com/dba.sql.zip
- http://17#.##1.14.125:8888/project/active
- http://17#.##1.14.125:8888/gw?wo#####################
- http://17#.##1.14.125:8888/gw?wo#####
- http://ge##xa.com/dba.sql.zip
- http://ge####design.com/dba.sql.zip
- http://id####nghold.com/dba.sql.zip
- http://if##ral.com/dba.sql.zip
- http://ik###music.com/dba.sql.zip
- http://17#.##1.14.125:8888/bots/chkVersion?cu####################
- http://gh##t.co.uk/dba.sql.zip
- http://gi####opiola.com/dba.sql.zip
- http://gi###amo.com/dba.sql.zip
- http://if###orld.com/dba.sql.zip
- http://gr###rimpor.com/dba.sql.zip
- http://ge###ode.com/dba.sql.zip
- http://ge###timo.com/dba.sql.zip
- http://go####orobooks.com/dba.sql.zip
- http://gi###gram.com/dba.sql.zip
- http://go###sport.com/dba.sql.zip
- http://ge###door.com/dba.sql.zip
- http://go##ise.com/dba.sql.zip
- http://go####uscosmos.com/dba.sql.zip
- http://go####barrel.com/dba.sql.zip
- http://gu##ed.com/dba.sql.zip
- http://gr###ooms.com/dba.sql.zip
- http://gu#####nesecurity.com/dba.sql.zip
- http://gu###steel.com/dba.sql.zip
- http://gr####penings.com/dba.sql.zip
- http://gu###irenze.com/dba.sql.zip
- http://gi####ishiba.com/dba.sql.zip
- http://gr###auren.com/dba.sql.zip
- http://go###ature.com/dba.sql.zip
- http://gr###omacro.com/dba.sql.zip
- http://go####aservers.com/dba.sql.zip
- http://gr####itruvian.com/dba.sql.zip
- http://ha###ritea.com/dba.sql.zip
- http://h2####tributors.com/dba.sql.zip
- http://gu#####schampignons.com/dba.sql.zip
- http://go###tate.com/dba.sql.zip
- http://gr##.com/dba.sql.zip
- http://ho##20.com/dba.sql.zip
- http://hv###rain.com/dba.sql.zip
- http://gr####icolls.co.uk/dba.sql.zip
- http://go#####dwordsppcseo.com/dba.sql.zip
- http://go####rcatalog.com/dba.sql.zip
- http://go###p-net.com/dba.sql.zip
- http://go####heeseshop.com/dba.sql.zip
- http://gr####ldteam.com/dba.sql.zip
- http://gr###ishes.com/dba.sql.zip
- http://ga##.co.uk/dba.sql.zip
- http://hi###ishop.com/dba.sql.zip
- http://go####n-beaute.com/dba.sql.zip
- http://gr###ine.com/dba.sql.zip
- http://gr####cosmetics.com/dba.sql.zip
- http://gr#####ndgreen.co.uk/dba.sql.zip
- http://gr##s28.com/dba.sql.zip
- http://gr###art.co.uk/dba.sql.zip
- http://go####rsports.com/dba.sql.zip
- http://gr###clubs.com/dba.sql.zip
- http://gr###cci.com/dba.sql.zip
- http://gr####fields.com/dba.sql.zip
- http://hu#####furniture.com/dba.sql.zip
UDP
- DNS ASK ge##xa.com
- DNS ASK hi##boy.com
- DNS ASK ho###ack.co.uk
- DNS ASK ho####ingdirect.com
- DNS ASK ho##ard.com
- DNS ASK ho####rcelona.com
- DNS ASK ho####itness.com
- DNS ASK ho###keup.com
- DNS ASK ho#####winecellar.com
- DNS ASK ho###cur.com
- DNS ASK ho##tee.com
- DNS ASK ho###animo.com
- DNS ASK ho#####wnskateshop.com
- DNS ASK ho##on.com
- DNS ASK ho###nger.co.uk
- DNS ASK ho####ndlattice.com
- DNS ASK ho###uys.com
- DNS ASK ho###bum.com
- DNS ASK ho#####olatedesign.com
- DNS ASK ho##imi.com
- DNS ASK ho###leitem.com
- DNS ASK ho####glotus.com
- DNS ASK ho##20.com
- DNS ASK ho###-icon.com
- DNS ASK hi###pod101.com
- DNS ASK hi###ishop.com
- DNS ASK he###asters.com
- DNS ASK he###hy-pet.com
- DNS ASK he####ndypro.com
- DNS ASK he####matesauna.com
- DNS ASK he#####ldiamonds.com
- DNS ASK he####biopharm.shop
- DNS ASK he###songs.com
- DNS ASK he###cal.com
- DNS ASK he####u-shop.com
- DNS ASK he###wdress.com
- DNS ASK he#####eofscotland.com
- DNS ASK he####fabrikasi.com
- DNS ASK hi##hew.com
- DNS ASK he####tdoors.com
- DNS ASK hf###search.com
- DNS ASK hi####fashion.com
- DNS ASK he###tch.com
- DNS ASK hi##eys.com
- DNS ASK he######tonesboutique.com
- DNS ASK hi###yass.com
- DNS ASK hi###aeve.com
- DNS ASK hi####butler.com
- DNS ASK ho#####balltickets.com
- DNS ASK ho###shoes.com
- DNS ASK ho###nix.com
- DNS ASK id######ntaintouring.com
- DNS ASK if####gegear.com
- DNS ASK id###ile.co.uk
- DNS ASK ik###music.com
- DNS ASK id####nghold.com
- DNS ASK id##.com
- DNS ASK if###orld.com
- DNS ASK if##ulk.com
- DNS ASK if##ral.com
- DNS ASK ho###idays.com
- DNS ASK ig####igital.com
- DNS ASK il##te.com
- DNS ASK il######ggioanewyork.com
- DNS ASK il####rmittens.com
- DNS ASK il###nino.com
- DNS ASK im###bco.com
- DNS ASK il#####atedmonthly.com
- DNS ASK im####stores.com
- DNS ASK gl####ileoasis.com
- DNS ASK ha###pells.com
- DNS ASK id##do.com
- DNS ASK id##ife.com
- DNS ASK id####aymedia.com
- DNS ASK ic##ery.com
- DNS ASK id###808.com
- DNS ASK ho###topuss.com
- DNS ASK ho####ffaiza.co.uk
- DNS ASK hu####sutler.com
- DNS ASK hu###hemes.com
- DNS ASK hu####driguez.com
- DNS ASK hu#####furniture.com
- DNS ASK ht####ailcheck.com
- DNS ASK hs###tasiye.com
- DNS ASK hy###world.com
- DNS ASK ha###tishop.com
- DNS ASK i-###ori.com
- DNS ASK hv###rain.com
- DNS ASK i-####ervices.com
- DNS ASK hy###ndhare.com
- DNS ASK ib#.com
- DNS ASK ia##fg.com
- DNS ASK ib##711.com
- DNS ASK ic##u.com
- DNS ASK ic###ime.com
- DNS ASK ic###sys.com
- DNS ASK id####eptstores.com
- DNS ASK ho###vakil.com
- DNS ASK hv####rtsshop.com
- DNS ASK ig#.com
- DNS ASK hd##sk.com
- DNS ASK ha####sbretzel.com
- DNS ASK go###all.com
- DNS ASK go###rdings.com
- DNS ASK go####anesabz.com
- DNS ASK go###ncoil.com
- DNS ASK go####rcatalog.com
- DNS ASK go####earning.com
- DNS ASK go####barrel.com
- DNS ASK ge####negifts.com
- DNS ASK go####orobooks.com
- DNS ASK go##ise.com
- DNS ASK go###sport.com
- DNS ASK go####uscosmos.com
- DNS ASK gi###dharma.com
- DNS ASK go###tate.com
- DNS ASK go#####dwordsppcseo.com
- DNS ASK go####rsports.com
- DNS ASK go####aservers.com
- DNS ASK go####heeseshop.com
- DNS ASK go####n-beaute.com
- DNS ASK go###p-net.com
- DNS ASK gr###ooms.com
- DNS ASK go###kplus.com
- DNS ASK gr###ishes.com
- DNS ASK gl#####randsstore.com
- DNS ASK gl###soft.com
- DNS ASK ge###door.com
- DNS ASK ge###bra.com
- DNS ASK ge###ode.com
- DNS ASK ge####design.com
- DNS ASK ge####eporgy.com
- DNS ASK ge###2me.com
- DNS ASK ge####rboomback.com
- DNS ASK ge###timo.com
- DNS ASK ge####rguide.co.uk
- DNS ASK ge####alouise.com
- DNS ASK gh###rifles.com
- DNS ASK gi###amo.com
- DNS ASK gh##t.co.uk
- DNS ASK gi###gram.com
- DNS ASK gi####ishiba.com
- DNS ASK gi##s.com
- DNS ASK gi####opiola.com
- DNS ASK gl####rtanks.com
- DNS ASK gl##gum.com
- DNS ASK gl###hop.co.uk
- DNS ASK gl##ly.com
- DNS ASK gl###lkart.com
- DNS ASK gr####ldteam.com
- DNS ASK gr#####ndgreen.co.uk
- DNS ASK gr####cosmetics.com
- DNS ASK gu###irenze.com
- DNS ASK h2####tributors.com
- DNS ASK ha####urluck.com
- DNS ASK ha#####cewarehouse.com
- DNS ASK go###ature.com
- DNS ASK ha###izeme.com
- DNS ASK ha#####encostumes.co.uk
- DNS ASK ha###ritea.com
- DNS ASK ha###urena.com
- DNS ASK ha#####alwilltravel.com
- DNS ASK gu##7.com
- DNS ASK ha#####hi-online.shop
- DNS ASK ha###carbon.com
- DNS ASK ha###luxe.com
- DNS ASK ha###campus.com
- DNS ASK ha####re-brands.com
- DNS ASK ha####nikken.com
- DNS ASK ha#####furniture.co.uk
- DNS ASK ha###nzarei.com
- DNS ASK ha#####accessories.com
- DNS ASK gu#####necentral.com
- DNS ASK gu###merica.com
- DNS ASK gu###steel.com
- DNS ASK gu##ed.com
- DNS ASK gr###omacro.com
- DNS ASK ga##.co.uk
- DNS ASK gr###ine.com
- DNS ASK gr###cci.com
- DNS ASK gr###clubs.com
- DNS ASK gr###art.co.uk
- DNS ASK gr####penings.com
- DNS ASK gr####icolls.co.uk
- DNS ASK gr####fields.com
- DNS ASK gr#####pleactive.com
- DNS ASK hd##ex.com
- DNS ASK gr##co.ca
- DNS ASK gr###auren.com
- DNS ASK gr######oomsmengifts.com
- DNS ASK gr####itruvian.com
- DNS ASK gr###hgurus.com
- DNS ASK gr###rimpor.com
- DNS ASK gr######ntaindiapers.com
- DNS ASK gr###ibes.com
- DNS ASK gr###rushes.com
- DNS ASK gu#####schampignons.com
- DNS ASK gu#####nesecurity.com
- DNS ASK gr##s28.com
- DNS ASK gr##.com
- DNS ASK im###udent.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /Q /C <LS_APPDATA>\Temp/s.bat' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /Q /C <LS_APPDATA>\Temp/s.bat
