Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\B00E3894] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\B00E3894] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService'
- [<HKLM>\SYSTEM\ControlSet001\services\B00E3894] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService�'
- [<HKLM>\SYSTEM\ControlSet001\services\B00E3894\Parameters] 'ServiceDll' = '%PROGRAMDATA%\B00E3894\0F1EBC6C.dll�'
- [<HKLM>\SYSTEM\ControlSet001\services\B00E3894] 'Start' = '00000002'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\services.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\rundll32.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\Wow6432Node\FlashFXP\3]
- [<HKLM>\Software\Wow6432Node\FlashFXP]
- [<HKCU>\Software\FileZilla]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\SOFTWARE\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\AIM\AIMPro]
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\RIT\The Bat!]
- [<HKCU>\SOFTWARE\RIT\The Bat!\Users depot]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKLM>\Software\Wow6432Node\Microsoft\Internet Account Manager]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Windows Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Total Commander]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- <Full path to file>
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %TEMP%\1162234.tmp-shm
- %TEMP%\1162140.tmp-shm
- %TEMP%\1159109.tmp-shm
- %TEMP%\1156031.tmp-shm
- %TEMP%\1155484.tmp-shm
- %TEMP%\1155484.tmp
- %TEMP%\1155468.tmp
- %TEMP%\1149406.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
- %TEMP%\1149390.tmp
- %TEMP%\1113906.tmp
- %TEMP%\1113890.tmp
- %TEMP%\1113828.tmp
- %TEMP%\1111828.tmp
- %PROGRAMDATA%\b00e3894\0001dae2
- %PROGRAMDATA%\b00e3894\05a18215\4a0aa037d2cfc5bd221651c90bed8021
- %PROGRAMDATA%\b00e3894\0f1ebc6c.dll
- %PROGRAMDATA%\b00e3894\5c58f3e9.dll
- %PROGRAMDATA%\b00e3894\69801d6e
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\8eb1a3a8a7233706e47da06b268f5dba_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
Sets the 'hidden' attribute to the following files
- %PROGRAMDATA%\b00e3894\5c58f3e9.dll
- %PROGRAMDATA%\b00e3894\0f1ebc6c.dll
Deletes the following files
- <Full path to file>
- %PROGRAMDATA%\b00e3894\0001dae2
- %PROGRAMDATA%\b00e3894\05a18215\4a0aa037d2cfc5bd221651c90bed8021
- %TEMP%\1155484.tmp-shm
- %TEMP%\1156031.tmp-shm
- %TEMP%\1159109.tmp-shm
- %TEMP%\1162140.tmp-shm
- %TEMP%\1162234.tmp-shm
Substitutes the following files
- %PROGRAMDATA%\b00e3894\0001dae2
Network activity
TCP
- '5.##.56.192':443
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: '7BF3EE33' WindowName: '7BF3EE33'
Creates and executes the following
- '%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@544' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\B00E3894\0F1EBC6C.dll,f1 <Full path to file>@1208' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@544
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\B00E3894\0F1EBC6C.dll,f1 <Full path to file>@1208
- '<SYSTEM32>\rundll32.exe' %ProgramFiles%\B00E3894\0F1EBC6C.dll,f1 <Full path to file>@1208
- '<SYSTEM32>\rundll32.exe' %PROGRAMDATA%\B00E3894\0F1EBC6C.dll,f2 1FCAAAC36182D72B5B244331A7421701
- '<SYSTEM32>\svchost.exe' -k LocalService
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\B00E3894\5C58F3E9.dll,f3
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\B00E3894\5C58F3E9.dll,f7
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\B00E3894\5C58F3E9.dll,f2 E48E292D52AA1264BCBA6B30A9CB2113
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\wininet.dll",DispatchAPICall 1
