Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\TapiSrv] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\eventlog] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SstpSvc] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\RasMan] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\RasAuto] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\Netman] 'Start' = '00000002'
Modifies file system
Creates the following files
- %TEMP%\bnsqqwb.zip
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\images\bj_05.jpg
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\css\common.css
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\loadfailed2.html
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\loadfailed.html
- C:\bnsqqwb\qqwb_client\config_backup\window.info
- C:\bnsqqwb\qqwb_client\config_backup\uiconfig.xml
- C:\bnsqqwb\qqwb_client\config_backup\uiconfig.info
- C:\bnsqqwb\qqwb_client\config_backup\tips_types.info
- C:\bnsqqwb\qqwb_client\config_backup\tips.info
- C:\bnsqqwb\qqwb_client\config_backup\qqwb_plugin_config.info
- C:\bnsqqwb\qqwb_client\config_backup\name2id.xml
- C:\bnsqqwb\qqwb_client\config_backup\log.info
- C:\bnsqqwb\qqwb_client\config_backup\initial.info
- C:\bnsqqwb\qqwb_client\config_backup\customevent.xml
- C:\bnsqqwb\qqwb_client\config_backup\cursor.xml
- C:\bnsqqwb\qqwb_client\config_backup\cfg_root.info
- C:\bnsqqwb\qqwb_client\config\window.info
- C:\bnsqqwb\qqwb_client\config\uiconfig.xml
- C:\bnsqqwb\qqwb_client\config\uiconfig.info
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\images\load_failed_bg.png
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\images\load_failed_hdbg1.png
- C:\bnsqqwb\qqwb_client\tcls\tenio\teniodl\teniodl.exe
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\images\video_bg.png
- C:\bnsqqwb\qqwb_client\tcls\tenio\teniodl\teniodl.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\teniodl\p2papp.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\tpfcustom.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\tinyxml.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\tentpf.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\tenfact.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\tenbase.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\scriptmanager.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\memoryalloctor.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\log.dll
- C:\bnsqqwb\qqwb_client\tcls\tenio\june.dll
- C:\bnsqqwb\qqwb_client\tcls\config\versionserverconfigdynamic.ini
- C:\bnsqqwb\qqwb_client\tcls\config\versionserverconfig.xml
- C:\bnsqqwb\qqwb_client\tcls\config\version.cfg
- C:\bnsqqwb\qqwb_client\tcls\config\updateconfig.cfg
- C:\bnsqqwb\qqwb_client\tcls\config\commonconfig.cfg
- C:\bnsqqwb\qqwb_client\tcls\protocolcenter.dll
- C:\bnsqqwb\qqwb_client\log\qqwb_tuw.log
- C:\bnsqqwb\qqwb_client\log\qqwb_client.log
- C:\bnsqqwb\qqwb_client\config\tips_types.info
- C:\bnsqqwb\qqwb_client\data\tgp_ui\web_load_failed\images\load_failed_hdbg.png
- C:\bnsqqwb\qqwb_client\config\tips.info
- C:\bnsqqwb\qqwb_client\qqwb_client-d.bat
- C:\bnsqqwb\qqwb_client\process_mgr.dll
- C:\bnsqqwb\qqwb_client\privilege_mgr.dll
- C:\bnsqqwb\qqwb_client\msvcr100.dll
- C:\bnsqqwb\qqwb_client\msvcp100.dll
- C:\bnsqqwb\qqwb_client\machine_code.dll
- C:\bnsqqwb\qqwb_client\lua51.dll
- C:\bnsqqwb\qqwb_client\libpcre.dll
- C:\bnsqqwb\qqwb_client\libmpr.dll
- C:\bnsqqwb\qqwb_client\libhttp.dll
- C:\bnsqqwb\qqwb_client\libesp.dll
- C:\bnsqqwb\qqwb_client\libeay32.dll
- C:\bnsqqwb\qqwb_client\libappweb.dll
- C:\bnsqqwb\qqwb_client\common.dll
- C:\bnsqqwb\qqwb_client\cjson.dll
- C:\bnsqqwb\qqwb_client\bugreport.exe
- C:\bnsqqwb\qqwb_client\adapt_for_imports.dll
- C:\bnsqqwb\secureidentify.exe
- C:\bnsqqwb\msvcr100.dll
- %TEMP%\jcwbxz.bat
- C:\bnsqqwb\qqwb_client\qbtrident3.dll
- C:\bnsqqwb\qqwb_client\qqwb_client-p.bat
- C:\bnsqqwb\qqwb_client\config\name2id.xml
- C:\bnsqqwb\qqwb_client\qqwb_client.exe
- C:\bnsqqwb\qqwb_client\config\log.info
- C:\bnsqqwb\qqwb_client\config\initial.info
- C:\bnsqqwb\qqwb_client\config\customevent.xml
- C:\bnsqqwb\qqwb_client\config\cursor.xml
- C:\bnsqqwb\qqwb_client\config\cfg_root.info
- C:\bnsqqwb\qqwb_client\update_mgr.dll
- C:\bnsqqwb\qqwb_client\tray_ui.dll
- C:\bnsqqwb\qqwb_client\tpf_ui.vfs
- C:\bnsqqwb\qqwb_client\tpf_ui.dll
- C:\bnsqqwb\qqwb_client\tips_mgr.dll
- C:\bnsqqwb\qqwb_client\tinyxml.dll
- C:\bnsqqwb\qqwb_client\tenio.ini
- C:\bnsqqwb\qqwb_client\sqlite3.dll
- C:\bnsqqwb\qqwb_client\server.conf
- C:\bnsqqwb\qqwb_client\report_assistant.dll
- C:\bnsqqwb\qqwb_client\qqwb_update.exe
- C:\bnsqqwb\qqwb_client\qqwb_tuw.exe
- C:\bnsqqwb\qqwb_client\qqwb_tuh.dll
- C:\bnsqqwb\qqwb_client\qqwb_tub.dll
- C:\bnsqqwb\qqwb_client\config\qqwb_plugin_config.info
- C:\bnsqqwb\qqwb_client\tcls\tenio\teniodl\teniodl_core.dll
Network activity
Connects to
- 'li##.#qjinpai.com':80
- 's9.#nzz.com':443
TCP
HTTP GET requests
- http://li##.#qjinpai.com/vip/bns/pz.php?se###
UDP
- DNS ASK li##.#qjinpai.com
- DNS ASK s9.#nzz.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'qqwb_client123.dll'
- ClassName: '' WindowName: 'qqwb_client.exe'
- ClassName: '' WindowName: 'qqwb_tuw.exe'
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\jcwbxz.bat' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\jcwbxz.bat
- '%WINDIR%\syswow64\sc.exe' config TapiSrv start= AUTO
- '%WINDIR%\syswow64\sc.exe' start TapiSrv
- '%WINDIR%\syswow64\sc.exe' config eventlog start= AUTO
- '%WINDIR%\syswow64\sc.exe' start eventlog
- '%WINDIR%\syswow64\sc.exe' config SstpSvc start= AUTO
- '%WINDIR%\syswow64\sc.exe' start SstpSvc
- '%WINDIR%\syswow64\sc.exe' config RasMan start= AUTO
- '%WINDIR%\syswow64\sc.exe' start RasMan
- '%WINDIR%\syswow64\sc.exe' config RasAuto start= AUTO
- '%WINDIR%\syswow64\sc.exe' start RasAuto
- '%WINDIR%\syswow64\sc.exe' config Netman start= AUTO
- '%WINDIR%\syswow64\sc.exe' start Netman
