Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\svchost.exe
Creates the following files on removable media:
- <Drive name for removable media>:\osxqq_backup.exe
- <Drive name for removable media>:\RCX6.tmp
- <Drive name for removable media>:\Bloc-notes.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\osxqq.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- <Auxiliary element>
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\Setup.exe' = '%TEMP%\Setup.exe:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%TEMP%\svchost.exe'
- '%TEMP%\Setup.exe'
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\v6wynvjr.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5.tmp" "%TEMP%\vbc4.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\f5ozydjk.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3.tmp" "%TEMP%\vbc2.tmp"
Injects code into
the following system processes:
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\ctfmon.exe
a large number of user processes.
Modifies file system :
Creates the following files:
- C:\autorun.inf
- C:\tqckcs.exe
- %TEMP%\lwTz.resources
- <DRIVERS>\gtjgo.sys
- %TEMP%\winsqeb.exe
- %TEMP%\jjjiq.exe
- %TEMP%\CWW.resources
- %TEMP%\vbc4.tmp
- %TEMP%\RES5.tmp
- %TEMP%\windowsupdate.ico
- %TEMP%\v6wynvjr.out
- %TEMP%\whatdafock.txt
- %TEMP%\v6wynvjr.0.vb
- %TEMP%\v6wynvjr.cmdline
- %TEMP%\f5ozydjk.exe
- %TEMP%\65rqb467.resources
- %TEMP%\MSNPSharp.dll
- %TEMP%\f5ozydjk.0.vb
- %TEMP%\00034BCF_Rar\Setup.exe
- %TEMP%\PrbVKosS.resources
- %TEMP%\Setup.exe
- %TEMP%\svchost.exe
- %TEMP%\f5ozydjk.cmdline
- %TEMP%\vbc2.tmp
- %TEMP%\ISPackFiles.ini
- %TEMP%\RES3.tmp
- %TEMP%\00037996_Rar\Setup.exe
- %TEMP%\f5ozydjk.out
- %TEMP%\000377C1_Rar\Setup.exe
- %TEMP%\000378CB_Rar\Setup.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\osxqq.exe
- C:\autorun.inf
- C:\tqckcs.exe
Deletes the following files:
- %TEMP%\vbc4.tmp
- %TEMP%\v6wynvjr.out
- %TEMP%\v6wynvjr.cmdline
- %TEMP%\winsqeb.exe
- %TEMP%\jjjiq.exe
- %TEMP%\RES5.tmp
- <Drive name for removable media>:\osxqq_backup.exe
- %TEMP%\windowsupdate.ico
- <Drive name for removable media>:\osxqq.exe
- %TEMP%\v6wynvjr.0.vb
- %TEMP%\lwTz.resources
- %TEMP%\CWW.resources
- <DRIVERS>\gtjgo.sys
- %TEMP%\RES3.tmp
- %TEMP%\vbc2.tmp
- %TEMP%\f5ozydjk.out
- %TEMP%\00034BCF_Rar\Setup.exe
- %TEMP%\Setup.exe
- %TEMP%\svchost.exe
- %TEMP%\000377C1_Rar\Setup.exe
- %TEMP%\000378CB_Rar\Setup.exe
- %TEMP%\00037996_Rar\Setup.exe
- %TEMP%\f5ozydjk.exe
- %TEMP%\f5ozydjk.cmdline
- %TEMP%\f5ozydjk.0.vb
Network activity:
Connects to:
- '17#.#3.169.14':80
