Win32.HLLW.Autoruner.60643
Added to the Dr.Web virus database: 2011-09-30
Virus description added: 2011-09-30
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Service Host' = '%HOMEPATH%\Start Menu\Programs\Startup\mscvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe huelar.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogos.exe' = '%WINDIR%\winlogos.exe /s'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Huelar Services 2.0' = '<SYSTEM32>\huelar.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mscvhost.exe
Creates the following files on removable media:
- <Drive name for removable media>:\Folder.htt
- <Drive name for removable media>:\desktop.ini
- <Drive name for removable media>:\My Sexy Photos.exe
- <Drive name for removable media>:\console.exe
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\x64console.exe
Malicious functions:
To complicate detection of its presence in the operating system, forces the system to hide from view:
- hidden files
- file extensions
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Creates and executes the following:
- %WINDIR%\winlogos.exe /s
- %HOMEPATH%\Start Menu\Programs\Startup\mscvhost.exe
- <SYSTEM32>\huelar.exe
Executes the following:
- %WINDIR%\explorer.exe <Virus name>
Terminates or attempts to terminate the following user processes:
- fsavgui.exe
- AVPM.EXE
- AVPCC.EXE
- GUARD.EXE
- ZONEALARM.EXE
- nod32.exe
- NAVAPW32.EXE
- AVGCC32.EXE
- avgcc.exe
- ashAvast.exe
- AVGCTRL.EXE
- AVP32.EXE
- AVP.EXE
- AVP.COM
Modifies settings of Windows Explorer:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoFolderOptions' = '00000001'
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Internet Explorer\Main] 'Window Title' = 'Huelar Browser'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
- %APPDATA%\Microsoft\CryptnetUrlCache.exe
- %APPDATA%\Microsoft\CryptnetUrlCache\Content.exe
- %APPDATA%\Microsoft\Credentials.exe
- %APPDATA%\Microsoft\Credentials\S-1-5-21-1275210071-117609710-1801674531-500.exe
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData.exe
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch.exe
- %APPDATA%\Microsoft\Media Player.exe
- %APPDATA%\Microsoft\HTML Help.exe
- %APPDATA%\Microsoft\Internet Explorer.exe
- %APPDATA%\Microsoft.exe
- %WINDIR%\huelar.exe
- <Current directory>.exe
- %WINDIR%\winlogos.exe
- <SYSTEM32>\huelar.exe
- C:\Documents and Settings.exe
- %APPDATA%\Identities.exe
- %APPDATA%\Identities\{4FF38130-294D-42C8-BD62-3A52854427FF}.exe
- %HOMEPATH%.exe
- %APPDATA%.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\x64console.exe
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\desktop.ini
- <Drive name for removable media>:\Folder.htt
- <Drive name for removable media>:\console.exe
- <SYSTEM32>\huelar.exe
- %WINDIR%\winlogos.exe
- %HOMEPATH%\Start Menu\Programs\Startup\mscvhost.exe
- %WINDIR%\huelar.exe
Deletes the following files:
- <Drive name for removable media>:\Autorun.inf
Network activity:
Connects to:
- '10.#.1.2':139
- '10.#.1.2':445
UDP:
- DNS ASK ya##o.com
- DNS ASK 1.#.#.#0.in-addr.arpa
- '10.#.1.1':1047
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'Power Meter'
- ClassName: '' WindowName: 'MS_WebcheckMonitor'
- ClassName: '' WindowName: 'Tiny H-Pot v1.6'
- ClassName: '' WindowName: 'Connections Tray'
- ClassName: '' WindowName: '3½ Floppy (A:)'
- ClassName: '' WindowName: '3½ Floppy (B:)'
- ClassName: '' WindowName: 'Program Manager'
- ClassName: '' WindowName: '<Virus name>'
- ClassName: '' WindowName: '<Auxiliary name>'
- ClassName: '' WindowName: 'CiceroUIWndFrame'
- ClassName: '' WindowName: 'TF_FloatingLangBar_WndTitle'
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'SysFader'
- ClassName: '' WindowName: '<Auxiliary name> - build Mar 22 2011'
- ClassName: '' WindowName: '<SYSTEM32>\cscript.exe'
- ClassName: '' WindowName: 'Windows Explorer'
- ClassName: '' WindowName: 'Form1'