Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Authentication Card Connect Task Security' = '<SYSTEM32>\tfqkhfltltyl.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\PC Connection Server System Driver] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\bopxenlls.exe' "<SYSTEM32>\tfqkhfltltyl.exe"
- '%WINDIR%\Temp\offkbiex3270bpptp.exe' -r 29757 tcp
- '%TEMP%\offkbiex2u79bpptpmkrhjgb.exe'
- '<SYSTEM32>\tfqkhfltltyl.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\ctqmqqozrcpohd\run
- <SYSTEM32>\ctqmqqozrcpohd\rng
- %WINDIR%\Temp\offkbiex3270bpptp.exe
- <SYSTEM32>\ctqmqqozrcpohd\cfg
- <SYSTEM32>\bopxenlls.exe
- %TEMP%\offkbiex2u79bpptpmkrhjgb.exe
- <SYSTEM32>\ctqmqqozrcpohd\tst
- <SYSTEM32>\tfqkhfltltyl.exe
- <SYSTEM32>\ctqmqqozrcpohd\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\bopxenlls.exe
- <SYSTEM32>\tfqkhfltltyl.exe
Deletes the following files:
- %WINDIR%\Temp\offkbiex3270bpptp.exe
- <DRIVERS>\etc\hosts
- %TEMP%\offkbiex2u79bpptpmkrhjgb.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'ar###fell.net':80
- 'so###fell.net':80
- 'ar###hour.net':80
- 'so###hour.net':80
- 'ar###count.net':80
- 'wh###compe.net':80
- 'up###our.net':80
- 'so###count.net':80
- 'up###ompe.net':80
- 'so###compe.net':80
- 'dr###march.net':80
- 'th###arch.net':80
- 'dr###pure.net':80
- 'th###ure.net':80
- 'dr###dish.net':80
- 'th###uly.net':80
- 'ar###compe.net':80
- 'th###ish.net':80
- 'dr###july.net':80
- 'wh###hour.net':80
- 'gl###ompe.net':80
- 'ta###compe.net':80
- 'sp###ount.net':80
- 'sa###ount.net':80
- 'gl###our.net':80
- 'ta###fell.net':80
- 'gl###ount.net':80
- 'ta###hour.net':80
- 'gl###ell.net':80
- 'sa###ell.net':80
- 'up###ount.net':80
- 'wh###count.net':80
- 'up###ell.net':80
- 'wh###fell.net':80
- 'sp###ompe.net':80
- 'sa###our.net':80
- 'sp###ell.net':80
- 'sa###ompe.net':80
- 'sp###our.net':80
- 'fa###uly.net':80
- 'gl###ish.net':80
- 'ta###dish.net':80
- 'be##lxc.com':80
- 'ta###march.net':80
- 'gl###uly.net':80
- 'gr###pure.net':80
- 'eq###march.net':80
- 'ta###july.net':80
- 'eq###pure.net':80
- 'ri###nstorm.net':80
- 'mo###ugust.net':80
- 'mi###hown.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'ab###ell.net':80
- 'ca####nbring.net':80
- 'al###being.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'gr###march.net':80
- 'wa###pure.net':80
- 'fa###ure.net':80
- 'sp###july.net':80
- 'vi###july.net':80
- 'wa###march.net':80
- 'fa###ish.net':80
- 'wa###july.net':80
- 'fa###arch.net':80
- 'wa###dish.net':80
- 'vi###dish.net':80
- 'eq###july.net':80
- 'gr###july.net':80
- 'eq###dish.net':80
- 'gr###dish.net':80
- 'sp###pure.net':80
- 'vi###march.net':80
- 'sp###dish.net':80
- 'vi###pure.net':80
- 'sp###march.net':80
TCP:
HTTP GET requests:
- http://ar###fell.net/index.php
- http://so###fell.net/index.php
- http://ar###hour.net/index.php
- http://so###hour.net/index.php
- http://ar###count.net/index.php
- http://wh###compe.net/index.php
- http://up###our.net/index.php
- http://so###count.net/index.php
- http://up###ompe.net/index.php
- http://so###compe.net/index.php
- http://dr###march.net/index.php
- http://th###arch.net/index.php
- http://dr###pure.net/index.php
- http://th###ure.net/index.php
- http://dr###dish.net/index.php
- http://th###uly.net/index.php
- http://ar###compe.net/index.php
- http://th###ish.net/index.php
- http://dr###july.net/index.php
- http://wh###hour.net/index.php
- http://gl###ompe.net/index.php
- http://ta###compe.net/index.php
- http://sp###ount.net/index.php
- http://sa###ount.net/index.php
- http://gl###our.net/index.php
- http://ta###fell.net/index.php
- http://gl###ount.net/index.php
- http://ta###hour.net/index.php
- http://gl###ell.net/index.php
- http://sa###ell.net/index.php
- http://up###ount.net/index.php
- http://wh###count.net/index.php
- http://up###ell.net/index.php
- http://wh###fell.net/index.php
- http://sp###ompe.net/index.php
- http://sa###our.net/index.php
- http://sp###ell.net/index.php
- http://sa###ompe.net/index.php
- http://sp###our.net/index.php
- http://fa###uly.net/index.php
- http://gl###ish.net/index.php
- http://ta###dish.net/index.php
- http://be##lxc.com/index.php
- http://ta###march.net/index.php
- http://gl###uly.net/index.php
- http://gr###pure.net/index.php
- http://eq###march.net/index.php
- http://ta###july.net/index.php
- http://eq###pure.net/index.php
- http://ri###nstorm.net/index.php
- http://mo###ugust.net/index.php
- http://mi###hown.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://ab###ell.net/index.php
- http://ca####nbring.net/index.php
- http://al###being.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://gr###march.net/index.php
- http://wa###pure.net/index.php
- http://fa###ure.net/index.php
- http://sp###july.net/index.php
- http://vi###july.net/index.php
- http://wa###march.net/index.php
- http://fa###ish.net/index.php
- http://wa###july.net/index.php
- http://fa###arch.net/index.php
- http://wa###dish.net/index.php
- http://vi###dish.net/index.php
- http://eq###july.net/index.php
- http://gr###july.net/index.php
- http://eq###dish.net/index.php
- http://gr###dish.net/index.php
- http://sp###pure.net/index.php
- http://vi###march.net/index.php
- http://sp###dish.net/index.php
- http://vi###pure.net/index.php
- http://sp###march.net/index.php
UDP:
- DNS ASK so###fell.net
- DNS ASK ar###count.net
- DNS ASK ar###fell.net
- DNS ASK ar###hour.net
- DNS ASK so###hour.net
- DNS ASK up###our.net
- DNS ASK wh###hour.net
- DNS ASK wh###compe.net
- DNS ASK so###count.net
- DNS ASK up###ompe.net
- DNS ASK th###arch.net
- DNS ASK dr###dish.net
- DNS ASK dr###march.net
- DNS ASK dr###pure.net
- DNS ASK th###ure.net
- DNS ASK ar###compe.net
- DNS ASK so###compe.net
- DNS ASK th###uly.net
- DNS ASK th###ish.net
- DNS ASK dr###july.net
- DNS ASK ta###compe.net
- DNS ASK gl###our.net
- DNS ASK gl###ompe.net
- DNS ASK sp###ount.net
- DNS ASK sa###ount.net
- DNS ASK gl###ount.net
- DNS ASK ta###count.net
- DNS ASK ta###fell.net
- DNS ASK ta###hour.net
- DNS ASK gl###ell.net
- DNS ASK wh###count.net
- DNS ASK sp###ompe.net
- DNS ASK up###ount.net
- DNS ASK up###ell.net
- DNS ASK wh###fell.net
- DNS ASK sp###ell.net
- DNS ASK sa###ell.net
- DNS ASK sa###our.net
- DNS ASK sa###ompe.net
- DNS ASK sp###our.net
- DNS ASK fa###uly.net
- DNS ASK gl###ish.net
- DNS ASK ta###dish.net
- DNS ASK be##lxc.com
- DNS ASK ta###march.net
- DNS ASK gl###uly.net
- DNS ASK gr###pure.net
- DNS ASK eq###march.net
- DNS ASK ta###july.net
- DNS ASK eq###pure.net
- DNS ASK ri###nstorm.net
- DNS ASK mo###ugust.net
- DNS ASK mi###hown.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK ab###ell.net
- DNS ASK ca####nbring.net
- DNS ASK al###being.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK gr###march.net
- DNS ASK wa###pure.net
- DNS ASK fa###ure.net
- DNS ASK sp###july.net
- DNS ASK vi###july.net
- DNS ASK wa###march.net
- DNS ASK fa###ish.net
- DNS ASK wa###july.net
- DNS ASK fa###arch.net
- DNS ASK wa###dish.net
- DNS ASK vi###dish.net
- DNS ASK eq###july.net
- DNS ASK gr###july.net
- DNS ASK eq###dish.net
- DNS ASK gr###dish.net
- DNS ASK sp###pure.net
- DNS ASK vi###march.net
- DNS ASK sp###dish.net
- DNS ASK vi###pure.net
- DNS ASK sp###march.net
- '23#.#55.255.250':1900
