Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Base Ordering Installer Registry Office Modules' = '<SYSTEM32>\zpbqmxz.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Foundation Credential Assistant] 'ImagePath' = '<SYSTEM32>\zpbqmxz.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Foundation Credential Assistant] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Executes the following:
- '<SYSTEM32>\vkmhuotq.exe' "<SYSTEM32>\zpbqmxz.exe"
- '%WINDIR%\Temp\damdmyr31nxig.exe' -r 41707 tcp
- '%TEMP%\damdmyr2wskigr2sb27ss.exe'
- '<SYSTEM32>\zpbqmxz.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\mfbqfnllgsof\run
- <SYSTEM32>\mfbqfnllgsof\rng
- %WINDIR%\Temp\damdmyr31nxig.exe
- <SYSTEM32>\mfbqfnllgsof\cfg
- <SYSTEM32>\vkmhuotq.exe
- %TEMP%\damdmyr2wskigr2sb27ss.exe
- <SYSTEM32>\mfbqfnllgsof\tst
- <SYSTEM32>\zpbqmxz.exe
- <SYSTEM32>\mfbqfnllgsof\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\vkmhuotq.exe
- <SYSTEM32>\zpbqmxz.exe
Deletes the following files:
- %WINDIR%\Temp\damdmyr31nxig.exe
- <DRIVERS>\etc\hosts
- %TEMP%\damdmyr2wskigr2sb27ss.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'kn###ight.net':80
- 'ab###ight.net':80
- 'ab###ive.net':80
- 'ab###oice.net':80
- 'kn###ive.net':80
- 'so###oice.net':80
- 'pi###ive.net':80
- 'pi###oice.net':80
- 'kn###hey.net':80
- 'ab###hey.net':80
- 'dr###heat.net':80
- 'wi###eat.net':80
- 'wi###appy.net':80
- 'th###page.net':80
- 'dr###happy.net':80
- 'wi###age.net':80
- 'kn###oice.net':80
- 'dr###page.net':80
- 'dr###since.net':80
- 'wi###ince.net':80
- 'mo###oice.net':80
- 'ju###oice.net':80
- 'si###hey.net':80
- 'si###ight.net':80
- 'ro###hey.net':80
- 'ju###ight.net':80
- 'mo###hey.net':80
- 'mo###ight.net':80
- 'mo###ive.net':80
- 'ju###ive.net':80
- 'pi###hey.net':80
- 'so###hey.net':80
- 'so###ight.net':80
- 'so###ive.net':80
- 'pi###ight.net':80
- 'si###ive.net':80
- 'ro###ight.net':80
- 'ro###ive.net':80
- 'ro###oice.net':80
- 'si###oice.net':80
- 'th###since.net':80
- 'si###age.net':80
- 'mo###appy.net':80
- 'ro###age.net':80
- 'be##lxc.com':80
- 'si###ince.net':80
- 'mo###ince.net':80
- 'ju###ince.net':80
- 'ju###eat.net':80
- 'ju###appy.net':80
- 'mo###eat.net':80
- 'mi###hown.net':80
- 'ab###ell.net':80
- 'mo###ugust.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'al###being.net':80
- 'ri###nstorm.net':80
- 'ca####nbring.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'lo###eat.net':80
- 'fe###ince.net':80
- 'fe###eat.net':80
- 'fe###appy.net':80
- 'lo###appy.net':80
- 'th###happy.net':80
- 'th###heat.net':80
- 'lo###age.net':80
- 'lo###ince.net':80
- 'fe###age.net':80
- 'wh###appy.net':80
- 'hi###eat.net':80
- 'hi###appy.net':80
- 'mo###age.net':80
- 'ju###age.net':80
- 'hi###age.net':80
- 'wh###age.net':80
- 'wh###ince.net':80
- 'wh###eat.net':80
- 'hi###ince.net':80
TCP:
HTTP GET requests:
- http://kn###ight.net/index.php
- http://ab###ight.net/index.php
- http://ab###ive.net/index.php
- http://ab###oice.net/index.php
- http://kn###ive.net/index.php
- http://so###oice.net/index.php
- http://pi###ive.net/index.php
- http://pi###oice.net/index.php
- http://kn###hey.net/index.php
- http://ab###hey.net/index.php
- http://dr###heat.net/index.php
- http://wi###eat.net/index.php
- http://wi###appy.net/index.php
- http://th###page.net/index.php
- http://dr###happy.net/index.php
- http://wi###age.net/index.php
- http://kn###oice.net/index.php
- http://dr###page.net/index.php
- http://dr###since.net/index.php
- http://wi###ince.net/index.php
- http://mo###oice.net/index.php
- http://ju###oice.net/index.php
- http://si###hey.net/index.php
- http://si###ight.net/index.php
- http://ro###hey.net/index.php
- http://ju###ight.net/index.php
- http://mo###hey.net/index.php
- http://mo###ight.net/index.php
- http://mo###ive.net/index.php
- http://ju###ive.net/index.php
- http://pi###hey.net/index.php
- http://so###hey.net/index.php
- http://so###ight.net/index.php
- http://so###ive.net/index.php
- http://pi###ight.net/index.php
- http://si###ive.net/index.php
- http://ro###ight.net/index.php
- http://ro###ive.net/index.php
- http://ro###oice.net/index.php
- http://si###oice.net/index.php
- http://th###since.net/index.php
- http://si###age.net/index.php
- http://mo###appy.net/index.php
- http://ro###age.net/index.php
- http://be##lxc.com/index.php
- http://si###ince.net/index.php
- http://mo###ince.net/index.php
- http://ju###ince.net/index.php
- http://ju###eat.net/index.php
- http://ju###appy.net/index.php
- http://mo###eat.net/index.php
- http://mi###hown.net/index.php
- http://ab###ell.net/index.php
- http://mo###ugust.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://al###being.net/index.php
- http://ri###nstorm.net/index.php
- http://ca####nbring.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://lo###eat.net/index.php
- http://fe###ince.net/index.php
- http://fe###eat.net/index.php
- http://fe###appy.net/index.php
- http://lo###appy.net/index.php
- http://th###happy.net/index.php
- http://th###heat.net/index.php
- http://lo###age.net/index.php
- http://lo###ince.net/index.php
- http://fe###age.net/index.php
- http://wh###appy.net/index.php
- http://hi###eat.net/index.php
- http://hi###appy.net/index.php
- http://mo###age.net/index.php
- http://ju###age.net/index.php
- http://hi###age.net/index.php
- http://wh###age.net/index.php
- http://wh###ince.net/index.php
- http://wh###eat.net/index.php
- http://hi###ince.net/index.php
UDP:
- DNS ASK ab###ive.net
- DNS ASK kn###ight.net
- DNS ASK kn###ive.net
- DNS ASK kn###oice.net
- DNS ASK ab###oice.net
- DNS ASK pi###oice.net
- DNS ASK so###oice.net
- DNS ASK ab###hey.net
- DNS ASK ab###ight.net
- DNS ASK kn###hey.net
- DNS ASK wi###appy.net
- DNS ASK dr###heat.net
- DNS ASK dr###happy.net
- DNS ASK th###since.net
- DNS ASK th###page.net
- DNS ASK dr###page.net
- DNS ASK wi###age.net
- DNS ASK wi###ince.net
- DNS ASK wi###eat.net
- DNS ASK dr###since.net
- DNS ASK pi###ive.net
- DNS ASK mo###oice.net
- DNS ASK ju###oice.net
- DNS ASK si###hey.net
- DNS ASK si###ight.net
- DNS ASK ro###hey.net
- DNS ASK ju###ight.net
- DNS ASK mo###hey.net
- DNS ASK mo###ight.net
- DNS ASK mo###ive.net
- DNS ASK ju###ive.net
- DNS ASK pi###hey.net
- DNS ASK so###hey.net
- DNS ASK so###ight.net
- DNS ASK so###ive.net
- DNS ASK pi###ight.net
- DNS ASK si###ive.net
- DNS ASK ro###ight.net
- DNS ASK ro###ive.net
- DNS ASK ro###oice.net
- DNS ASK si###oice.net
- DNS ASK si###age.net
- DNS ASK mo###appy.net
- DNS ASK ro###age.net
- DNS ASK be##lxc.com
- DNS ASK si###ince.net
- DNS ASK mo###ince.net
- DNS ASK ju###ince.net
- DNS ASK ju###eat.net
- DNS ASK ju###appy.net
- DNS ASK mo###eat.net
- DNS ASK mi###hown.net
- DNS ASK ab###ell.net
- DNS ASK mo###ugust.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK al###being.net
- DNS ASK ri###nstorm.net
- DNS ASK ca####nbring.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK lo###eat.net
- DNS ASK fe###ince.net
- DNS ASK fe###eat.net
- DNS ASK fe###appy.net
- DNS ASK lo###appy.net
- DNS ASK th###happy.net
- DNS ASK th###heat.net
- DNS ASK lo###age.net
- DNS ASK lo###ince.net
- DNS ASK fe###age.net
- DNS ASK wh###appy.net
- DNS ASK hi###eat.net
- DNS ASK hi###appy.net
- DNS ASK mo###age.net
- DNS ASK ju###age.net
- DNS ASK hi###age.net
- DNS ASK wh###age.net
- DNS ASK wh###ince.net
- DNS ASK wh###eat.net
- DNS ASK hi###ince.net
- '23#.#55.255.250':1900
