Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\WinRAR.REV\shell\open\command] '' = '"%PROGRAM_FILES%\WinRAR\WinRAR.exe" "%1"'
- [<HKLM>\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command] '' = '"%PROGRAM_FILES%\WinRAR\WinRAR.exe" "%1"'
- [<HKLM>\SOFTWARE\Classes\WinRAR\shell\open\command] '' = '"%PROGRAM_FILES%\WinRAR\WinRAR.exe" "%1"'
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\WinRAR\Uninstall.exe' /setup
- '%TEMP%\winrar_install.exe'
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\WinRAR\Formats\tar.fmt
- %PROGRAM_FILES%\WinRAR\Formats\lzh.fmt
- %PROGRAM_FILES%\WinRAR\Formats\uue.fmt
- %PROGRAM_FILES%\WinRAR\rarreg.key
- %PROGRAM_FILES%\WinRAR\Formats\z.fmt
- %PROGRAM_FILES%\WinRAR\Formats\iso.fmt
- %PROGRAM_FILES%\WinRAR\Formats\arj.fmt
- %PROGRAM_FILES%\WinRAR\Formats\ace.fmt
- %PROGRAM_FILES%\WinRAR\Formats\bz2.fmt
- %PROGRAM_FILES%\WinRAR\Formats\gz.fmt
- %PROGRAM_FILES%\WinRAR\Formats\cab.fmt
- %PROGRAM_FILES%\WinRAR\Default.SFX
- %HOMEPATH%\Start Menu\Programs\WinRAR\控制台 RAR 中文手册.lnk
- %HOMEPATH%\Start Menu\Programs\WinRAR\WinRAR 中文帮助.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\WinRAR\WinRAR.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\WinRAR\控制台 RAR 中文手册.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\WinRAR\WinRAR 中文帮助.lnk
- %HOMEPATH%\Start Menu\Programs\WinRAR\WinRAR.lnk
- %PROGRAM_FILES%\WinRAR\Zip.SFX
- %PROGRAM_FILES%\WinRAR\WinCon.SFX
- %PROGRAM_FILES%\WinRAR\WinRAR.chm
- %PROGRAM_FILES%\WinRAR\zipnew.dat
- %PROGRAM_FILES%\WinRAR\rarnew.dat
- %PROGRAM_FILES%\WinRAR\Rar.txt
- %PROGRAM_FILES%\WinRAR\License.txt
- %PROGRAM_FILES%\WinRAR\TechNote.txt
- %PROGRAM_FILES%\WinRAR\WhatsNew.txt
- %PROGRAM_FILES%\WinRAR\UnrarSrc.txt
- %PROGRAM_FILES%\WinRAR\ReadMe.txt
- %TEMP%\winrar_install.exe
- %TEMP%\aut1.tmp
- %TEMP%\xtCR.tmp
- %PROGRAM_FILES%\WinRAR\Descript.ion
- %PROGRAM_FILES%\WinRAR\File_Id.diz
- %PROGRAM_FILES%\WinRAR\Order.htm
- %PROGRAM_FILES%\WinRAR\RarExt.dll
- %PROGRAM_FILES%\WinRAR\Formats\7zxa.dll
- %PROGRAM_FILES%\WinRAR\RarExt64.dll
- %PROGRAM_FILES%\WinRAR\Formats\7z.fmt
- %PROGRAM_FILES%\WinRAR\Formats\UNACEV2.DLL
- %PROGRAM_FILES%\WinRAR\WinRAR.exe
- %PROGRAM_FILES%\WinRAR\Uninstall.lst
- %PROGRAM_FILES%\WinRAR\RarFiles.lst
- %PROGRAM_FILES%\WinRAR\Rar.exe
- %PROGRAM_FILES%\WinRAR\UnRAR.exe
- %PROGRAM_FILES%\WinRAR\Uninstall.exe
Deletes the following files:
- %TEMP%\winrar_install.exe.tmp
- %TEMP%\aut1.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
