Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'ReferenceAssembliesw' = '%ALLUSERSPROFILE%\Reference Assemblies\ReferenceAssembliesw.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Ny' = '%APPDATA%\Uninstall Information\Ny.exe'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
blocks the following features:
- Windows Action Center
modifies the following system settings:
- Hides taskbar notifications
Executes the following:
- '<SYSTEM32>\msiexec.exe'
Injects code into
the following system processes:
- <SYSTEM32>\msiexec.exe
Modifies file system:
Creates the following files:
- %ALLUSERSPROFILE%\Reference Assemblies\ReferenceAssembliesw.exe
- %APPDATA%\Uninstall Information\Ny.exe
Deletes the following files:
- %APPDATA%\Uninstall Information\Ny.exe
Deletes itself.
Network activity:
Connects to:
- '25#.#55.255.255':53
- '19#.#83.98.154':53
- '45.##.117.118':53
- '23.#4.5.133':53
- '5.###.183.146':53
- '96.##.175.167':53
- '10#.#38.186.189':53
- '84.##1.32.108':53
- '18#.#33.72.100':53
- '21#.#61.5.12':53
- '45.#3.25.55':53
- '5.#.49.12':53
- '14#.#6.133.38':53
- '89.#8.27.34':53
- '87.##.175.85':53
- '45.##.28.232':53
- '10#.#1.164.218':53
- '14#.#38.157.53':53
- '45.##.99.180':53
