Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%WINDIR%\System\wininit.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\SYSTEM.EXE
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\system\wininit.exe' = '%WINDIR%\system\wininit.exe:*:Enabled:WinServices'
Creates and executes the following:
- %WINDIR%\system\wininit.exe /k <Full path to virus>
Executes the following:
- <SYSTEM32>\netsh.exe firewall add allowedprogram "%WINDIR%\System\wininit.exe" WinServices Enable
Modifies file system :
Creates the following files:
- %WINDIR%\system\wininit.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\SYSTEM.EXE
- %WINDIR%\system\wininit.exe
Deletes itself.
Network activity:
Connects to:
- 'sn######syou.dyndns.info':3178
UDP:
- DNS ASK sn######syou.dyndns.info
- '<Private IP address>':1036
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'BHH'
