Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WinXPService' = '%APPDATA%\mirc\DriverUpdate.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Creates and executes the following:
- %APPDATA%\mIRC\mirc.exe
- %APPDATA%\mIRC\DriverUpdate.exe
Executes the following:
- %WINDIR%\regedit.exe /s l82.Reg
- %WINDIR%\regedit.exe /s b24.Reg
- %WINDIR%\regedit.exe /s t87.Reg
- %WINDIR%\regedit.exe /s k12.Reg
- %WINDIR%\regedit.exe /s l13.Reg
- %WINDIR%\regedit.exe /s x57.Reg
- %WINDIR%\regedit.exe /s i17.Reg
- %WINDIR%\regedit.exe /s j85.Reg
- %WINDIR%\regedit.exe /s h81.Reg
- %WINDIR%\regedit.exe /s w97.Reg
- %WINDIR%\regedit.exe /s f48.Reg
- %WINDIR%\regedit.exe /s i37.Reg
- %WINDIR%\regedit.exe /s j22.Reg
- %WINDIR%\regedit.exe /s m4.Reg
- %WINDIR%\regedit.exe /s t5.Reg
- %WINDIR%\regedit.exe /s w8.Reg
- <SYSTEM32>\attrib.exe +S +H mirc\mirc.exe
- <SYSTEM32>\reg.exe ADD HKEY_CURRENT_USER\Software\mIRC\UserName /v "" /t REG_SZ /d "cCTeam" /f
- <SYSTEM32>\attrib.exe +S +H mirc\system.mrc
- <SYSTEM32>\attrib.exe +S +H mirc\RegKeys.bat
- <SYSTEM32>\cmd.exe /c ""%APPDATA%\mirc\RegKeys.bat" "
- <SYSTEM32>\netsh.exe firewall set opmode disable
- <SYSTEM32>\attrib.exe +S +H mirc
- <SYSTEM32>\reg.exe ADD HKEY_CURRENT_USER\Software\mIRC\License /v "" /t REG_SZ /d "3546-331847" /f
- %WINDIR%\regedit.exe /s l3.Reg
- %WINDIR%\regedit.exe /s v17.Reg
- %WINDIR%\regedit.exe /s a67.Reg
- %WINDIR%\regedit.exe /s i15.Reg
- <SYSTEM32>\attrib.exe +S +H mirc\DriverUpdate.exe
- <SYSTEM32>\attrib.exe +S +H mirc\mirc.ini
- %WINDIR%\regedit.exe /s k25.Reg
- <SYSTEM32>\taskkill.exe /F /IM VCSPAWN.EXE /T
Modifies file system :
Creates the following files:
- %APPDATA%\mIRC\k12.Reg
- %APPDATA%\mIRC\mirc17.tm_
- %APPDATA%\mIRC\t87.Reg
- %APPDATA%\mIRC\l82.Reg
- %APPDATA%\mIRC\j85.Reg
- %APPDATA%\mIRC\i17.Reg
- %APPDATA%\mIRC\b24.Reg
- %APPDATA%\mIRC\m4.Reg
- %APPDATA%\mIRC\h81.Reg
- %APPDATA%\mIRC\i37.Reg
- %APPDATA%\mIRC\f48.Reg
- %APPDATA%\mIRC\w97.Reg
- %APPDATA%\mIRC\j22.Reg
- %APPDATA%\mIRC\w8.Reg
- %APPDATA%\mIRC\t5.Reg
- %APPDATA%\mIRC\system.mrc
- %APPDATA%\mIRC\logs\status.log
- %APPDATA%\mIRC\k25.Reg
- %APPDATA%\mIRC\DriverUpdate.exe
- %APPDATA%\mIRC\mirc.ini
- %APPDATA%\mIRC\RegKeys.bat
- %APPDATA%\mIRC\mirc.exe
- %APPDATA%\mIRC\mirc1.tm_
- %APPDATA%\mIRC\a67.Reg
- %APPDATA%\mIRC\x57.Reg
- %APPDATA%\mIRC\l13.Reg
- %APPDATA%\mIRC\i15.Reg
- %APPDATA%\mIRC\mirc3.tm_
- %APPDATA%\mIRC\v17.Reg
- %APPDATA%\mIRC\l3.Reg
Sets the 'hidden' attribute to the following files:
- %APPDATA%\mIRC\mirc.ini
- %APPDATA%\mIRC\DriverUpdate.exe
- %APPDATA%\mIRC\system.mrc
- %APPDATA%\mIRC\mirc.exe
- %APPDATA%\mIRC\RegKeys.bat
Deletes the following files:
- %APPDATA%\mIRC\mirc19.tm_
- %APPDATA%\mIRC\mirc20.tm_
- %APPDATA%\mIRC\mirc21.tm_
- %APPDATA%\mIRC\mirc16.tm_
- <Drive name for removable media>:\mirc18.tm_
- %APPDATA%\mIRC\mirc17.tm_
- %APPDATA%\mIRC\mirc25.tm_
- %APPDATA%\mIRC\mirc26.tm_
- %APPDATA%\mIRC\mirc27.tm_
- %APPDATA%\mIRC\mirc22.tm_
- %APPDATA%\mIRC\mirc23.tm_
- %APPDATA%\mIRC\mirc24.tm_
- %APPDATA%\mIRC\mirc7.tm_
- %APPDATA%\mIRC\mirc8.tm_
- %APPDATA%\mIRC\mirc9.tm_
- %APPDATA%\mIRC\mirc4.tm_
- %APPDATA%\mIRC\mirc5.tm_
- %APPDATA%\mIRC\mirc6.tm_
- %APPDATA%\mIRC\mirc13.tm_
- %APPDATA%\mIRC\mirc14.tm_
- %APPDATA%\mIRC\mirc15.tm_
- %APPDATA%\mIRC\mirc10.tm_
- %APPDATA%\mIRC\mirc11.tm_
- %APPDATA%\mIRC\mirc12.tm_
Moves the following files:
- from %APPDATA%\mIRC\t87.Reg to %APPDATA%\mIRC\mirc19.tm_
- from %APPDATA%\mIRC\m4.Reg to %APPDATA%\mIRC\mirc20.tm_
- from %APPDATA%\mIRC\j22.Reg to %APPDATA%\mIRC\mirc21.tm_
- from %APPDATA%\mIRC\b24.Reg to %APPDATA%\mIRC\mirc14.tm_
- from %APPDATA%\mIRC\l82.Reg to %APPDATA%\mIRC\mirc15.tm_
- from %APPDATA%\mIRC\k12.Reg to %APPDATA%\mIRC\mirc16.tm_
- from %APPDATA%\mIRC\h81.Reg to %APPDATA%\mIRC\mirc25.tm_
- from %APPDATA%\mIRC\i37.Reg to %APPDATA%\mIRC\mirc26.tm_
- from %APPDATA%\mIRC\f48.Reg to %APPDATA%\mIRC\mirc27.tm_
- from %APPDATA%\mIRC\w8.Reg to %APPDATA%\mIRC\mirc22.tm_
- from %APPDATA%\mIRC\t5.Reg to %APPDATA%\mIRC\mirc23.tm_
- from %APPDATA%\mIRC\w97.Reg to %APPDATA%\mIRC\mirc24.tm_
- from %APPDATA%\mIRC\mirc3.tm_ to %APPDATA%\mIRC\mirc.ini
- from %APPDATA%\mIRC\v17.Reg to %APPDATA%\mIRC\mirc6.tm_
- from %APPDATA%\mIRC\l3.Reg to %APPDATA%\mIRC\mirc7.tm_
- from %APPDATA%\mIRC\mirc1.tm_ to %APPDATA%\mIRC\vars.ini
- from %APPDATA%\mIRC\k25.Reg to %APPDATA%\mIRC\mirc4.tm_
- from %APPDATA%\mIRC\mirc.ini to %APPDATA%\mIRC\mirc5.tm_
- from %APPDATA%\mIRC\l13.Reg to %APPDATA%\mIRC\mirc11.tm_
- from %APPDATA%\mIRC\j85.Reg to %APPDATA%\mIRC\mirc12.tm_
- from %APPDATA%\mIRC\i17.Reg to %APPDATA%\mIRC\mirc13.tm_
- from %APPDATA%\mIRC\i15.Reg to %APPDATA%\mIRC\mirc8.tm_
- from %APPDATA%\mIRC\a67.Reg to %APPDATA%\mIRC\mirc9.tm_
- from %APPDATA%\mIRC\x57.Reg to %APPDATA%\mIRC\mirc10.tm_
Network activity:
Connects to:
- 'fi###all.yi.org':33725
UDP:
- DNS ASK Fi###all.yi.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'CicLoaderWndClass' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
