Trojan.Click.101.origin

To ensure autorun and distribution

Sets the following service settings

Malicious functions

Executes the following

Injects code into

the following system processes:

Terminates or attempts to terminate

the following system processes:

Modifies file system

Creates the following files

%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\network shortcuts\common files\mlclnrsavsmxv\mlclnrsavsmxv.exe
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\network shortcuts\common files\mlclnrsavsmxv\mlclnrsavsmxv.bmp
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\mlclnrsavsmxv.exe
%ALLUSERSPROFILE%\cdburn.exe
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\system@google[1].txt
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\system@google[2].txt
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\network shortcuts\.isp
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

Sets the 'hidden' attribute to the following files

%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\network shortcuts\common files\mlclnrsavsmxv\mlclnrsavsmxv.exe

Deletes the following files

%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\mlclnrsavsmxv.exe
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\system@google[1].txt
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\system@google[2].txt

Substitutes the following files

%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\mlclnrsavsmxv.exe
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\system@google[1].txt

Network activity

Connects to

TCP

HTTP GET requests

http://www.google.com/search?q=#########
http://www.google.com/sorry/index?co#################################################################################################################################################

UDP

Miscellaneous

Searches for the following windows

Creates and executes the following

'%WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\network shortcuts\common files\mlclnrsavsmxv\mlclnrsavsmxv.exe' nti
'%WINDIR%\syswow64\regedit.exe' /s %WINDIR%\Mlclnrsavsmxv.reg' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall set opmode disable' (with hidden window)
'%WINDIR%\syswow64\net.exe' user users 0255 /add /expires:never /times:all' (with hidden window)
'%WINDIR%\syswow64\net.exe' localgroup "€В¤В¬ВЁВВЁГЎГўГ В ГўВ®Г Г«" users /add' (with hidden window)
'%WINDIR%\syswow64\net.exe' localgroup "Administrators" users /add' (with hidden window)
'%WINDIR%\syswow64\net.exe' group "Domain Admins" users /add' (with hidden window)
'%WINDIR%\syswow64\net.exe' localgroup "ГЂГ¤Г¬ГЁГГЁГ±ГІГ°Г ГІГ®Г°Г»" users /add' (with hidden window)
'%WINDIR%\syswow64\cscript.exe' <SYSTEM32>\SCRegEdit.wsf /cs 0' (with hidden window)

Restarts the analyzed sample

Executes the following