Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'pcAnywhere' = '"<SYSTEM32>\inetsrv\svchost.exe"'
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\inetsrv\svchost.exe'
Executes the following:
- '<SYSTEM32>\dumprep.exe' 2864 -dm 7 7 %TEMP%\WERbc64.dir00\svchost.exe.hdmp 16325836412027096
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\sysdm.cpl,NoExecuteProcessException <SYSTEM32>\inetsrv\svchost.exe
- '<SYSTEM32>\services.exe'
- '<SYSTEM32>\dumprep.exe' 2864 -dm 7 7 %TEMP%\WERbc64.dir00\svchost.exe.mdmp 16325836412027076
Injects code into
the following system processes:
- <SYSTEM32>\services.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\inetsrv\topul.head
- <SYSTEM32>\inetsrv\ustat.txt
- <SYSTEM32>\inetsrv\who.body
- <SYSTEM32>\inetsrv\topul.foot
- <SYSTEM32>\inetsrv\topdl.foot
- <SYSTEM32>\inetsrv\topdl.head
- <SYSTEM32>\inetsrv\topul.body
- %TEMP%\WERbc64.dir00\svchost.exe.hdmp
- %TEMP%\WERbc64.dir00\appcompat.txt
- %TEMP%\WERbc64.dir00\manifest.txt
- %TEMP%\WERbc64.dir00\svchost.exe.mdmp
- <SYSTEM32>\inetsrv\who.foot
- <SYSTEM32>\inetsrv\who.head
- <SYSTEM32>\inetsrv\svchost.exe
- <SYSTEM32>\inetsrv\topdl.body
- <SYSTEM32>\inetsrv\JAstat.ini
- <SYSTEM32>\inetsrv\JAstat.stats
- <SYSTEM32>\inetsrv\libeay32.dll
- <SYSTEM32>\inetsrv\JAstat.dll
- <SYSTEM32>\inetsrv\acctres.dll
- <SYSTEM32>\inetsrv\dirchange.txt
- <SYSTEM32>\inetsrv\help.txt
- <SYSTEM32>\inetsrv\ServUCert.key
- <SYSTEM32>\inetsrv\ssleay32.dll
- <SYSTEM32>\inetsrv\stat.txt
- <SYSTEM32>\inetsrv\ServUCert.crt
- <SYSTEM32>\inetsrv\login.txt
- <SYSTEM32>\inetsrv\logoff.txt
- <SYSTEM32>\inetsrv\rules.txt
Network activity:
Connects to:
- 'vi#####hmer.vi.ohost.de':80
TCP:
HTTP GET requests:
- vi#####hmer.vi.ohost.de/wbb2/maxinj.php
UDP:
- DNS ASK vi#####hmer.vi.ohost.de
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
