Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'UPDATE_Exe' = '%PROGRAM_FILES%\mcafee.com\teen.exe'
- [<HKLM>\SOFTWARE\Classes\irc\Shell\open\command] '' = '"%PROGRAM_FILES%\mcafee.com\teen.exe" -noconnect'
- [<HKLM>\SOFTWARE\Classes\ChatFile\Shell\open\command] '' = '"%PROGRAM_FILES%\mcafee.com\teen.exe" -noconnect'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Creates and executes the following:
- '%PROGRAM_FILES%\mcafee.com\fx.exe'
- '%PROGRAM_FILES%\mcafee.com\kill.exe'
- '%PROGRAM_FILES%\mcafee.com\teen.exe'
- '%PROGRAM_FILES%\mcafee.com\hd.exe' /n /fh mirc
Executes the following:
- '%WINDIR%\regedit.exe' /s 582.reg
- '%WINDIR%\regedit.exe' /s 747.reg
- '%WINDIR%\regedit.exe' /s 680.reg
- '%WINDIR%\regedit.exe' /s 734.reg
- '%WINDIR%\regedit.exe' /s 635.reg
- '%WINDIR%\regedit.exe' /s 741.reg
- '%WINDIR%\regedit.exe' /s 783.reg
- '%WINDIR%\regedit.exe' /s 856.reg
- '%WINDIR%\regedit.exe' /s 362.reg
- '%WINDIR%\regedit.exe' /s 150.reg
- '%WINDIR%\regedit.exe' /s 123.reg
- '%WINDIR%\regedit.exe' /s 178.reg
- '%WINDIR%\regedit.exe' /s 803.reg
- '%WINDIR%\regedit.exe' /s 943.reg
- '%WINDIR%\regedit.exe' /s 147.reg
- '%WINDIR%\regedit.exe' /s 779.reg
- '%WINDIR%\regedit.exe' /s 780.reg
- '%WINDIR%\regedit.exe' /s 306.reg
- '%WINDIR%\regedit.exe' /s 322.reg
- '%WINDIR%\regedit.exe' /s 474.reg
- '%WINDIR%\regedit.exe' /s 931.reg
- '%WINDIR%\regedit.exe' /s 169.reg
- '%WINDIR%\msagent\agentsvr.exe' -Embedding
- '%WINDIR%\regedit.exe' /s 814.reg
- '%WINDIR%\regedit.exe' /s 127.reg
- '%WINDIR%\regedit.exe' /s 759.reg
- '%WINDIR%\regedit.exe' /s 429.reg
- '%WINDIR%\regedit.exe' /s 631.reg
- '%WINDIR%\regedit.exe' /s 602.reg
- '%WINDIR%\regedit.exe' /s 632.reg
- '%WINDIR%\regedit.exe' /s 764.reg
- '%WINDIR%\regedit.exe' /s 525.reg
- '%WINDIR%\regedit.exe' /s 603.reg
Terminates or attempts to terminate
the following user processes:
- NAVAPW32.EXE
- AVPM.EXE
- AVPCC.EXE
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\mcafee.com\856.reg
- %PROGRAM_FILES%\mcafee.com\635.reg
- %PROGRAM_FILES%\mcafee.com\783.reg
- %PROGRAM_FILES%\mcafee.com\582.reg
- %PROGRAM_FILES%\mcafee.com\747.reg
- %PROGRAM_FILES%\mcafee.com\741.reg
- %PROGRAM_FILES%\mcafee.com\759.reg
- %PROGRAM_FILES%\mcafee.com\429.reg
- %PROGRAM_FILES%\mcafee.com\602.reg
- %PROGRAM_FILES%\mcafee.com\780.reg
- %PROGRAM_FILES%\mcafee.com\631.reg
- %PROGRAM_FILES%\mcafee.com\362.reg
- %PROGRAM_FILES%\mcafee.com\150.reg
- %PROGRAM_FILES%\mcafee.com\178.reg
- %PROGRAM_FILES%\mcafee.com\remote.ini
- %PROGRAM_FILES%\mcafee.com\123.reg
- %PROGRAM_FILES%\mcafee.com\147.reg
- %PROGRAM_FILES%\mcafee.com\680.reg
- %PROGRAM_FILES%\mcafee.com\734.reg
- %PROGRAM_FILES%\mcafee.com\943.reg
- %PROGRAM_FILES%\mcafee.com\779.reg
- %PROGRAM_FILES%\mcafee.com\803.reg
- %PROGRAM_FILES%\mcafee.com\v1rg1n
- %PROGRAM_FILES%\mcafee.com\teen.exe
- %PROGRAM_FILES%\mcafee.com\Sys.mrc
- %PROGRAM_FILES%\mcafee.com\kill.exe
- %PROGRAM_FILES%\mcafee.com\fx.exe
- %PROGRAM_FILES%\mcafee.com\mirc.ini
- %PROGRAM_FILES%\mcafee.com\ChaseM.mrc
- %PROGRAM_FILES%\mcafee.com\ChaseX.mrc
- %PROGRAM_FILES%\mcafee.com\ChaseI.mrc
- %PROGRAM_FILES%\mcafee.com\hd.exe
- %PROGRAM_FILES%\mcafee.com\ChaseC.mrc
- %PROGRAM_FILES%\mcafee.com\764.reg
- %PROGRAM_FILES%\mcafee.com\474.reg
- %PROGRAM_FILES%\mcafee.com\632.reg
- %PROGRAM_FILES%\mcafee.com\525.reg
- %PROGRAM_FILES%\mcafee.com\603.reg
- %PROGRAM_FILES%\mcafee.com\931.reg
- %PROGRAM_FILES%\mcafee.com\127.reg
- %PROGRAM_FILES%\mcafee.com\169.reg
- %PROGRAM_FILES%\mcafee.com\814.reg
- %PROGRAM_FILES%\mcafee.com\306.reg
- %PROGRAM_FILES%\mcafee.com\322.reg
Deletes the following files:
- %PROGRAM_FILES%\mcafee.com\747.reg
- %PROGRAM_FILES%\mcafee.com\582.reg
- %PROGRAM_FILES%\mcafee.com\734.reg
- %PROGRAM_FILES%\mcafee.com\783.reg
- %PROGRAM_FILES%\mcafee.com\741.reg
- %PROGRAM_FILES%\mcafee.com\635.reg
- %PROGRAM_FILES%\mcafee.com\856.reg
- %PROGRAM_FILES%\mcafee.com\680.reg
- %PROGRAM_FILES%\mcafee.com\150.reg
- %PROGRAM_FILES%\mcafee.com\362.reg
- %PROGRAM_FILES%\mcafee.com\178.reg
- %PROGRAM_FILES%\mcafee.com\147.reg
- %PROGRAM_FILES%\mcafee.com\943.reg
- %PROGRAM_FILES%\mcafee.com\803.reg
- %PROGRAM_FILES%\mcafee.com\779.reg
- %PROGRAM_FILES%\mcafee.com\780.reg
- %PROGRAM_FILES%\mcafee.com\306.reg
- %PROGRAM_FILES%\mcafee.com\931.reg
- %PROGRAM_FILES%\mcafee.com\474.reg
- %PROGRAM_FILES%\mcafee.com\322.reg
- %PROGRAM_FILES%\mcafee.com\169.reg
- %PROGRAM_FILES%\mcafee.com\127.reg
- %PROGRAM_FILES%\mcafee.com\814.reg
- %PROGRAM_FILES%\mcafee.com\764.reg
- %PROGRAM_FILES%\mcafee.com\759.reg
- %PROGRAM_FILES%\mcafee.com\602.reg
- %PROGRAM_FILES%\mcafee.com\631.reg
- %PROGRAM_FILES%\mcafee.com\429.reg
- %PROGRAM_FILES%\mcafee.com\632.reg
- %PROGRAM_FILES%\mcafee.com\603.reg
- %PROGRAM_FILES%\mcafee.com\525.reg
Network activity:
Connects to:
- 'ma###.guccino.us':9050
UDP:
- DNS ASK ma###.guccino.us
Miscellaneous:
Searches for the following windows:
- ClassName: '(null)' WindowName: 'mirc'
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
