Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run] '1E8NAmhfRO' = '<Full path to file>'
Creates the following files on removable media
- <Drive name for removable media>:\81o29451-readme.txt
Malicious functions
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\168.jpeg
- %HOMEPATH%\desktop\about.htm
- %HOMEPATH%\desktop\about.html
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\contoso.cer
- %HOMEPATH%\desktop\contoso_1.cer
- %HOMEPATH%\desktop\dashborder_96.bmp
- %HOMEPATH%\desktop\default.bmp
- %HOMEPATH%\desktop\file_p_00000000_1371597592.docx
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\sdkfailsafeemulator.cer
- %HOMEPATH%\desktop\sdksampleprivdeveloper.cer
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\desktop\tree_view.htm
- %HOMEPATH%\desktop\weeklysheet1215.doc
Modifies file system
Creates the following files
- C:\81o29451-readme.txt
- <Current directory>\81o29451-readme.txt
- C:\kms\81o29451-readme.txt
- C:\recovery\81o29451-readme.txt
- C:\users\81o29451-readme.txt
- %ProgramFiles(x86)%\microsoft sql server\81o29451-readme.txt
- C:\recovery\windowsre\81o29451-readme.txt
- C:\users\default\81o29451-readme.txt
- C:\users\public\81o29451-readme.txt
- %HOMEPATH%\81o29451-readme.txt
- %ProgramFiles(x86)%\microsoft sql server\110\81o29451-readme.txt
- C:\users\default\desktop\81o29451-readme.txt
- C:\users\default\documents\81o29451-readme.txt
- C:\users\default\downloads\81o29451-readme.txt
- C:\users\default\favorites\81o29451-readme.txt
- C:\users\default\links\81o29451-readme.txt
- C:\users\default\music\81o29451-readme.txt
- C:\users\default\pictures\81o29451-readme.txt
- C:\users\default\saved games\81o29451-readme.txt
- C:\users\default\videos\81o29451-readme.txt
- C:\users\public\accountpictures\81o29451-readme.txt
- C:\users\public\desktop\81o29451-readme.txt
- C:\users\public\documents\81o29451-readme.txt
- C:\users\public\downloads\81o29451-readme.txt
- C:\users\public\libraries\81o29451-readme.txt
- C:\users\public\music\81o29451-readme.txt
- C:\users\public\pictures\81o29451-readme.txt
- C:\users\public\videos\81o29451-readme.txt
- %HOMEPATH%\.oracle_jre_usage\81o29451-readme.txt
- %HOMEPATH%\3d objects\81o29451-readme.txt
- %HOMEPATH%\contacts\81o29451-readme.txt
- %HOMEPATH%\desktop\81o29451-readme.txt
- %HOMEPATH%\documents\81o29451-readme.txt
- %HOMEPATH%\downloads\81o29451-readme.txt
- %HOMEPATH%\favorites\81o29451-readme.txt
- %HOMEPATH%\links\81o29451-readme.txt
- %HOMEPATH%\music\81o29451-readme.txt
- %HOMEPATH%\pictures\81o29451-readme.txt
- %HOMEPATH%\saved games\81o29451-readme.txt
- %HOMEPATH%\searches\81o29451-readme.txt
- %HOMEPATH%\videos\81o29451-readme.txt
- %ProgramFiles(x86)%\microsoft sql server\110\shared\81o29451-readme.txt
- %HOMEPATH%\favorites\links\81o29451-readme.txt
- %HOMEPATH%\pictures\camera roll\81o29451-readme.txt
- D:\81o29451-readme.txt
- %TEMP%\rf8d.bmp
Moves the following system files
- from C:\recovery\windowsre\reagent.xml to C:\recovery\windowsre\reagent.xml.81o29451
- from C:\recovery\windowsre\boot.sdi to C:\recovery\windowsre\boot.sdi.81o29451
- from C:\recovery\windowsre\winre.wim to C:\recovery\windowsre\winre.wim.81o29451
Modifies the following files
- C:\users\public\libraries\recordedtv.library-ms
- %HOMEPATH%\.oracle_jre_usage\90737d32e3aba6b.timestamp
- %HOMEPATH%\desktop\168.jpeg
- %HOMEPATH%\desktop\about.htm
- %HOMEPATH%\desktop\about.html
- %HOMEPATH%\favorites\bing.url
- %HOMEPATH%\searches\everywhere.search-ms
- %HOMEPATH%\searches\indexed locations.search-ms
- %HOMEPATH%\searches\winrt--{s-1-5-21-4226853953-3309226944-3078887307-1000}-.searchconnector-ms
- %APPDATA%\microsoft\windows\themes\transcodedwallpaper
Substitutes the following files
- <Drive name for removable media>:\DissolveAnother.png
- <Drive name for removable media>:\WaterResourcesAg.pptx
- <Drive name for removable media>:\1sm_price.xls
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Network activity
Connects to
- 'di##g.fr':443
- 'x1.#.lencr.org':80
- 'th##.network':443
- 'ir###verwer.com':443
- 'ro###lden.com':443
- 'di#####sanitario.biz':443
- 'sp#####rein-tambach.de':443
- 've###harma.fr':443
- 'te#####eprohealthuk.com':443
- 're###tmtn.com':443
- 'oc####studios.com':443
- 'ca####sasdigest.com':443
- 'vi####scenter.es':443
TCP
HTTP GET requests
- http://x1.#.lencr.org/
Other
- 'di##g.fr':443
- 'th##.network':443
- 'ir###verwer.com':443
- 'di#####sanitario.biz':443
- 'sp#####rein-tambach.de':443
- 've###harma.fr':443
- 'te#####eprohealthuk.com':443
- 're###tmtn.com':443
- 'oc####studios.com':443
- 'ca####sasdigest.com':443
UDP
- DNS ASK bi####ratica.com
- DNS ASK di##g.fr
- DNS ASK x1.#.lencr.org
- DNS ASK th##.network
- DNS ASK ir###verwer.com
- DNS ASK kr###e-zily.eu
- DNS ASK ro###lden.com
- DNS ASK di#####sanitario.biz
- DNS ASK to####racoles.com
- DNS ASK sp#####rein-tambach.de
- DNS ASK ve###harma.fr
- DNS ASK te#####eprohealthuk.com
- DNS ASK re###tmtn.com
- DNS ASK oc####studios.com
- DNS ASK ca####sasdigest.com
- DNS ASK vi####scenter.es
