Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CmdWindows' = '%WINDIR%\win32cmd.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\system32.vbs
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:Microsoft Windows Update Platform'
Creates and executes the following:
- '%WINDIR%\nokia32.exe'
- '%WINDIR%\win32explor.exe'
- '%WINDIR%\systemerror.exe'
- '<SYSTEM32>\xcopy.exe' (downloaded from the Internet)
- '%WINDIR%\win32explor.exe' (downloaded from the Internet)
- '%WINDIR%\systemerror.exe' (downloaded from the Internet)
- '%WINDIR%\nokia32.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs C:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf M:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs E:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs <Drive name for removable media>:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf J:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf I:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf L:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf K:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs F:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs L:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs K:\system32.vbs
- '<SYSTEM32>\xcopy.exe'
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs M:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs H:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs G:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs J:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs I:\system32.vbs
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe H:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe G:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe J:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe I:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe C:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe <Drive name for removable media>:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe E:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe F:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe K:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf F:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf E:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf H:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf G:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe M:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe L:\win32cmd.exe
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf <Drive name for removable media>:\autorun.inf
- '<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf C:\autorun.inf
Injects code into
the following system processes:
- <SYSTEM32>\xcopy.exe
the following user processes:
- iexplore.exe
Modifies file system :
Creates the following files:
- %WINDIR%\systemerror.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\systeml[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\system[1].exe
- %WINDIR%\files\Lesbi.Games2.mpg.exe
- %WINDIR%\files\Russian.Girls.avi.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\system[1].exe
- %WINDIR%\mind32red.exe
- %WINDIR%\win32explor.exe
- %WINDIR%\nokia32.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\system[1].exe
- %WINDIR%\multihosts.exe
- %WINDIR%\files\ICQ.hacking.exe
- %WINDIR%\win32cmd.exe
- %WINDIR%\autorun.inf
- <SYSTEM32>.vbs
- %WINDIR%\files\My.Porno.Video.avi.exe
- %WINDIR%\files\Lesbi.Games.mpg.exe
- %WINDIR%\files\hotmail_hacker.exe
- %WINDIR%\files\invisible_IP.exe
- %WINDIR%\files\msn_crack.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\win32cmd.exe
- <Drive name for removable media>:\system32.vbs
- %WINDIR%\autorun.inf
- <SYSTEM32>.vbs
Modifies the HOSTS file.
Network activity:
Connects to:
- 'www.po##pics.ru':80
- 'il####natigear.com':80
- 'www.dm##ca6.org':80
- 'localhost':1037
- 'www.ma###sallem.ro':80
TCP:
HTTP GET requests:
- www.po##pics.ru/data/vt/system.exe
- il####natigear.com/catalog/images/system.exe
- www.ma###sallem.ro/forum/Smileys/system.exe
- www.dm##ca6.org/systeml.exe
UDP:
- DNS ASK www.po##pics.ru
- DNS ASK il####natigear.com
- DNS ASK www.ma###sallem.ro
- DNS ASK www.dm##ca6.org
