Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UserInit' = '<SYSTEM32>\userinit.exe,%APPDATA%\Microsoft\Windows\CrashSLogs\{ABKLSG4DF56G4DFG6DFG4EFEGFD564GDF54GD6F54GDG4}\CashI...
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'XVTS_Printer_0000000000000000000000000000000PL_E340_Epson' = '%APPDATA%\Microsoft\Windows\CrashSLogs\{ABKLSG4DF56G4DFG6DFG4EFEGFD564GDF54...
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- User Account Control (UAC)
Executes the following:
- '<SYSTEM32>\notepad.exe'
- '<SYSTEM32>\attrib.exe' "<Current directory>" +s +h
- '<SYSTEM32>\attrib.exe' "<Full path to virus>" +s +h
- '<SYSTEM32>\cmd.exe' /k attrib "<Full path to virus>" +s +h
- '<SYSTEM32>\cmd.exe' /k attrib "<Current directory>" +s +h
Injects code into
the following system processes:
- <SYSTEM32>\notepad.exe
Modifies file system :
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Network activity:
Connects to:
- 'fl######yerupdate.sytes.net':6624
UDP:
- DNS ASK fl######yerupdate.sytes.net
Miscellaneous:
Searches for the following windows:
- ClassName: '#32770' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
- ClassName: '#32770' WindowName: '<Auxiliary name>'
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
