Technical Information
To ensure autorun and distribution:
Changes the following executable system files:
- %WINDIR%\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\dfsvc\a2865dcec9c5d3cc9c55f026cbad6fcc\dfsvc.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\9469981a17c01dd154c540127e678b35\PresentationFontCache.ni.exe
Infects the following executable files:
- %WINDIR%\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\dfsvc\a2865dcec9c5d3cc9c55f026cbad6fcc\dfsvc.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\9469981a17c01dd154c540127e678b35\PresentationFontCache.ni.exe
Modifies file system:
Creates the following files:
- %TEMP%\znwr_1d1.0.cs
- <Current directory>\CSC7.tmp
- %TEMP%\RES8.tmp
- <Current directory>\cdptdbw1944.exe
- %TEMP%\djz6asrv.0.cs
- %TEMP%\djz6asrv.cmdline
- %TEMP%\djz6asrv.out
- <Current directory>\CSC9.tmp
- <Current directory>\qjenshq950.exe
- %WINDIR%\Temp\scsD.tmp
- %TEMP%\opgxtiu2.0.cs
- %TEMP%\opgxtiu2.cmdline
- %TEMP%\opgxtiu2.out
- <Current directory>\CSCB.tmp
- %TEMP%\RESC.tmp
- <Current directory>\wwihhmj994.exe
- <Current directory>\p585h.exe
- %TEMP%\gyu1dpc8.out
- %TEMP%\RESA.tmp
- %TEMP%\gyu1dpc8.cmdline
- %TEMP%\dk8qpac1.out
- %TEMP%\znwr_1d1.cmdline
- %TEMP%\znwr_1d1.out
- <Current directory>\CSC1.tmp
- %TEMP%\RES2.tmp
- <Current directory>\wzxqppr1814.exe
- %TEMP%\dk8qpac1.0.cs
- %TEMP%\dk8qpac1.cmdline
- <Current directory>\CSC3.tmp
- <Current directory>\xjtpsiy24.exe
- %TEMP%\RES4.tmp
- <Current directory>\gfdaybj1979.exe
- %TEMP%\dx4r4hpx.0.cs
- %TEMP%\dx4r4hpx.cmdline
- %TEMP%\dx4r4hpx.out
- <Current directory>\CSC5.tmp
- %TEMP%\RES6.tmp
- %TEMP%\gyu1dpc8.0.cs
- %WINDIR%\Temp\scsE.tmp
Deletes the following files:
- %TEMP%\RES2.tmp
- %TEMP%\gyu1dpc8.out
- <Current directory>\cdptdbw1944.exe
- %TEMP%\RESA.tmp
- <Current directory>\CSC9.tmp
- %TEMP%\djz6asrv.cmdline
- %TEMP%\djz6asrv.out
- %TEMP%\dk8qpac1.cmdline
- %TEMP%\djz6asrv.0.cs
- %TEMP%\RESC.tmp
- <Current directory>\CSCB.tmp
- %TEMP%\opgxtiu2.out
- %TEMP%\opgxtiu2.cmdline
- %TEMP%\opgxtiu2.0.cs
- <Current directory>\wwihhmj994.exe
- %TEMP%\gyu1dpc8.0.cs
- %TEMP%\gyu1dpc8.cmdline
- <Current directory>\CSC7.tmp
- %TEMP%\RES8.tmp
- <Current directory>\xjtpsiy24.exe
- %TEMP%\znwr_1d1.0.cs
- %TEMP%\znwr_1d1.cmdline
- %TEMP%\znwr_1d1.out
- <Current directory>\wzxqppr1814.exe
- %TEMP%\RES4.tmp
- <Current directory>\CSC3.tmp
- %WINDIR%\Temp\scsD.tmp
- <Current directory>\qjenshq950.exe
- %TEMP%\dk8qpac1.out
- <Current directory>\gfdaybj1979.exe
- %TEMP%\RES6.tmp
- <Current directory>\CSC5.tmp
- %TEMP%\dx4r4hpx.0.cs
- %TEMP%\dx4r4hpx.out
- %TEMP%\dx4r4hpx.cmdline
- <Current directory>\CSC1.tmp
- %TEMP%\dk8qpac1.0.cs
- %WINDIR%\Temp\scsE.tmp
Network activity:
Connects to:
- 'wp#d':80
- '20#.#6.232.182':80
TCP:
HTTP GET requests:
- http://11#.#11.111.1/wpad.dat via wp#d
- http://crl.microsoft.com/pki/crl/products/CSPCA.crl via 20#.#6.232.182
UDP:
- DNS ASK wp#d
- DNS ASK crl.microsoft.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-cf0.cf4.3e0001'
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\znwr_1d1.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "<Current directory>\CSC1.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dk8qpac1.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "<Current directory>\CSC3.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dx4r4hpx.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6.tmp" "<Current directory>\CSC5.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gyu1dpc8.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8.tmp" "<Current directory>\CSC7.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\djz6asrv.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA.tmp" "<Current directory>\CSC9.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\opgxtiu2.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC.tmp" "<Current directory>\CSCB.tmp"
- '<SYSTEM32>\ntvdm.exe' -f -i1
