Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\A53510A1] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\A53510A1] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService'
- [<HKLM>\SYSTEM\ControlSet001\services\A53510A1] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService�'
- [<HKLM>\SYSTEM\ControlSet001\services\A53510A1\Parameters] 'ServiceDll' = '%PROGRAMDATA%\A53510A1\66FE4AA5.dll�'
- [<HKLM>\SYSTEM\ControlSet001\services\A53510A1] 'Start' = '00000002'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\services.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\rundll32.exe
the following user processes:
- firefox.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
- [<HKCU>\Software\FlashFXP\3]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\Wow6432Node\FlashFXP\3]
- [<HKLM>\Software\Wow6432Node\FlashFXP]
- [<HKCU>\Software\FileZilla]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
- [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
- [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Cryer\WebSitePublisher]
- [<HKCU>\Software\ExpanDrive\Sessions]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\SOFTWARE\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\TurboFTP]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
- [<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\AIM\AIMPro]
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\RIT\The Bat!]
- [<HKCU>\SOFTWARE\RIT\The Bat!\Users depot]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKLM>\Software\Wow6432Node\Microsoft\Internet Account Manager]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Windows Commander]
- [<HKLM>\Software\Wow6432Node\Ghisler\Total Commander]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [<HKCU>_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
Modifies file system
Creates the following files
- %PROGRAMDATA%\a53510a1\6148e7e1
- %TEMP%\1192250.tmp-shm
- %TEMP%\1192250.tmp
- %TEMP%\1192203.tmp
- %TEMP%\1192187.tmp
- %TEMP%\1191421.tmp
- %TEMP%\1191109.tmp
- %TEMP%\1190828.tmp-shm
- %TEMP%\1190828.tmp
- %TEMP%\1190578.tmp-shm
- %TEMP%\1190578.tmp
- %TEMP%\1190562.tmp
- %TEMP%\1190515.tmp
- %TEMP%\1190187.tmp-shm
- %TEMP%\1190187.tmp
- %TEMP%\1190171.tmp
- %TEMP%\1189921.tmp
- %TEMP%\1189906.tmp
- %PROGRAMDATA%\a53510a1\8bfc3cc8\b9ede6cd69e1a8dccf85d90bedca0531
- %TEMP%\1175984.tmp
- %TEMP%\1175968.tmp
- %TEMP%\1175875.tmp
- %TEMP%\1175812.tmp
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\e160720ff8168b2cd0a188dd1fb9c960_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %PROGRAMDATA%\a53510a1\7023f732
- %PROGRAMDATA%\a53510a1\8bfc3cc8\9463473522d2db2bbc12d3b60ebe1b6b
- %PROGRAMDATA%\a53510a1\66fe4aa5.dll
- %PROGRAMDATA%\a53510a1\bcd31c6e.dll
- %TEMP%\1192296.tmp
- %TEMP%\1192296.tmp-shm
Sets the 'hidden' attribute to the following files
- %PROGRAMDATA%\a53510a1\bcd31c6e.dll
- %PROGRAMDATA%\a53510a1\66fe4aa5.dll
Deletes the following files
- %PROGRAMDATA%\a53510a1\7023f732
- %PROGRAMDATA%\a53510a1\8bfc3cc8\9463473522d2db2bbc12d3b60ebe1b6b
- %TEMP%\1190187.tmp-shm
- %TEMP%\1190578.tmp-shm
- %TEMP%\1190828.tmp-shm
- %TEMP%\1192250.tmp-shm
- %TEMP%\1192296.tmp-shm
Substitutes the following files
- %PROGRAMDATA%\a53510a1\7023f732
Deletes itself.
Network activity
TCP
- '45.##.175.208':443
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: '24DDA6B5' WindowName: '24DDA6B5'
Creates and executes the following
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\A53510A1\66FE4AA5.dll,f1 <Full path to file>@1920' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\A53510A1\66FE4AA5.dll,f1 <Full path to file>@1920
- '<SYSTEM32>\rundll32.exe' %ProgramFiles%\A53510A1\66FE4AA5.dll,f1 <Full path to file>@1920
- '<SYSTEM32>\rundll32.exe' %PROGRAMDATA%\A53510A1\66FE4AA5.dll,f2 72D316C1CAD6D793C258DF23A1B24090
- '<SYSTEM32>\svchost.exe' -k LocalService
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\A53510A1\BCD31C6E.dll,f7
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\A53510A1\BCD31C6E.dll,f2 B003C6D5EF304D6EC18B5FD767831E49
