Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\9F618AA9] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\9F618AA9] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService'
- [<HKLM>\SYSTEM\ControlSet001\services\9F618AA9] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService�'
- [<HKLM>\SYSTEM\ControlSet001\services\9F618AA9\Parameters] 'ServiceDll' = '%PROGRAMDATA%\9F618AA9\F6DF918F.dll�'
- [<HKLM>\SYSTEM\ControlSet001\services\9F618AA9] 'Start' = '00000002'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\services.exe
- <SYSTEM32>\winlogon.exe
- %WINDIR%\syswow64\rundll32.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\rundll32.exe
the following user processes:
- firefox.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\AIM\AIMPro]
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\opera software\opera stable\login data
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [<HKCU>_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080�'
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8080'
Modifies file system
Creates the following files
- <Full path to file>
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %TEMP%\1268437.tmp
- %TEMP%\1268406.tmp
- %TEMP%\1268343.tmp
- %TEMP%\1268171.tmp
- %WINDIR%\syswow64\config\systemprofile\favorites\desktop.ini
- %PROGRAMDATA%\9f618aa9\d8053a42\132bb37d97ba588167d413ef371ef4c5.zip
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\eefd640e5ff3e0e8735fec506b4a3354_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %PROGRAMDATA%\9f618aa9\75d733b0
- %PROGRAMDATA%\9f618aa9\8dc1c3ca\e75899413cace4e4ad49c8e36e68c89b
- %PROGRAMDATA%\9f618aa9\f6df918f.dll
- %PROGRAMDATA%\9f618aa9\1d6a2c09.dll
- %PROGRAMDATA%\9f618aa9\b37ab3a5
- %TEMP%\1285468.tmp-shm
- %TEMP%\1286718.tmp-shm
Sets the 'hidden' attribute to the following files
- %PROGRAMDATA%\9f618aa9\1d6a2c09.dll
- %PROGRAMDATA%\9f618aa9\f6df918f.dll
- %WINDIR%\syswow64\config\systemprofile\favorites\desktop.ini
Deletes the following files
- <Full path to file>
- %PROGRAMDATA%\9f618aa9\75d733b0
- %PROGRAMDATA%\9f618aa9\8dc1c3ca\e75899413cace4e4ad49c8e36e68c89b
- %PROGRAMDATA%\9f618aa9\d8053a42\132bb37d97ba588167d413ef371ef4c5.zip
- %TEMP%\1285468.tmp-shm
- %TEMP%\1286718.tmp-shm
Substitutes the following files
- %PROGRAMDATA%\9f618aa9\75d733b0
Network activity
TCP
- '2.##.213.39':443
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'E2BF9E8C' WindowName: 'E2BF9E8C'
Creates and executes the following
- '%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@2656' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\9F618AA9\F6DF918F.dll,f1 <Full path to file>@340' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@2656
- '%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0
- '%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\9F618AA9\F6DF918F.dll,f1 <Full path to file>@340
- '<SYSTEM32>\rundll32.exe' %ProgramFiles%\9F618AA9\F6DF918F.dll,f1 <Full path to file>@340
- '<SYSTEM32>\rundll32.exe' %PROGRAMDATA%\9F618AA9\F6DF918F.dll,f2 1FCAAAC36182D72B5B244331A7421701
- '<SYSTEM32>\svchost.exe' -k LocalService
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\9F618AA9\1D6A2C09.dll,f3
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\9F618AA9\1D6A2C09.dll,f7
- '%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\9F618AA9\1D6A2C09.dll,f2 E48E292D52AA1264BCBA6B30A9CB2113
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\wininet.dll",DispatchAPICall 1
