Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\software\Wow6432Node\microsoft\windows\currentversion\run] 'Windows Service Monitor' = '%WINDIR%\SysWOW64\Debugger\svchost.exe'
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Firewall
- Windows Update
- Windows Security Center
blocks the following features:
- Windows Security Center
Executes the following
- '%WINDIR%\syswow64\net.exe' stop "Security Center"
- '%WINDIR%\syswow64\net.exe' stop SharedAccess
- '%WINDIR%\syswow64\net.exe' stop MpsSvc
- '%WINDIR%\syswow64\net.exe' stop wscsvc
Modifies file system
Creates the following files
- %TEMP%\rarsfx0\disable_xtrap.exe
- %WINDIR%\syswow64\attr.bak
- %WINDIR%\syswow64\gizle.bak
- %WINDIR%\syswow64\screencapture.bak
- %WINDIR%\syswow64\bridge.bak
- %WINDIR%\syswow64\script.tmp
- %WINDIR%\syswow64\script.bak
- %WINDIR%\syswow64\debugger\aosmtp.dll
- %WINDIR%\new.vbs
- %WINDIR%\firstupdate.vbs
- %WINDIR%\update.vbs
- %WINDIR%\syswow64\aosmtp.dll
- %WINDIR%\syswow64\decomp.exe
- %WINDIR%\syswow64\debugger\comctlogs.dll
- %WINDIR%\syswow64\aosmtp.dll.mail
- %WINDIR%\syswow64\debugger\config.dat
- %WINDIR%\syswow64\debugger\aosmtp.dll.mail
- %WINDIR%\syswow64\debugger\svchost.exe
- %WINDIR%\syswow64\debugger\screencapture.exe
- %WINDIR%\syswow64\debugger\bridge.exe
- %WINDIR%\syswow64\debugger\script.exe
- %WINDIR%\syswow64\debugger\decomp.exe
- %WINDIR%\syswow64\debugger\gizle.vbs
- %WINDIR%\syswow64\debugger\kill_xp_firewall.bat
- %WINDIR%\syswow64\debugger\attr.exe
- %TEMP%\rarsfx0\xtrap.dll
- %TEMP%\rarsfx0\bangtrap.dll
- %WINDIR%\syswow64\debugger\extractor.exe
- %WINDIR%\syswow64\debugger\k.dat
Sets the 'hidden' attribute to the following files
- %WINDIR%\syswow64\debugger\bridge.exe
- %WINDIR%\syswow64\debugger\decomp.exe
- %WINDIR%\syswow64\debugger\screencapture.exe
- %WINDIR%\syswow64\debugger\script.exe
- %WINDIR%\syswow64\debugger\svchost.exe
Deletes the following files
- %WINDIR%\syswow64\debugger\extractor.exe
Network activity
Connects to
- 'po##.mynet.com':25
- 'sm##.gmail.com':25
TCP
Other
- 'sm##.gmail.com':25
UDP
- DNS ASK po##.mynet.com
- DNS ASK sm##.gmail.com
- 'localhost':64856
- 'localhost':60527
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: 'Generic Host Process for SpyNmail'
- ClassName: '' WindowName: 'SpyNmail Script Creator'
Creates and executes the following
- '%TEMP%\rarsfx0\disable_xtrap.exe'
- '%WINDIR%\syswow64\debugger\screencapture.exe' 1
- '%WINDIR%\syswow64\debugger\svchost.exe'
- '%WINDIR%\syswow64\debugger\attr.exe' doit
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\FirstUpdate.vbs"
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\SysWOW64\Debugger\gizle.vbs"
- '%WINDIR%\syswow64\debugger\script.exe'
- '%WINDIR%\syswow64\debugger\decomp.exe' /all
- '%WINDIR%\syswow64\debugger\bridge.exe'
- '%WINDIR%\syswow64\decomp.exe' aosmtp.dll
- '%TEMP%\rarsfx0\xtrap.dll'
- '%WINDIR%\syswow64\debugger\bridge.exe' ' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\SysWOW64\Debugger\gizle.vbs"' (with hidden window)
- '%WINDIR%\syswow64\decomp.exe' aosmtp.dll' (with hidden window)
- '%WINDIR%\syswow64\debugger\decomp.exe' /all' (with hidden window)
- '%WINDIR%\syswow64\debugger\attr.exe' doit' (with hidden window)
- '%WINDIR%\syswow64\regsvr32.exe' /s "%WINDIR%\SysWOW64\Debugger\AOSMTP.DLL"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\SysWOW64\Debugger\kill_xp_firewall.bat" "' (with hidden window)
- '%TEMP%\rarsfx0\xtrap.dll' ' (with hidden window)
- '%WINDIR%\syswow64\debugger\svchost.exe' ' (with hidden window)
- '%WINDIR%\syswow64\debugger\screencapture.exe' 1' (with hidden window)
- '%WINDIR%\syswow64\regsvr32.exe' /s "<SYSTEM32>\aosmtp.dll"' (with hidden window)
- '%WINDIR%\syswow64\debugger\script.exe' ' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\FirstUpdate.vbs"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\regsvr32.exe' /s "<SYSTEM32>\aosmtp.dll"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Microsoft\Security Center" /v FirewallOverride /t REG_DWORD /d 0x1 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 0x1 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 0x1 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wscntfy" /v Start /t REG_DWORD /d 0x4 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x1 /f
- '%WINDIR%\syswow64\net1.exe' stop wscsvc
- '%WINDIR%\syswow64\regsvr32.exe' /s "%WINDIR%\SysWOW64\Debugger\AOSMTP.DLL"
- '%WINDIR%\syswow64\net1.exe' stop MpsSvc
- '%WINDIR%\syswow64\net1.exe' stop SharedAccess
- '%WINDIR%\syswow64\net1.exe' stop "Security Center"
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\SysWOW64\Debugger\kill_xp_firewall.bat" "
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x1 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v Start /t REG_DWORD /d 0x4 /f
