Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\AudioSrv] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Dhcp] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Dnscache] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\eventlog] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\LanmanServer] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\LanmanWorkstation] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\PlugPlay] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\ProtectedStorage] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\SamSs] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\seclogon] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\SENS] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\ShellHWDetection] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Spooler] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Themes] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Winmgmt] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\wuauserv] 'Start' = '00000002'
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Security Center
Launches a large number of processes
Modifies file system
Creates the following files
- %TEMP%\1313497.bat
Deletes the following files
- %TEMP%\1313497.bat
Miscellaneous
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\1313497.bat
- '%WINDIR%\syswow64\sc.exe' config WebClient start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config W32Time start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config VSS start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config UPS start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config UMWdf start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config TrkWks start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config Themes start= AUTO
- '%WINDIR%\syswow64\sc.exe' config TermService start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config TapiSrv start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config SysmonLog start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config swprv start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config stisvc start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config Spooler start= AUTO
- '%WINDIR%\syswow64\sc.exe' config ShellHWDetection start= AUTO
- '%WINDIR%\syswow64\sc.exe' config SharedAccess start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config SENS start= AUTO
- '%WINDIR%\syswow64\sc.exe' config seclogon start= AUTO
- '%WINDIR%\syswow64\sc.exe' config Schedule start= AUTO
- '%WINDIR%\syswow64\sc.exe' config SCardSvr start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config winmgmt start= AUTO
- '%WINDIR%\syswow64\sc.exe' config WmdmPmSN start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config Wmi start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config WmiApSrv start= DISABLED
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="System" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="Security" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="OAlerts" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="Media" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="Key" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="Internet" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="HardwareEvents" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="Application" Call cleareventlog
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog get filename
- '%WINDIR%\syswow64\sc.exe' config MDM start= DISABLED
- '%WINDIR%\syswow64\cmd.exe' /c wmic nteventlog get filename
- '%WINDIR%\syswow64\sc.exe' config wscsvc start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config upnphost start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config TlntSvr start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config SSDPSRV start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config srservice start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config FastUserSwitchingCompatibility start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config xmlprov start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config WZCSVC start= AUTO
- '%WINDIR%\syswow64\sc.exe' config wuauserv start= AUTO
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="Windows" Call cleareventlog
- '%WINDIR%\syswow64\sc.exe' config SamSs start= AUTO
- '%WINDIR%\syswow64\sc.exe' config RpcSs start= AUTO
- '%WINDIR%\syswow64\sc.exe' config NtLmSsp start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config HidServ start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config helpsvc start= AUTO
- '%WINDIR%\syswow64\sc.exe' config EventSystem start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config Eventlog start= AUTO
- '%WINDIR%\syswow64\sc.exe' config ERSvc start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config Dnscache start= AUTO
- '%WINDIR%\syswow64\sc.exe' config dmserver start= AUTO
- '%WINDIR%\syswow64\sc.exe' config dmadmin start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config Dhcp start= AUTO
- '%WINDIR%\syswow64\sc.exe' config DcomLaunch start= AUTO
- '%WINDIR%\syswow64\sc.exe' config CryptSvc start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config COMSysApp start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config ClipSrv start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config CiSvc start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config Browser start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config BITS start= AUTO
- '%WINDIR%\syswow64\sc.exe' config AudioSrv start= AUTO
- '%WINDIR%\syswow64\sc.exe' config AppMgmt start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config Alerter start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config HTTPFilter start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config RpcLocator start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config ImapiService start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config lanmanworkstation start= AUTO
- '%WINDIR%\syswow64\sc.exe' config remoteAccess start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config RDSessMgr start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config RasMan start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config RasAuto start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config ProtectedStorage start= AUTO
- '%WINDIR%\syswow64\sc.exe' config PolicyAgent start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config PlugPlay start= AUTO
- '%WINDIR%\syswow64\sc.exe' config NtmsSvc start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= AUTO
- '%WINDIR%\syswow64\wbem\wmic.exe' nteventlog where filename="" Call cleareventlog
- '%WINDIR%\syswow64\sc.exe' config Netman start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config Netlogon start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config NetDDEdsdm start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config NetDDE start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config MSIServer start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config MSDTC start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config mnmsrvc start= DEMAND
- '%WINDIR%\syswow64\sc.exe' config Messenger start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config LmHosts start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config Nla start= DISABLED
- '%WINDIR%\syswow64\sc.exe' config remoteRegistry start= DISABLED
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\1313497.bat' (with hidden window)
