Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Beng' = '<Full path to file>'
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\uTorrent] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\uTorrent] 'ImagePath' = '%WINDIR%\srvany.exe'
Creates the following services
- 'uTorrent' %WINDIR%\srvany.exe
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="uTorrent" dir=in action=allow profile=any description=uTorrent program="<Full path to file>" enable=yes
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="uTorrent" dir=out action=allow profile=any description=uTorrent program="<Full path to file>" enable=yes
Modifies file system
Creates the following files
- %TEMP%\aut50ae.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat.new
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\96rtj96i\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mexl2y7p\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\07g48pnn\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mp0hbu0g\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %WINDIR%\srvany.exe
- %TEMP%\aut5821.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat.old
- %TEMP%\aut5775.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat
- %TEMP%\aut5716.tmp
- %ProgramFiles%\utorrent_\utorrent.exe
- %TEMP%\aut56c7.tmp
- %TEMP%\fjkaxun
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\dlimagecache\2d78c93ec367e6c1d9894103fa04b3be5b20a84e
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\dlimagecache\bbeec0395d21a2a7f91889d7c7509f3d5d46fc05
Sets the 'hidden' attribute to the following files
- %ProgramFiles%\utorrent_\utorrent.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat.old
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mp0hbu0g\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\07g48pnn\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mexl2y7p\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\96rtj96i\desktop.ini
Deletes the following files
- %TEMP%\aut50ae.tmp
- %TEMP%\fjkaxun
- %TEMP%\aut56c7.tmp
- %TEMP%\aut5716.tmp
- %TEMP%\aut5775.tmp
- %TEMP%\aut5821.tmp
Moves the following files
- from %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat to %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat.old
Substitutes the following files
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\utorrent\settings.dat.new
Network activity
Connects to
- 'pr####putation.com':80
- 'pr####putation.com':443
- 'bi###rrent.com':80
- 'google.com':80
- 'mi###ova.org':80
- 'se###h.vuze.com':80
TCP
HTTP GET requests
- http://Pr####putation.com/test/webseeds/Win7x86RNFinal.torrent
- http://Pr####putation.com/test/webseeds/Win7x64RNFinal.torrent
- http://www.bi###rrent.com/sites/default/files/bittorrent2_favicon.ico
- http://google.com/favicon.ico
- http://www.google.com/favicon.ico
- http://www.mi###ova.org/favicon.ico
- http://mi###ova.org/favicon.ico
- http://se###h.vuze.com/favicon.ico
Other
- 'pr####putation.com':443
UDP
- DNS ASK pr####putation.com
- DNS ASK mi###ova.org
- DNS ASK google.com
- DNS ASK ro####.utorrent.com
- DNS ASK ro####.bittorrent.com
- DNS ASK se###h.vuze.com
- DNS ASK bi###rrent.com
- DNS ASK ap##.#ittorrent.com
- '24.##6.220.196':32951
- '17#.#.120.135':6666
- '78.##.84.104':11973
- '1.###.11.198':12366
- '95.##.219.227':13012
- '17#.#62.173.151':28003
- '12#.#29.2.135':10570
- '84.##.185.48':6881
- '49.##8.224.244':17063
- '14.##.184.230':40861
- '17#.#62.174.228':28012
- '22#.#6.16.95':13749
- '22#.#47.13.60':32991
- '16#.#3.3.191':6881
- '15#.#1.158.57':6881
- '12#.#17.24.238':34170
- '8.###.126.236':22727
- '36.##.132.250':25949
- '11#.80.9.63':6885
- '15#.#9.86.100':43964
- '15#.#3.45.107':7386
- '10#.#74.103.138':14441
- '17#.#.210.94':45867
- '18#.#6.39.138':13557
- '54.##9.131.199':6892
- '16#.#72.226.132':6060
- '15#.#3.45.107':7389
- '12#.#0.45.78':42395
- '18#.#22.47.63':37321
- '18#.#3.160.39':8251
- '17#.#6.233.123':55961
- '11#.#4.165.53':28901
- '18#.#49.91.42':51559
- '61.##.132.203':33308
- '11#.#90.128.247':20838
- '20#.#59.238.209':51743
- '58.##6.33.157':57005
- '14#.#26.103.138':37007
- '18#.#17.189.161':15974
- '18#.#6.39.138':25064
- '11#.#10.167.138':41551
- '15#.#9.214.100':49571
- '19#.#08.215.246':38721
- '78.##9.90.185':2079
- '2.##.228.242':6881
- '72.##.17.105':13091
- '11#.#03.177.181':40641
- '24.##6.36.151':6881
- '18#.#03.56.59':27760
- '20#.#21.210.112':40833
- '83.##.178.123':8999
- '16#.#72.76.3':55555
- '70.#3.73.1':6889
- '95.##1.228.35':53900
- 'ro####.utorrent.com':6881
- '90.##6.21.126':45553
- '23#.#55.255.250':1900
- 'ro####.bittorrent.com':6881
- '<LOCALNET>.112.1':5351
- '13#.#9.226.117':13673
- '70.##.118.86':9285
- '84.##5.216.24':30042
- '12#.#44.218.147':40316
- '38.##2.25.124':32788
- '12#.#34.171.115':15000
- '15#.#10.165.96':51702
- '17#.#20.151.246':27650
- '21#.#50.175.215':60437
- '70.##.158.57':6881
- '18#.#63.34.37':42872
- '19#.#70.172.38':10240
- '15#.#3.105.61':10240
- '14#.#17.72.98':6881
- '19#.#3.63.132':6882
- '85.##5.96.207':46796
- '14#.#6.27.121':59079
- '78.##2.231.133':6767
- '15#.#3.52.107':10240
- '75.##9.138.164':6881
- '19#.#9.101.83':10240
- '20#.#23.150.232':6666
- '54.##.107.165':51957
- '12#.#89.19.173':65029
- '19#.#2.151.246':60485
- '17#.#63.96.198':52959
- '35.##3.251.58':6881
Miscellaneous
Searches for the following windows
- ClassName: 'ВµTorrent4823DF041B09' WindowName: ''
Creates and executes the following
- '%WINDIR%\srvany.exe'
- '%ProgramFiles%\utorrent_\utorrent.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="uTorrent" dir=out action=allow profile=any description=uTorrent program="<Full path to file>" enable=yes
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="uTorrent" dir=in action=allow profile=any description=uTorrent program="<Full path to file>" enable=yes
- '%WINDIR%\syswow64\cmd.exe' /c sc create uTorrent binPath= "%WINDIR%\srvany.exe" start= auto
- '%WINDIR%\syswow64\sc.exe' create uTorrent binPath= "%WINDIR%\srvany.exe" start= auto
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /c sc start uTorrent
- '%WINDIR%\syswow64\sc.exe' start uTorrent
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="uTorrent" dir=out action=allow profile=any description=uTorrent program="<Full path to file>" enable=yes' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="uTorrent" dir=in action=allow profile=any description=uTorrent program="<Full path to file>" enable=yes' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c sc create uTorrent binPath= "%WINDIR%\srvany.exe" start= auto' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c sc start uTorrent' (with hidden window)
