Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = '%APPDATA%\dbu32.ocx,explorer.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %WINDIR%\ppgoiu.npw
- %APPDATA%\dbu32.ocx
- %ALLUSERSPROFILE%\Application Data\shqm\xpnet.rud
- %WINDIR%\aazpq.kab
Moves the following files:
- from <Full path to file> to %TEMP%\1.tmp
Deletes itself.
Network activity:
Connects to:
- 'vj##xz.org':80
- 'bo###fgmo.org':80
- 'bh###lwpkmu.com':80
- 'bi###tsc.com':80
- 'uv###ohgvp.info':80
- 'oo##ku.com':80
- 'ot###hksqrk.org':80
- 'nc##vi.com':80
- 'os###pjbn.net':80
- 'kn###kseuny.org':80
- 'sh###unlw.net':80
- 'py###ywqywu.ru':80
- 'ff##sh.info':80
- 'lx###fxdum.net':80
- 'ca###jhgmgo.biz':80
- 'fw###haeh.ru':80
- 'ah###xugnup.com':80
- 'im##uf.net':80
- 'pv###vudxdq.net':80
- 'lg##vdh.org':80
- 'ge###atsp.ru':80
- 'ov###sgxbyt.ru':80
- 'pf###slpwyd.com':80
- 'rv###lcg.com':80
- 'om###pkq.com':80
- 'qh###ore.org':80
- 'sv###eoyzj.net':80
- 'ew###qyhcz.com':80
- 'bc###rchwu.net':80
- 'mf###jtfyh.org':80
- 'kb##mb.biz':80
TCP:
HTTP POST requests:
- http://ca###jhgmgo.biz/qWm4vU?hf####################################################################################
- http://fw###haeh.ru/chMKfk?tv#############################################################################################
- http://im##uf.net/AmrXy04ug?Lb##############################################################################
UDP:
- DNS ASK vj##xz.org
- DNS ASK bi###tsc.com
- DNS ASK bh###lwpkmu.com
- DNS ASK bo###fgmo.org
- DNS ASK uv###ohgvp.info
- DNS ASK fw###haeh.ru
- DNS ASK ot###hksqrk.org
- DNS ASK oo##ku.com
- DNS ASK os###pjbn.net
- DNS ASK py###ywqywu.ru
- DNS ASK sh###unlw.net
- DNS ASK kn###kseuny.org
- DNS ASK ff##sh.info
- DNS ASK nc##vi.com
- DNS ASK ca###jhgmgo.biz
- DNS ASK lx###fxdum.net
- DNS ASK ah###xugnup.com
- DNS ASK lg##vdh.org
- DNS ASK pv###vudxdq.net
- DNS ASK im##uf.net
- DNS ASK ge###atsp.ru
- DNS ASK microsoft.com
- DNS ASK pf###slpwyd.com
- DNS ASK ov###sgxbyt.ru
- DNS ASK om###pkq.com
- DNS ASK ew###qyhcz.com
- DNS ASK sv###eoyzj.net
- DNS ASK qh###ore.org
- DNS ASK bc###rchwu.net
- DNS ASK rv###lcg.com
- DNS ASK kb##mb.biz
- DNS ASK mf###jtfyh.org
Miscellaneous:
Searches for the following windows:
- ClassName: '58934' WindowName: '4930'
