Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'autoload' = '<LS_APPDATA>\cftmon.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ntuser' = '<DRIVERS>\spools.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'autoload' = '<LS_APPDATA>\cftmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ntuser' = '<DRIVERS>\spools.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'ImagePath' = '<DRIVERS>\spools.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
Creates and executes the following:
- '' (downloaded from the Internet)
Modifies file system:
Creates the following files:
- <SYSTEM32>\ftpdll.dll
- %HOMEPATH%\ftpdll.dll
- %TEMP%\699E.tmp
- <LS_APPDATA>\cftmon.exe
- <DRIVERS>\spools.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.exe
- <LS_APPDATA>\cftmon.exe
- <DRIVERS>\spools.exe
Network activity:
Connects to:
- 'xe##ce.cn':80
- 'hq###arma.org':80
TCP:
HTTP GET requests:
- http://xe##ce.cn/DDOS2.exe
- http://xe##ce.cn/?&v##############
- http://hq###arma.org/manda.php?id############################
UDP:
- DNS ASK xe##ce.cn
- DNS ASK hq###arma.org
Miscellaneous:
Creates and executes the following:
- '<Full path to file>'
- '%TEMP%\699E.tmp'
Executes the following:
- '<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
