Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\stub.free.by.mr.detox.exe
Creates the following files on removable media
- <Drive name for removable media>:\stub.free.by.mr.detox.exe
- <Drive name for removable media>:\holycrosschurchinstructions.docx.lnk
- <Drive name for removable media>:\nwfieldnotes1966.docx.lnk
- <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc.lnk
- <Drive name for removable media>:\applicantform_en.doc.lnk
- <Drive name for removable media>:\february_catalogue__2015.doc.lnk
- <Drive name for removable media>:\ovp25012015.doc.lnk
- <Drive name for removable media>:\contosoroot_1.cer.lnk
- <Drive name for removable media>:\contoso_1.cer.lnk
- <Drive name for removable media>:\file_p_00000000_1371597592.docx.lnk
- <Drive name for removable media>:\dashborder_144.bmp.lnk
- <Drive name for removable media>:\dashborder_120.bmp.lnk
- <Drive name for removable media>:\dashborder_192.bmp.lnk
- <Drive name for removable media>:\dial.bmp.lnk
- <Drive name for removable media>:\archer.avi.lnk
- <Drive name for removable media>:\correct.avi.lnk
- <Drive name for removable media>:\000814251_video_01.avi.lnk
- <Drive name for removable media>:\join.avi.lnk
- <Drive name for removable media>:\delete.avi.lnk
- <Drive name for removable media>:\coffee.bmp.lnk
- <Drive name for removable media>:\sdszfo.docx.lnk
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "<Full path to file>" "<File name>.exe" ENABLE
Modifies file system
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\stub.free.by.mr.detox.exe
Network activity
UDP
- DNS ASK mi####.no-ip.org
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "<Full path to file>" "<File name>.exe" ENABLE' (with hidden window)
