Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\Scheduler CardSpace Adapter] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Scheduler CardSpace Adapter] 'ImagePath' = 'C:\zoulhhqhsotxl\exurxdxll.exe'
Creates the following services
- 'Scheduler CardSpace Adapter' C:\zoulhhqhsotxl\exurxdxll.exe
Modifies file system
Creates the following files
- %WINDIR%\zoulhhqhsotxl\u1fxaxkfda
- C:\zoulhhqhsotxl\u1fxaxkfda
- C:\zoulhhqhsotxl\ryipi0kr2jjesnisjf.exe
- C:\zoulhhqhsotxl\exurxdxll.exe
- C:\zoulhhqhsotxl\bqowlkave.exe
- C:\zoulhhqhsotxl\unpf5pfm
Sets the 'hidden' attribute to the following files
- C:\zoulhhqhsotxl\exurxdxll.exe
- C:\zoulhhqhsotxl\bqowlkave.exe
Deletes the following files
- %WINDIR%\zoulhhqhsotxl\u1fxaxkfda
- C:\zoulhhqhsotxl\ryipi0kr2jjesnisjf.exe
Substitutes the following files
- %WINDIR%\zoulhhqhsotxl\u1fxaxkfda
Network activity
Connects to
- 'wa####roblem.net':80
- 'wo###animal.net':80
- 'fi###escape.net':80
- 'pa###animal.net':80
- 'fi####roblem.net':80
- 'fr###valley.net':80
TCP
HTTP GET requests
- http://wa####roblem.net/index.php
- http://wo###animal.net/index.php
- http://fi###escape.net/index.php
- http://pa###animal.net/index.php
- http://fi####roblem.net/index.php
- http://fr###valley.net/index.php
UDP
- DNS ASK fi####tranger.net
- DNS ASK sm###modern.net
- DNS ASK wo###modern.net
- DNS ASK sm####roblem.net
- DNS ASK wo####roblem.net
- DNS ASK sm###animal.net
- DNS ASK wo###animal.net
- DNS ASK sm###escape.net
- DNS ASK wo###escape.net
- DNS ASK wa###modern.net
- DNS ASK th####tmodern.net
- DNS ASK wa####roblem.net
- DNS ASK th####tproblem.net
- DNS ASK wa###animal.net
- DNS ASK th####tanimal.net
- DNS ASK wa###escape.net
- DNS ASK th####tescape.net
- DNS ASK cr###modern.net
- DNS ASK pa###escape.net
- DNS ASK fi###escape.net
- DNS ASK pa###animal.net
- DNS ASK fi###animal.net
- DNS ASK al####yvalley.net
- DNS ASK ge####manvalley.net
- DNS ASK al####ysister.net
- DNS ASK ge####mansister.net
- DNS ASK al####ysilver.net
- DNS ASK ge####mansilver.net
- DNS ASK ex####encelabor.net
- DNS ASK fr###labor.net
- DNS ASK fr###valley.net
- DNS ASK ex#####ncevalley.net
- DNS ASK ex#####ncesister.net
- DNS ASK fr###sister.net
- DNS ASK ex#####ncesilver.net
- DNS ASK fr###silver.net
- DNS ASK fi###modern.net
- DNS ASK pa###modern.net
- DNS ASK fi####roblem.net
- DNS ASK pa####roblem.net
- DNS ASK ge####manlabor.net
- DNS ASK su####modern.net
- DNS ASK cr####roblem.net
- DNS ASK su####problem.net
- DNS ASK ge#####anproblem.net
- DNS ASK al####yanimal.net
- DNS ASK ge####mananimal.net
- DNS ASK al####yescape.net
- DNS ASK ge####manescape.net
- DNS ASK ex#####ncemodern.net
- DNS ASK fr###modern.net
- DNS ASK ex#####nceproblem.net
- DNS ASK fr####roblem.net
- DNS ASK ex#####nceanimal.net
- DNS ASK fr###animal.net
- DNS ASK ex#####nceescape.net
- DNS ASK fr###escape.net
- DNS ASK fi####ortieth.net
- DNS ASK pa####ortieth.net
- DNS ASK fi####oodbye.net
- DNS ASK pa####oodbye.net
- DNS ASK al####yproblem.net
- DNS ASK ge####manmodern.net
- DNS ASK al####ymodern.net
- DNS ASK fo####escape.net
- DNS ASK su####animal.net
- DNS ASK cr###escape.net
- DNS ASK su####escape.net
- DNS ASK kn###modern.net
- DNS ASK be###modern.net
- DNS ASK kn####roblem.net
- DNS ASK be####roblem.net
- DNS ASK kn###animal.net
- DNS ASK kn###escape.net
- DNS ASK be###animal.net
- DNS ASK be###escape.net
- DNS ASK me####modern.net
- DNS ASK fo####modern.net
- DNS ASK me####problem.net
- DNS ASK fo####problem.net
- DNS ASK me####animal.net
- DNS ASK fo####animal.net
- DNS ASK me####escape.net
- DNS ASK cr###animal.net
- DNS ASK al####ylabor.net
Miscellaneous
Creates and executes the following
- 'C:\zoulhhqhsotxl\ryipi0kr2jjesnisjf.exe'
- 'C:\zoulhhqhsotxl\exurxdxll.exe'
- 'C:\zoulhhqhsotxl\bqowlkave.exe' "c:\zoulhhqhsotxl\exurxdxll.exe"
