Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\prvdisk] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\ianoSvrup] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\PolicyAgent] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\estknwbvl\ikqtmlb.exe' -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
- '%TEMP%\nsu2.tmp\ns10.tmp' ikqtmlb.exe -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x
- '%TEMP%\nsu2.tmp\nsF.tmp' ikqtmlb.exe -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
- '%CommonProgramFiles%\Intel\ianotife.exe'
- '%TEMP%\nsxA.tmp\nsE.tmp' sc create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- '%PROGRAM_FILES%\estknwbvl\un0517000000187.exe'
- '%TEMP%\~nsu.tmp\Au_.exe' _?=%PROGRAM_FILES%\estknwbvl\
- '%PROGRAM_FILES%\estknwbvl\ikqtmlb.exe' -p Pass3 -r Pass3 -f 220.181.126.7+0 -n PASS -x
- '%PROGRAM_FILES%\estknwbvl\ikqtmlb.exe' -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x
- '%TEMP%\nsu2.tmp\ns11.tmp' ikqtmlb.exe -p Pass3 -r Pass3 -f 220.181.126.7+0 -n PASS -x
- '%TEMP%\nsxA.tmp\nsD.tmp' sc start ianoSvrup
- '%TEMP%\nsu2.tmp\ns5.tmp' regedit /s info.reg
- '%TEMP%\nsu2.tmp\ns6.tmp' sc stop PolicyAgent
- '%PROGRAM_FILES%\estknwbvl\ikqtmlb.exe' -file 4j374elt18ho.txt
- '%TEMP%\nsu2.tmp\ns3.tmp' sc start PolicyAgent
- '%TEMP%\nsu2.tmp\ns4.tmp' "ikqtmlb.exe" -file 4j374elt18ho.txt
- '%TEMP%\nsxA.tmp\nsB.tmp' sc create ianoSvrup binpath= "%CommonProgramFiles%\Intel\ianotife.exe" type= share start= auto displayname= "Ianno Web Cache Services"
- '%TEMP%\nsxA.tmp\nsC.tmp' sc description ianoSvrup "К№УГIanno Web CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- '%PROGRAM_FILES%\estknwbvl\mysetup.exe'
- '%TEMP%\nsu2.tmp\ns7.tmp' sc start PolicyAgent
- '%TEMP%\nsu2.tmp\ns8.tmp' sc config PolicyAgent start= auto
Executes the following:
- '<SYSTEM32>\sc.exe' start ianoSvrup
- '<SYSTEM32>\sc.exe' description ianoSvrup "К№УГIanno Web CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- '<SYSTEM32>\wscript.exe' "%CommonProgramFiles%\Intel\note.vbs"
- '<SYSTEM32>\sc.exe' create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- '<SYSTEM32>\sc.exe' create ianoSvrup binpath= "%CommonProgramFiles%\Intel\ianotife.exe" type= share start= auto displayname= "Ianno Web Cache Services"
- '%WINDIR%\regedit.exe' /s info.reg
- '<SYSTEM32>\sc.exe' start PolicyAgent
- '<SYSTEM32>\sc.exe' config PolicyAgent start= auto
- '<SYSTEM32>\sc.exe' stop PolicyAgent
Modifies file system :
Creates the following files:
- %TEMP%\nsxA.tmp\nsExec.dll
- %TEMP%\nsxA.tmp\System.dll
- %TEMP%\nsxA.tmp\nsC.tmp
- %TEMP%\nsxA.tmp\nsB.tmp
- %CommonProgramFiles%\Intel\config-s.xml
- %CommonProgramFiles%\Intel\prvdisk.sys
- %TEMP%\nsxA.tmp\AccessControl.dll
- %CommonProgramFiles%\Intel\config-n.xml
- %TEMP%\nsxA.tmp\nsD.tmp
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\ol[1].asp
- %CommonProgramFiles%\Intel\note.vbs
- %CommonProgramFiles%\Intel\suject.db-journal
- %TEMP%\~nsu.tmp\Au_.exe
- %WINDIR%\tudouva.pac
- %CommonProgramFiles%\Intel\pro.txt
- %TEMP%\nsxA.tmp\nsE.tmp
- <SYSTEM32>\PrvMon\prvdisk.sys
- %CommonProgramFiles%\Intel\suject.db
- %PROGRAM_FILES%\estknwbvl\un0517000000187.exe
- %PROGRAM_FILES%\estknwbvl\temp0517000000187.ini
- %PROGRAM_FILES%\estknwbvl\ikqtmlb.exe
- <Current directory>\op.ini
- %PROGRAM_FILES%\estknwbvl\s0001.xml
- %PROGRAM_FILES%\estknwbvl\menu.xml
- %PROGRAM_FILES%\estknwbvl\ser000.xml
- %PROGRAM_FILES%\estknwbvl\reginfo.xml
- <Current directory>\tx.ini
- %CommonProgramFiles%\Intel\note.txt
- %CommonProgramFiles%\Intel\ypac.txt
- %CommonProgramFiles%\Intel\ianotife.exe
- %CommonProgramFiles%\Intel\vison.txt
- %PROGRAM_FILES%\estknwbvl\info.reg
- %PROGRAM_FILES%\estknwbvl\4j374elt18ho.txt
- %CommonProgramFiles%\Intel\sqlite3.dll
- %PROGRAM_FILES%\estknwbvl\mysetup.exe
Deletes the following files:
- %PROGRAM_FILES%\estknwbvl\ikqtmlb.exe
- <Current directory>\tx.ini
- %PROGRAM_FILES%\estknwbvl\info.reg
- %PROGRAM_FILES%\estknwbvl\menu.xml
- %PROGRAM_FILES%\estknwbvl\reginfo.xml
- <Current directory>\op.ini
- %PROGRAM_FILES%\estknwbvl\4j374elt18ho.txt
- %CommonProgramFiles%\Intel\suject.db-journal
- %PROGRAM_FILES%\estknwbvl\temp0517000000187.ini
- %CommonProgramFiles%\Intel\note.vbs
- %PROGRAM_FILES%\estknwbvl\un0517000000187.exe
- %TEMP%\nsxA.tmp\nsE.tmp
- %CommonProgramFiles%\Intel\prvdisk.sys
- %TEMP%\nsxA.tmp\nsD.tmp
- %TEMP%\nsxA.tmp\nsB.tmp
- %TEMP%\nsxA.tmp\nsC.tmp
- %TEMP%\nsxA.tmp\AccessControl.dll
- %PROGRAM_FILES%\estknwbvl\ser000.xml
- %PROGRAM_FILES%\estknwbvl\s0001.xml
- %PROGRAM_FILES%\estknwbvl\mysetup.exe
- %TEMP%\nsxA.tmp\nsExec.dll
- %TEMP%\nsxA.tmp\System.dll
Deletes itself.
Network activity:
Connects to:
- 'localhost':1040
- 'tj.###mitogu.com':80
- 'm.###nong.com':888
- 'tj.##nzhuan.co':80
TCP:
HTTP GET requests:
- tj.###mitogu.com/ps.txt
- tj.###mitogu.com/wl.txt
- tj.##nzhuan.co/svr.asp?c=########################################
- tj.###mitogu.com/ol.asp?c=###########################
UDP:
- DNS ASK tj.###mitogu.com
- DNS ASK tj.##nzhuan.co
- DNS ASK m.###nong.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
