Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '<SYSTEM32>\update.exe'
Malicious functions:
Hides the following processes:
- <Full path to virus>
Modifies file system :
Creates the following files:
- %TEMP%\5F.tmp
- %TEMP%\5E.tmp
- %TEMP%\61.tmp
- %TEMP%\60.tmp
- %TEMP%\5D.tmp
- %TEMP%\5A.tmp
- %TEMP%\59.tmp
- %TEMP%\5C.tmp
- %TEMP%\5B.tmp
- %TEMP%\68.tmp
- %TEMP%\67.tmp
- %TEMP%\6A.tmp
- %TEMP%\69.tmp
- %TEMP%\66.tmp
- %TEMP%\63.tmp
- %TEMP%\62.tmp
- %TEMP%\65.tmp
- %TEMP%\64.tmp
- %TEMP%\58.tmp
- %TEMP%\4C.tmp
- %TEMP%\4B.tmp
- %TEMP%\4E.tmp
- %TEMP%\4D.tmp
- %TEMP%\4A.tmp
- %TEMP%\47.tmp
- %TEMP%\46.tmp
- %TEMP%\49.tmp
- %TEMP%\48.tmp
- %TEMP%\55.tmp
- %TEMP%\54.tmp
- %TEMP%\57.tmp
- %TEMP%\56.tmp
- %TEMP%\53.tmp
- %TEMP%\50.tmp
- %TEMP%\4F.tmp
- %TEMP%\52.tmp
- %TEMP%\51.tmp
- %TEMP%\84.tmp
- %TEMP%\83.tmp
- %TEMP%\86.tmp
- %TEMP%\85.tmp
- %TEMP%\82.tmp
- %TEMP%\7F.tmp
- %TEMP%\7E.tmp
- %TEMP%\81.tmp
- %TEMP%\80.tmp
- %TEMP%\8D.tmp
- %TEMP%\8C.tmp
- %TEMP%\8F.tmp
- %TEMP%\8E.tmp
- %TEMP%\8B.tmp
- %TEMP%\88.tmp
- %TEMP%\87.tmp
- %TEMP%\8A.tmp
- %TEMP%\89.tmp
- %TEMP%\7D.tmp
- %TEMP%\71.tmp
- %TEMP%\70.tmp
- %TEMP%\73.tmp
- %TEMP%\72.tmp
- %TEMP%\6F.tmp
- %TEMP%\6C.tmp
- %TEMP%\6B.tmp
- %TEMP%\6E.tmp
- %TEMP%\6D.tmp
- %TEMP%\7A.tmp
- %TEMP%\79.tmp
- %TEMP%\7C.tmp
- %TEMP%\7B.tmp
- %TEMP%\78.tmp
- %TEMP%\75.tmp
- %TEMP%\74.tmp
- %TEMP%\77.tmp
- %TEMP%\76.tmp
- %TEMP%\45.tmp
- %TEMP%\14.tmp
- %TEMP%\13.tmp
- %TEMP%\16.tmp
- %TEMP%\15.tmp
- %TEMP%\12.tmp
- %TEMP%\F.tmp
- %TEMP%\E.tmp
- %TEMP%\11.tmp
- %TEMP%\10.tmp
- %TEMP%\1D.tmp
- %TEMP%\1C.tmp
- %TEMP%\1F.tmp
- %TEMP%\1E.tmp
- %TEMP%\1B.tmp
- %TEMP%\18.tmp
- %TEMP%\17.tmp
- %TEMP%\1A.tmp
- %TEMP%\19.tmp
- %TEMP%\D.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\botnet[1].txt
- %TEMP%\1.tmp
- %TEMP%\3.tmp
- %TEMP%\2.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\botnet[1].txt
- <SYSTEM32>\update.exe
- <DRIVERS>\hideproc.sys
- %TEMP%\hideproc.sys
- %TEMP%\A.tmp
- %TEMP%\9.tmp
- %TEMP%\C.tmp
- %TEMP%\B.tmp
- %TEMP%\8.tmp
- %TEMP%\5.tmp
- %TEMP%\4.tmp
- %TEMP%\7.tmp
- %TEMP%\6.tmp
- %TEMP%\39.tmp
- %TEMP%\38.tmp
- %TEMP%\3B.tmp
- %TEMP%\3A.tmp
- %TEMP%\37.tmp
- %TEMP%\34.tmp
- %TEMP%\33.tmp
- %TEMP%\36.tmp
- %TEMP%\35.tmp
- %TEMP%\42.tmp
- %TEMP%\41.tmp
- %TEMP%\44.tmp
- %TEMP%\43.tmp
- %TEMP%\40.tmp
- %TEMP%\3D.tmp
- %TEMP%\3C.tmp
- %TEMP%\3F.tmp
- %TEMP%\3E.tmp
- %TEMP%\32.tmp
- %TEMP%\26.tmp
- %TEMP%\25.tmp
- %TEMP%\28.tmp
- %TEMP%\27.tmp
- %TEMP%\24.tmp
- %TEMP%\21.tmp
- %TEMP%\20.tmp
- %TEMP%\23.tmp
- %TEMP%\22.tmp
- %TEMP%\2F.tmp
- %TEMP%\2E.tmp
- %TEMP%\31.tmp
- %TEMP%\30.tmp
- %TEMP%\2D.tmp
- %TEMP%\2A.tmp
- %TEMP%\29.tmp
- %TEMP%\2C.tmp
- %TEMP%\2B.tmp
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\botnet[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\botnet[1].txt
- <SYSTEM32>\upinfo.info
- %TEMP%\hideproc.sys
- <DRIVERS>\hideproc.sys
Moves the following files:
- from %TEMP%\60.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\62.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\61.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\63.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\69.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\68.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\65.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\64.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\67.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\66.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\50.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\49.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\51.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\57.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\56.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\59.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\58.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\53.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\52.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\55.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\54.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\84.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\83.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\86.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\85.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\80.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\82.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\81.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\87.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\89.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\88.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\72.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\71.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\74.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\73.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\70.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\75.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\77.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\76.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\79.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\78.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\48.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\18.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\17.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\19.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\14.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\13.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\16.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\15.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\21.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\20.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\23.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\22.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\12.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\6.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\5.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\8.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\7.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\1.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\4.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\9.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\11.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\10.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\24.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\38.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\37.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\39.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\3F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\45.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\44.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\47.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\46.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\41.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\40.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\43.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\42.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\36.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2A.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\29.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2C.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2B.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\26.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\25.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\28.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\27.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2D.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\33.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\32.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\35.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\34.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2F.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\2E.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\31.tmp to <SYSTEM32>\upinfo.info
- from %TEMP%\30.tmp to <SYSTEM32>\upinfo.info
Network activity:
Connects to:
- 'ph###emvn.net':80
- 'localhost':1038
TCP:
HTTP GET requests:
- ph###emvn.net/game/botnet.txt
UDP:
- DNS ASK ph###emvn.net
