Win32.Rmnet.65

Added to the Dr.Web virus database: 2015-02-10

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,%LOCALAPPDATA%\mserknjy\uyveuqsp.exe'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'UyvEuqsp' = '%LOCALAPPDATA%\mserknjy\uyveuqsp.exe'
Creates or modifies the following files
  • %APPDATA%\microsoft\windows\start menu\programs\startup\uyveuqsp.exe
Sets the following service settings
  • [<HKLM>\System\CurrentControlSet\Services\Micorsoft Windows Service] 'ImagePath' = '%TEMP%\cnwoxnlc.sys'
Creates the following services
  • 'Micorsoft Windows Service' %TEMP%\cnwoxnlc.sys
Malicious functions
To complicate detection of its presence in the operating system, blocks the following features:
  • User Account Control (UAC)
Injects code into the following system processes:
  • %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
  • <PATH_SAMPLE>mgr.exe
  • %TEMP%\metcaprvbeldboha.exe
  • %LOCALAPPDATA%\vayyvpxo.log
  • %LOCALAPPDATA%\mserknjy\uyveuqsp.exe
  • %TEMP%\cnwoxnlc.sys
  • %WINDIR%\temp\udd42e9.tmp
Sets the 'hidden' attribute to the following files
  • %APPDATA%\microsoft\windows\start menu\programs\startup\uyveuqsp.exe
Deletes the following files
  • %WINDIR%\temp\udd42e9.tmp
  • %TEMP%\cnwoxnlc.sys
Network activity
Connects to
  • 'google.com':80
  • 'aw#####qcherasntmin.com':443
  • 'ux#####vfnqcrfcf.com':443
  • 'pr###jpwvrl.com':443
  • 'je###prgph.com':443
  • 'hx####dwbevww.com':443
  • 'fi#####hserhycexjhf.com':443
  • 'ma####tqkpuban.com':443
  • 'jk#####lfhcwqkmai.com':443
  • 'cp#####gpibatpmswq.com':443
  • 'ms#####vylmullkqh.com':443
  • 'vx####rqkihafv.com':443
  • 'an####xpukbfmh.com':443
  • 'ih###anyker.com':443
  • 'ou####cnuiudw.com':443
  • 'qf###lxp.com':443
  • 'um#####mvsuiscitx.com':443
TCP
Other
  • 'ou####cnuiudw.com':443
  • 'an####xpukbfmh.com':443
  • 'ih###anyker.com':443
  • 'vx####rqkihafv.com':443
  • 'ms#####vylmullkqh.com':443
  • 'qf###lxp.com':443
  • 'jk#####lfhcwqkmai.com':443
  • 'fi#####hserhycexjhf.com':443
  • 'aw#####qcherasntmin.com':443
UDP
  • DNS ASK google.com
  • DNS ASK sg####rfosjeico.com
  • DNS ASK yq####gijbpmx.com
  • DNS ASK yn####ikorjg.com
  • DNS ASK gk####jchymn.com
  • DNS ASK oc#####rdplmewnyx.com
  • DNS ASK mm####rhvvohfnv.com
  • DNS ASK xn####funybxgn.com
  • DNS ASK yy#####gnsfrmswdygl.com
  • DNS ASK dp###ipbso.com
  • DNS ASK kg#####yixossjmk.com
  • DNS ASK pp####tktjvhgti.com
  • DNS ASK nw###bry.com
  • DNS ASK qa###xayck.com
  • DNS ASK kp####yytagbk.com
  • DNS ASK dy###lng.com
  • DNS ASK hb#####wwcdgfojuixm.com
  • DNS ASK ei###jdmm.com
  • DNS ASK hu#####ymbwnhtuh.com
  • DNS ASK gw#####ikclhthyivym.com
  • DNS ASK oq####unxmqdxo.com
  • DNS ASK wp###lstrs.com
  • DNS ASK bb####fgmljwj.com
  • DNS ASK eb#####nurkortapgs.com
  • DNS ASK ej####gfqcmc.com
  • DNS ASK vg#####wuxeaoxoh.com
  • DNS ASK oj####cyjsuyb.com
  • DNS ASK nt#####wgxwecrdxr.com
  • DNS ASK yk###anct.com
  • DNS ASK su#####juihmevldp.com
  • DNS ASK gj#####uvwiqvtewbu.com
  • DNS ASK rx###natt.com
  • DNS ASK bk#####iadlxxbjunwu.com
  • DNS ASK bx####yjcytf.com
  • DNS ASK pb###kgdo.com
  • DNS ASK tf###sjc.com
  • DNS ASK fk###fiv.com
  • DNS ASK il####bkcukps.com
  • DNS ASK me#####lxrfhguru.com
  • DNS ASK dg####kpmggukqo.com
  • DNS ASK qx#####echixcrgdb.com
  • DNS ASK fs###lipt.com
  • DNS ASK vm###ribbhm.com
  • DNS ASK uc####bdxvjexa.com
  • DNS ASK ag####bfubbvek.com
  • DNS ASK ob###jseku.com
  • DNS ASK ix###rqn.com
  • DNS ASK ny#####slkflyhulcgl.com
  • DNS ASK ui####daxqlaxuj.com
  • DNS ASK sp###uxubpj.com
  • DNS ASK dx#####yletmggxf.com
  • DNS ASK mp####hfpwhfvj.com
  • DNS ASK vm####wrquhb.com
  • DNS ASK sl#####cjuoaxdip.com
  • DNS ASK rw#####vkbspdjoedi.com
  • DNS ASK jd####tklqwqrv.com
  • DNS ASK wl#####kdxhdhvlpjc.com
  • DNS ASK gm###snn.com
  • DNS ASK ca####hgsvivlxh.com
  • DNS ASK ec###xukhtf.com
  • DNS ASK rc#####agerrquby.com
  • DNS ASK jm####piiqyixw.com
  • DNS ASK wa###vqnf.com
  • DNS ASK xo#####paujnikmpp.com
  • DNS ASK jn#####cehsdkbnl.com
  • DNS ASK ui###jfp.com
  • DNS ASK mc###eytoyh.com
  • DNS ASK ml####qylttjc.com
  • DNS ASK tx####dlsrtpea.com
  • DNS ASK ut####swnjjw.com
  • DNS ASK ld####mdiqtrot.com
  • DNS ASK rh####ddyhbg.com
  • DNS ASK cs#####uhixdwjgm.com
  • DNS ASK ug####tvhslgjm.com
  • DNS ASK kt####mltjyt.com
  • DNS ASK mw#####qcbjkudxd.com
  • DNS ASK vn####lkrdfnnp.com
  • DNS ASK kv####naggyqrcc.com
  • DNS ASK wq###mga.com
  • DNS ASK qa####pvpcyqsa.com
  • DNS ASK wi###tbhe.com
  • DNS ASK fu####gkpsxthf.com
  • DNS ASK lg####boqpngfap.com
  • DNS ASK hi###tpq.com
  • DNS ASK dr#####dttdkhgpqi.com
  • DNS ASK nt####gjijsgi.com
  • DNS ASK fo####ygnngm.com
  • DNS ASK us####ptgmspn.com
  • DNS ASK ie###gmofvk.com
  • DNS ASK om####dcpdsgpxm.com
  • DNS ASK fk####swknxd.com
  • DNS ASK qw###mkbuee.com
  • DNS ASK ni####sffmarpbp.com
  • DNS ASK re#####ngdrdxpyv.com
  • DNS ASK ca#####xowehqvfahu.com
  • DNS ASK gg####dfppkjirg.com
  • DNS ASK wn###hgffr.com
  • DNS ASK qq####cnvsigkh.com
  • DNS ASK vv###dpeog.com
  • DNS ASK dt#####dxywxlsng.com
  • DNS ASK nj####dhwhutar.com
  • DNS ASK qb###mcijn.com
  • DNS ASK ma####tqkpuban.com
  • DNS ASK by####odqfdx.com
  • DNS ASK pv###rybufe.com
  • DNS ASK um#####mvsuiscitx.com
  • DNS ASK ed#####jcxyjqnjjodh.com
  • DNS ASK kq#####gdtjxxcrvl.com
  • DNS ASK hh#####rcvdrwpdvsck.com
  • DNS ASK pp#####wnvtggifhbv.com
  • DNS ASK wx#####isqbmppqss.com
  • DNS ASK ud###iovrov.com
  • DNS ASK rt#####itmadupgl.com
  • DNS ASK ox#####pfnkvdprbr.com
  • DNS ASK kj#####qiwvfnuvvtkd.com
  • DNS ASK tv###utxo.com
  • DNS ASK vm###benh.com
  • DNS ASK bl#####tropiwymr.com
  • DNS ASK ra###prhwwm.com
  • DNS ASK pd####jwrqsq.com
  • DNS ASK mj####vuruldy.com
  • DNS ASK yk####bqxbvmns.com
  • DNS ASK xs###bpaef.com
  • DNS ASK aw#####qcherasntmin.com
  • DNS ASK km###odog.com
  • DNS ASK ux#####vfnqcrfcf.com
  • DNS ASK je###prgph.com
  • DNS ASK vx####rqkihafv.com
  • DNS ASK an####xpukbfmh.com
  • DNS ASK ih###anyker.com
  • DNS ASK ou####cnuiudw.com
  • DNS ASK vl#####uppipkrvbsdy.com
  • DNS ASK fs###tmti.com
  • DNS ASK oa###apl.com
  • DNS ASK ms#####vylmullkqh.com
  • DNS ASK gq#####nntccmawclmq.com
  • DNS ASK qd#####ovjlfegdcepm.com
  • DNS ASK he####giddyamqq.com
  • DNS ASK cp#####gpibatpmswq.com
  • DNS ASK qf###lxp.com
  • DNS ASK gk#####gjcauehgdjn.com
  • DNS ASK jk#####lfhcwqkmai.com
  • DNS ASK fi#####hserhycexjhf.com
  • DNS ASK vy####jnshtry.com
  • DNS ASK wg#####emnvhdrai.com
  • DNS ASK se#####yopjhyhuw.com
  • DNS ASK hx####dwbevww.com
  • DNS ASK sl#####nkjenhwgpjl.com
  • DNS ASK pr###jpwvrl.com
  • DNS ASK cq####ukplhlfdo.com
  • DNS ASK ou#####dnvxhrtxvuqr.com
  • DNS ASK fx####eygtffbkv.com
  • DNS ASK tf####mqhdowexm.com
  • DNS ASK fd#####pvgxigejgdfb.com
  • DNS ASK ir#####khgyrpsarcje.com
  • DNS ASK rg###ctp.com
  • DNS ASK am###agjgge.com
  • DNS ASK jf###fbgo.com
  • DNS ASK ad###svuayv.com
  • DNS ASK wv####bapujp.com
  • DNS ASK xe###bnop.com
  • DNS ASK la#####oxklvpcdfhu.com
  • DNS ASK hf####ufjkndwc.com
  • DNS ASK il###wag.com
  • DNS ASK ux#####dunihwscfl.com
  • DNS ASK bt###kqv.com
  • DNS ASK xx#####iiqpyecxoaka.com
  • DNS ASK df#####jxwtdkjjbiu.com
  • DNS ASK lv###vkyo.com
  • DNS ASK er#####pgitkpgudo.com
  • DNS ASK ly####ciguta.com
  • DNS ASK ki####behxexixl.com
  • DNS ASK dp###lufd.com
  • DNS ASK tn###qahys.com
  • DNS ASK tu#####hweflhvqyxh.com
  • DNS ASK ja####uridle.com
  • DNS ASK xq#####iqwwpahhk.com
  • DNS ASK ha#####kaigcdslnrlr.com
  • DNS ASK mg####pybfts.com
  • DNS ASK oh###viumie.com
  • DNS ASK nb#####tghtmsydrfq.com
  • DNS ASK hg###jdad.com
  • DNS ASK mc#####ndpadclga.com
  • DNS ASK yi####rtyoxaiu.com
  • DNS ASK jx###fwh.com
  • DNS ASK ar###oeeasi.com
  • DNS ASK ln####cjbiaov.com
  • DNS ASK dl#####niphnmxnvoeo.com
  • DNS ASK ti###jsce.com
  • DNS ASK eg####guclkoi.com
  • DNS ASK rk####nrgvpkgmc.com
  • DNS ASK sn####xygwcpifp.com
  • DNS ASK oj#####hbddmbfac.com
  • DNS ASK rs###fgpgw.com
  • DNS ASK ui#####asowqdiyp.com
  • DNS ASK ww###nil.com
  • DNS ASK qs#####lwhorwibvy.com
  • DNS ASK nw####pjovgxmj.com
  • DNS ASK dy#####esippbsjb.com
  • DNS ASK ex####manfaydv.com
  • DNS ASK ag###awvr.com
Miscellaneous
Creates and executes the following
  • '<PATH_SAMPLE>mgr.exe'
  • '%TEMP%\metcaprvbeldboha.exe'
Executes the following
  • '%WINDIR%\syswow64\svchost.exe'