Win32.Sector.31
Added to the Dr.Web virus database: 2014-04-01
Virus description added: 2014-05-27
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '{759C631F-58B9-AC31-633B-0D69FA2D9B30}' = '%APPDATA%\Roaming\Ezzuco\exfi.exe'
Malicious functions:
To bypass the firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system, blocks the following features:
User Account Control (UAC)
Windows Security Center
Creates and executes the following:
'%APPDATA%\Roaming\Ezzuco\exfi.exe'
Executes the following:
'<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
'<SYSTEM32>\conhost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
'<SYSTEM32>\rundll32.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to virus>"
'<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"
Injects code into the following system processes:
Modifies settings of Windows Internet Explorer:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1406' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
Modifies file system:
Creates the following files:
%TEMP%\ppcrlui_3300_2
%TEMP%\TarC9F3.tmp
%TEMP%\windrynl.exe
%WINDIR%\ServiceProfiles\LocalService\Desktop\debug.txt
%TEMP%\CabC9F2.tmp
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml:OECustomProperty
<LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
<LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
%TEMP%\axbc.exe
%TEMP%\qxsw.exe
%TEMP%\fscgss.exe
%TEMP%\qadv.exe
%TEMP%\xnmc.exe
%TEMP%\winhbmiv.exe
%TEMP%\windlbtl.exe
%TEMP%\jfulu.exe
%TEMP%\winveesyp.exe
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml
<LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
%APPDATA%\Roaming\Ibxe\mifya.awd
<LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
<LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
%TEMP%\tmpd5b9f8ce.bat
%HOMEPATH%\Desktop\debug.txt
%TEMP%\mruxdg.exe
%TEMP%\winnhknl.exe
%APPDATA%\Roaming\Ezzuco\exfi.exe
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
<LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\edb.log
Deletes the following files:
%TEMP%\jfulu.exe
%TEMP%\xnmc.exe
%TEMP%\winhbmiv.exe
%TEMP%\winveesyp.exe
%TEMP%\qadv.exe
%TEMP%\fscgss.exe
%TEMP%\qxsw.exe
%TEMP%\axbc.exe
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
%TEMP%\CabC9F2.tmp
%TEMP%\mruxdg.exe
%TEMP%\winnhknl.exe
%TEMP%\windrynl.exe
%TEMP%\windlbtl.exe
%TEMP%\TarC9F3.tmp
%TEMP%\ppcrlui_3300_2
Moves the following files:
from %APPDATA%\Roaming\Ibxe\mifya.awd to %APPDATA%\Roaming\Ibxe\mifya.tmp
from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log
Deletes itself.
Network activity:
Connects to:
TCP:
HTTP GET requests:
UDP:
Miscellaneous:
Searches for the following windows:
ClassName: 'Indicator' WindowName: '(null)'
ClassName: 'OutlookExpressHiddenWindow' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'OleMainThreadWndClass' WindowName: '(null)'