Win32.Sector.31

Added to the Dr.Web virus database: 2014-04-01

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '{759C631F-58B9-AC31-633B-0D69FA2D9B30}' = '%APPDATA%\Roaming\Ezzuco\exfi.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
  • [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
  • [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system, forces the system to hide from view:
  • hidden files
blocks the following features:
  • User Account Control (UAC)
  • Windows Security Center
Creates and executes the following:
  • '%APPDATA%\Roaming\Ezzuco\exfi.exe'
Executes the following:
  • '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
  • '<SYSTEM32>\conhost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • '<SYSTEM32>\rundll32.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to virus>"
  • '<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"
Injects code into the following system processes:
  • <SYSTEM32>\DllHost.exe
Modifies settings of Windows Internet Explorer:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1406' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
Modifies file system:
Creates the following files:
  • %TEMP%\ppcrlui_3300_2
  • %TEMP%\TarC9F3.tmp
  • %TEMP%\windrynl.exe
  • %WINDIR%\ServiceProfiles\LocalService\Desktop\debug.txt
  • %TEMP%\CabC9F2.tmp
  • <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml:OECustomProperty
  • <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
  • <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
  • %TEMP%\axbc.exe
  • %TEMP%\qxsw.exe
  • %TEMP%\fscgss.exe
  • %TEMP%\qadv.exe
  • %TEMP%\xnmc.exe
  • %TEMP%\winhbmiv.exe
  • %TEMP%\windlbtl.exe
  • %TEMP%\jfulu.exe
  • %TEMP%\winveesyp.exe
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml
  • <LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
  • %APPDATA%\Roaming\Ibxe\mifya.awd
  • <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
  • <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
  • %TEMP%\tmpd5b9f8ce.bat
  • %HOMEPATH%\Desktop\debug.txt
  • %TEMP%\mruxdg.exe
  • %TEMP%\winnhknl.exe
  • %APPDATA%\Roaming\Ezzuco\exfi.exe
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
  • <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
  • <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
  • <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
  • <LS_APPDATA>\Microsoft\Windows Mail\edb.log
Deletes the following files:
  • %TEMP%\jfulu.exe
  • %TEMP%\xnmc.exe
  • %TEMP%\winhbmiv.exe
  • %TEMP%\winveesyp.exe
  • %TEMP%\qadv.exe
  • %TEMP%\fscgss.exe
  • %TEMP%\qxsw.exe
  • %TEMP%\axbc.exe
  • <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
  • %TEMP%\CabC9F2.tmp
  • %TEMP%\mruxdg.exe
  • %TEMP%\winnhknl.exe
  • %TEMP%\windrynl.exe
  • %TEMP%\windlbtl.exe
  • %TEMP%\TarC9F3.tmp
  • %TEMP%\ppcrlui_3300_2
Moves the following files:
  • from %APPDATA%\Roaming\Ibxe\mifya.awd to %APPDATA%\Roaming\Ibxe\mifya.tmp
  • from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log
Deletes itself.
Network activity:
Connects to:
TCP:
HTTP GET requests:
UDP:
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: '(null)'
  • ClassName: 'OutlookExpressHiddenWindow' WindowName: '(null)'
  • ClassName: 'Shell_TrayWnd' WindowName: '(null)'
  • ClassName: 'OleMainThreadWndClass' WindowName: '(null)'