Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\KIS_BZ] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\KIS_BZ] 'ImagePath' = '<Full path to file>'
Creates the following services
- 'KIS_BZ' <Full path to file>
Modifies file system
Creates the following files
- %WINDIR%\syswow64\diskinfo.dll
- %WINDIR%\syswow64\kdlock.dll
- %WINDIR%\syswow64\kisverifycontent.dll
- %WINDIR%\syswow64\mdlock.dll
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\system@fkw[1].txt
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\62axopq5\login_h[1].jsp
Sets the 'hidden' attribute to the following files
- %WINDIR%\syswow64\kdlock.dll
Network activity
Connects to
- 'fa##co.cn':80
- 'i.##w.com':80
TCP
HTTP GET requests
- http://i.##w.com/ajax/login_h.jsp?cm####################
HTTP POST requests
- http://www.fa##co.cn/ajax/login_h.jsp?cm####################
UDP
- DNS ASK fa##co.cn
- DNS ASK i.##w.com
Miscellaneous
Restarts the analyzed sample
Executes the following
- '%WINDIR%\syswow64\net.exe' start MySQL5_OA
- '%WINDIR%\syswow64\net1.exe' start MySQL5_OA
- '%WINDIR%\syswow64\net.exe' start MySQL5_OA' (with hidden window)
