Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'Explorer.exe sIRC4.exe'
Modifies file system
Creates the following files
- %WINDIR%\syswow64\sirc4.exe
- %WINDIR%\syswow64\dc++ share\setup.exe
- %WINDIR%\syswow64\dc++ share\oarpmany.exe
- %WINDIR%\syswow64\dc++ share\msoxmled.exe
- %WINDIR%\syswow64\dc++ share\msoicons.exe
- %WINDIR%\syswow64\dc++ share\liclua.exe
- %WINDIR%\syswow64\dc++ share\fltldr.exe
- %WINDIR%\syswow64\dc++ share\msinfo32.exe
- %WINDIR%\syswow64\dc++ share\tabtip.exe
- %WINDIR%\syswow64\xdccprograms\shapecollector.exe
- %WINDIR%\syswow64\xdccprograms\mip.exe
- %WINDIR%\syswow64\xdccprograms\inputpersonalization.exe
- %WINDIR%\syswow64\xdccprograms\inkwatson.exe
- %WINDIR%\syswow64\xdccprograms\flicklearningwizard.exe
- %WINDIR%\syswow64\xdccprograms\convertinkstore.exe
- C:\rar.bat
- %WINDIR%\syswow64\xdccprograms\eqnedt32.exe
- %WINDIR%\syswow64\xdccprograms\dwtrig20.exe
- %WINDIR%\syswow64\xdccprograms\dw20.exe
- C:\marijuana.txt
- %WINDIR%\syswow64\dc++ share\odeploy.exe
- %WINDIR%\syswow64\dc++ share\osetupui.exe
Miscellaneous
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c C:\rar.bat
- '%ProgramFiles%\winrar\winrar.exe' a -idp -inul -c- -m5 "<SYSTEM32>\xdccPrograms\InputPersonalization" "<SYSTEM32>\xdccPrograms\InputPersonalization.exe"
- '%ProgramFiles%\winrar\winrar.exe' a -idp -inul -c- -m5 "<SYSTEM32>\DC++ Share\ODeploy" "<SYSTEM32>\DC++ Share\ODeploy.exe"
- '%WINDIR%\syswow64\cmd.exe' /c C:\rar.bat' (with hidden window)
