Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\jmK0eYSb] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\jmK0eYSb] 'ImagePath' = '<SYSTEM32>\svchost.exe -k jmK0eYSb'
- [HKLM\SYSTEM\CurrentControlSet\Services\jmK0eYSb\Parameters] 'ServiceDll' = '<SYSTEM32>\KSXC29.pic'
Creates the following services
- 'jmK0eYSb' <SYSTEM32>\svchost.exe -k jmK0eYSb
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
Modifies file system
Creates the following files
- %TEMP%\nst65d4.tmp
- %ProgramFiles(x86)%\thunder network\xmp.exe
- %ProgramFiles(x86)%\thunder network\program\mp.dll
- %TEMP%\nso6604.tmp\system.dll
- %TEMP%\nso6604.tmp\banner.dll
- %TEMP%\682270.jpg
- %TEMP%\683877.lz
- %TEMP%\683877.bmp
- %WINDIR%\syswow64\ksxc29.pic
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\desktop.ini
Deletes the following files
- %TEMP%\nso6604.tmp\banner.dll
- %TEMP%\nso6604.tmp\system.dll
- %TEMP%\683877.bmp
- %TEMP%\683877.lz
- %ProgramFiles(x86)%\thunder network\xmp.exe
Deletes itself.
Network activity
UDP
- DNS ASK ta####377.gicp.net
Miscellaneous
Creates and executes the following
- '%ProgramFiles(x86)%\thunder network\xmp.exe'
Executes the following
- '%WINDIR%\syswow64\svchost.exe' -k jmK0eYSb
- '%WINDIR%\syswow64\cmd.exe' \c del C:\PROGRA~2\THUNDE~1\XMP.exe
- '%WINDIR%\syswow64\rundll32.exe' <SYSTEM32>\ksxc29.pic,CreateExaminePage jmK0eYSb
- '%WINDIR%\syswow64\cmd.exe' \c del C:\PROGRA~2\THUNDE~1\XMP.exe' (with hidden window)
