Creates the following infected Files on user's System
Delete the following Files to remove Infection
Also creates the following files on user's System which are also created by Genuine Software :-
These file(s) can be kept as they are also created by genuine Software.
The following Registry Values are added to the provided Registry Keys which are also created by Genuine Software :-
These Values can be left as they are also created by legitimate Software :-
Creates the following child process(s) on execution:
%systemdrive%\docume~1\antisp~1\locals~1\temp\$$a4.bat
net stop kingsoft antivirus service
%programfiles%\internet explorer\iexplore.exe
%programfiles%\internet explorer\iedw.exe -h 780
net1 stop kingsoft antivirus service
%windir%\system32\dwwin.exe -x -s 2008
%workingdir%\[random name].exe
%systemdrive%\docume~1\antisp~1\locals~1\temp\$$a16.bat
%programfiles%\internet explorer\iexplore.exe http://ok.onniro.cn/power.asp?myid=1014431359841
Tries to Download Files from the following links :-
http://cha.onniro.cn/text/a841.txt
Creates the Following MUTEX(s) on user's System:-
iexplore.xpexceptionfilter
raspbfile
sfaee5353g#2007
shell.cmrupidllist
msratingmutex
ctf.lbes.mutexdefaults-1-5-21-3940780282-119073973-2237615918-1010
ctf.compart.mutexdefaults-1-5-21-3940780282-119073973-2237615918-1010
ctf.asm.mutexdefaults-1-5-21-3940780282-119073973-2237615918-1010
ctf.layouts.mutexdefaults-1-5-21-3940780282-119073973-2237615918-1010
ctf.tmd.mutexdefaults-1-5-21-3940780282-119073973-2237615918-1010
Tries To Connect's to the following IP Address(s) through UDP(User DataGram Protocal) :-
Copies the Following Files to Given Location :-
Copies :%windir%\logo1_.exe
To : \10.10.36.1\admin$\logo1_.exe
Copies :%windir%\logo1_.exe
To : \10.10.36.2\admin$\logo1_.exe
Copies :%windir%\logo1_.exe
To : \10.10.36.4\admin$\logo1_.exe
Copies :%workingdir%\[random name].exe
Copies :%workingdir%\[random name].exe
To : %windir%\ee9ad7cee7501f1bd3293fb1af6df955.exe
Moves the Following Files to Given Location :-
Moves :%workingdir%\[random name].exe.exe
To : %workingdir%\[random name].exe
NOTE:
1. %networkpath% Refers to the any network location on Local Area Network(LAN).
2. %systemdrive% Refers to the windows System drive folder. By default it is 'C:\'
3. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
4. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
5. %workingdir% Refers to the current directory in which user is working.
6. %userprofile% Refers to the windows current user's profile folder. By default it is 'C:\Documents and Settings\[user]'
Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.
Click Here for more spywarelib.com recommended PC Security and Optimization Tools
To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.