Virus Characteristics
These are the general defaults for typical path variables (they may differ from system to system, but these values are common):
%UserProfile% = \Documents and Settings\Administrator
%AllUsersProfile% = \Documents and Settings\All Users
%AppData% = \Documents and Settings\Administrator\Application Data
%CommonProgramFiles% = \Program Files\Common Files
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
Upon execution, Rscan.gen launches an iexplore.exe process in the background and passes it a parameter containing shellcode. The shellcode attempts to exploit unpatched versions of iexplore.exe; if successful, the compromised browser can be used to download additional malware.
At the time of testing, a file was dropped in %AppData% using one of the following filenames (there may be more):
- event.exe
- lsas.exe
- dumpreport.exe
- msiexeca.exe
- unpnpsvc.exe
- rundll.exe
- service.exe
- helper.exe
- logon.exe
- svchosts.exe
- taskmon.exe
- uninstall.exe
On execution, the dropped file spawns iexplore.exe and injects threads into it.
The following registry keys and values were added:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
  - GatesList = [many hex bytes representing remote domains]
  - GID = [DWORD value]
  - KeyM = [many hex bytes]
  - KeyE = [DWORD value]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - CrashDump = %AppData%\dumpreport.exe
At the time of testing, connections to the following servers were observed:
- criticalfactor.cc
- anamality.info
Although no download attempts were observed during testing, it is possible that these servers hosted additional downloads or served as command-and-control servers issuing further instructions.
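The indicators above (the dropped filenames in %AppData%, the Internet Explorer\Settings values, the Run entry and the two domains) can be checked against host artefacts with a small triage script. The following is an added example, not code from McAfee or from the threat description: it matches a directory listing, a .reg export and DNS log lines against those indicators. All sample inputs are constructed for illustration, and the byte layout of the sample GatesList value (NUL-separated ASCII domain names) is an assumption, since the description only says the value holds hex bytes representing remote domains.

```python
import re

# Indicators taken from the description above.
DROPPED_NAMES = {
    "event.exe", "lsas.exe", "dumpreport.exe", "msiexeca.exe", "unpnpsvc.exe",
    "rundll.exe", "service.exe", "helper.exe", "logon.exe", "svchosts.exe",
    "taskmon.exe", "uninstall.exe",
}
IE_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings"
IE_SETTINGS_VALUES = {"GatesList", "GID", "KeyM", "KeyE"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DOMAINS = {"criticalfactor.cc", "anamality.info"}
# %AppData% expands differently per Windows version; accept the common forms and the raw variable.
APPDATA_SUFFIXES = ("application data", "appdata\\roaming", "%appdata%")

def is_appdata_drop(path: str) -> bool:
    """True if path is one of the dropped filenames sitting directly in %AppData%."""
    parent, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return name in DROPPED_NAMES and parent.endswith(APPDATA_SUFFIXES)

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key: {value_name: raw_data}}; joins hex: line continuations."""
    keys: dict[str, dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # hex: data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def hex_to_printable(raw: str) -> list[str]:
    """Printable ASCII runs (4+ chars) in a hex: value; a triage hint, not a decoder of GatesList."""
    if not raw.lower().startswith("hex:"):
        return []
    data = bytes(int(h, 16) for h in raw[4:].split(",") if h)
    return [s.decode("ascii") for s in re.findall(rb"[ -~]{4,}", data)]

def scan_registry(keys: dict[str, dict[str, str]]) -> list[str]:
    """Report the IE Settings values and any Run entry pointing at a dropped file in %AppData%."""
    findings = []
    settings = keys.get(IE_SETTINGS_KEY, {})
    hits = IE_SETTINGS_VALUES & set(settings)
    if hits:
        findings.append(f"IE Settings values present: {sorted(hits)}")
        for s in hex_to_printable(settings.get("GatesList", "")):
            findings.append(f"GatesList printable run: {s}")
    for name, data in keys.get(RUN_KEY, {}).items():
        path = data.strip('"').replace("\\\\", "\\")   # undo .reg string escaping
        if is_appdata_drop(path):
            findings.append(f"Run value {name} -> {path}")
    return findings

def scan_dns(lines: list[str]) -> list[str]:
    """Flag log lines querying a contacted domain or any subdomain of it."""
    pattern = re.compile(r"(^|[\s.])(" + "|".join(map(re.escape, sorted(DOMAINS))) + r")\b", re.I)
    return [ln.strip() for ln in lines if pattern.search(ln)]

def triage(file_listing: list[str], reg_text: str, dns_lines: list[str]) -> dict[str, list[str]]:
    return {
        "dropped_files": [p for p in file_listing if is_appdata_drop(p)],
        "registry": scan_registry(parse_reg_export(reg_text)),
        "dns": scan_dns(dns_lines),
    }

# Constructed sample input (not real capture data); the GatesList byte layout is assumed.
SAMPLE_FILES = [
    r"C:\Documents and Settings\Administrator\Application Data\dumpreport.exe",
    r"C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\helper.exe",  # not in %AppData% root
    r"C:\WINDOWS\system32\svchost.exe",   # legitimate; note the dropped name is svchosts.exe
    r"C:\Users\alice\AppData\Roaming\svchosts.exe",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings]
"GatesList"=hex:63,72,69,74,69,63,61,6c,66,61,63,74,6f,72,2e,63,63,00,61,6e,61,\
  6d,61,6c,69,74,79,2e,69,6e,66,6f,00
"GID"=dword:0000002a
"KeyE"=dword:00010001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CrashDump"="C:\\Documents and Settings\\Administrator\\Application Data\\dumpreport.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_DNS = [
    "2009-03-01 10:02:11 client 10.0.0.5 query A criticalfactor.cc",
    "2009-03-01 10:02:12 client 10.0.0.5 query A www.microsoft.com",
    "2009-03-01 10:02:13 client 10.0.0.5 query A cdn.anamality.info",
]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_DNS))
```

Several of the dropped names (service.exe, helper.exe, logon.exe, uninstall.exe) are generic, so the script only flags them when they sit directly in %AppData% and treats the Internet Explorer\Settings values together with a Run entry pointing into %AppData% as the stronger signal. Legitimate entries such as svchost.exe in System32 or ctfmon.exe in the Run key are deliberately left unflagged.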