The main executable contains three encrypted components. It's role is to drop and execute the following files:
- a Dynamic Link Library called killdll.dll into %windir%\System32, which will be deleted after 15 seconds
- an executable into %windir% with the name [random value]_xeex.exe after the killdll.dll has finished its job
- a driver called pcidump.sys into %windir%\system32\drivers, which will be loaded into memory and deleted afterwards
After replication in %windir%\system32\scvhost.exe it will delete itself and quit.
1. The decrypted dll (killdll.dll) is the Antivirus-killer part. It gets loaded first and contains two encrypted drivers.
1.1. The first is used to disable the following services belonging to antivirus vendors:
To achieve this the program will replace the file AsyncMac.sys file (Microsoft Remote Access Serial Network Driver) found in %windir%\system32\drivers, a non-critical Microsoft Windows component with the aforementioned driver. After loading it into memory, the driver will terminate the services listed above. After this AsyncMac.sys will be unloaded and deleted.
Besides terminating these processes, the dynamic link library will also disable the system start feature of these services, so they will not be loaded at system startup.
1.2. The second driver is used to deactivate a commonly used proactive detection technique, by undoing modifications made in kernel memory by antivirus software. To drop the driver, it will replace the file aec.sys (Microsoft Acoustic Echo Canceller), a non-critical Microsoft Windows component, load the driver into memory and after it has finished it will unload the driver and delete the file.
2. The decrypted executable ([random value]_xeex.exe) is the downloader part:
Upon execution the process will verify what the name of the image file is. If it's userinit.exe, then it will follow the normal behaviour of userinit.exe (that is launching explorer.exe) so that the victim doesn't notice the changes. After this it will continue with it's normal execution :
It will send the MAC address, the operating system version and the current version of the file (specified probably by its creation date) to a website located at: http://
[removed]518js.com/30330/count.asp?mac=[mac address]&ver=[file version]&os=[os version].
It will download a list of about 30 files from http://
[removed]518js.com/30330/newfz.txt. These files will be downloaded and executed. If the current version of the malware file is outdated the list will contain a newer version of the file too, the rest of the files belong to the OnlineGames family of password stealers.
The links inside the list are in form of:
It will register the parent executable image to start with system startup using the windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with the following key name: RsTray.
3. The decrypted driver is the overwriter part:
Using low level functions it will overwrite userinit.exe (a core windows component), with the downloader part. Userinit.exe is loaded automatically at every system startup, so the downloader will be loaded at every system startup. Under normal circumstances, userinit.exe quits after launching explorer.exe, but in this case it will remain resident in memory. Besides this, the driver has process and file hiding properties, but these aren't used by the malware.