Injecter.GX attempts to downloads files from:
• http://88.255.[Removed]/e521.gif
• http://88.255.[Removed]/e514.gif
• http://88.255.[Removed]/e509.gif
It drops the downloaded files to the following location:
• %windir%\system32\cdmk.dll
• %temp%\dm4.exe
Injecter.GX also drops a DLL file from itself to the default temp folder which uses a name of tmp2.tmp. The file appears to be the downloader component itself.
The malware also creates a temp file called _vdmstmsnd_.dat.
It also attempts to send out information by performing the following command:
• HTTP GET http://85.255.[Removed]/count.php?u=346&e=521&r=1
It searches for a process named teatimer.exe. It will attempt to terminate the process if discovered.
The malware uses a mutex named STDP117.
To ensure that the malware starts with Windows, it copies the malware file to:
• C:\Documents and Settings\All Users\Start Menu
\Programs\Startup\msupd[number].exe
Note: [number] is random.
The malware creates the following registry entries:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID
UID = 6727150054040000de564349
(Seems to be some kind of hash of the victim's computer.)
UID2 = trojan.exe
(Filename of the malware on execution.)
• HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID\set
thPCvzSYyScLKSRaW3l3jquJRD382MNqz3P4yEfx = "mult"
thPCvzSYyScLKSRaW3l3jquJRD382MNqzHb4yEfx = "mult"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Session Manager PendingFileRenameOperations ="
\??\C:\Samples\trojan.exe.1
\??\C:\Documents and Settings\All Users\Start Menu\
Programs\Startup\msupd43616.exe"