The main service module is also generated randomly according to the above three character string lists:

String list 1: Windows, Microsoft, Network, Remote, Function, Secure, Application
String list 2: Update, Time, NetBIOS, RPC, Protocol, SSDP, UPnP
String list 3: Service, Host, Client, Event, Manager, Helper, System

The encrypted data packets are appended with the following extensions: xml, log, dat, xsl, ini, tlb, msc
That is to say, ApplicationNetBIOSClient is a concatenation of one entry from each list, in the order character string 1 + character string 2 + character string 3 (Application + NetBIOS + Client).
Because of this random combination, the main service (ApplicationNetBIOSClient here) and its DLL change as described above every time the virus starts. What is more, the randomly combined character strings are hardcoded into the file when its vector generates the main service module DLL, so the hash value of the generated file is different every time.
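Since the file hash differs on every run, the fixed word lists are the more durable indicator. The following is an added example (not part of the original analysis) that checks service or DLL names against the 343 possible combinations; the sample names are constructed, and treating the DLL as named `<service>.dll` is an assumption.

```python
import re
from itertools import product

# Word lists exactly as given in the analysis above.
LIST1 = ["Windows", "Microsoft", "Network", "Remote", "Function", "Secure", "Application"]
LIST2 = ["Update", "Time", "NetBIOS", "RPC", "Protocol", "SSDP", "UPnP"]
LIST3 = ["Service", "Host", "Client", "Event", "Manager", "Helper", "System"]


def candidate_names():
    """Every list1+list2+list3 concatenation (7 * 7 * 7 = 343), e.g. for a lookup table."""
    return {a + b + c for a, b, c in product(LIST1, LIST2, LIST3)}


def _alt(words):
    return "(" + "|".join(re.escape(w) for w in words) + ")"


# Anchored: only a complete three-part name matches. Windows service names are
# case-insensitive, hence IGNORECASE. The optional ".dll" suffix is an assumption
# (DLL named after the service), not something the analysis states.
NAME_RE = re.compile("^" + _alt(LIST1) + _alt(LIST2) + _alt(LIST3) + r"(?:\.dll)?$", re.IGNORECASE)


def classify(name):
    """Return the (part1, part2, part3) split if name fits the scheme, else None."""
    m = NAME_RE.match(name.strip())
    return m.groups() if m else None


def scan(names):
    """Return (name, parts) for each name that fits; a hit is a lead to triage, not a verdict."""
    return [(n, parts) for n in names if (parts := classify(n))]


# Constructed sample input: service / file names as an inventory export might list them.
SAMPLE = [
    "ApplicationNetBIOSClient",   # the instance named in the analysis
    "Dnscache",
    "WindowsUpdate",              # only two parts: no match
    "RemoteRPCHelper",
    "SecureTimeSystem.dll",
    "NetworkService",             # list 1 + list 3, no list 2 word: no match
    "microsoftupnpmanager",       # case differs, still matches
    "WindowsUpdateServiceX",      # trailing text: no match
]

if __name__ == "__main__":
    for name, parts in scan(SAMPLE):
        print(f"{name:28} -> {' + '.join(parts)}")
```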