This virus copies itself to %SystemRoot% as svchost.com. It modifies the system registry so that it is run every time an .exe file is opened:
In subkey: HKCR\exefile\shell\open\command
Sets value: "@"
With data: "%SystemRoot%\svchost.com "%1" %*"
It updates %SystemRoot%\directx.sys with the path of the last infected file to be run.
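The registry change above hijacks the default open handler for .exe files, so the virus is launched with the original program path as its argument every time any executable is started. The following check, added here as an example (not from the original page or from Microsoft's own tooling), compares the exefile open-command data against the clean Windows default and reports the program that was inserted in front of it; the registry sample it scans is constructed for illustration.

```python
import re

# Clean default data for HKCR\exefile\shell\open\command on Windows:
# the launched file itself, followed by its arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

EXEFILE_KEY = r"HKCR\exefile\shell\open\command"

# Constructed sample of exported registry values (illustrative, not real data).
SAMPLE_REGISTRY = {
    EXEFILE_KEY: r'"%SystemRoot%\svchost.com "%1" %*"',
    r"HKCR\txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}


def check_exefile_handler(data: str) -> dict:
    """Classify the exefile open-command data.

    Returns {'hijacked': bool, 'launcher': str or None}. 'launcher' is the
    program placed in front of "%1" %*, i.e. the binary that will receive
    every executable the user starts as its argument.
    """
    normalized = data.strip()
    if normalized == CLEAN_EXEFILE_COMMAND:
        return {"hijacked": False, "launcher": None}
    # Capture whatever precedes the "%1" %* token pair (optionally wrapped in
    # an outer pair of quotes, as in the data written by this virus).
    m = re.match(r'^"?(?P<launcher>.*?)\s+"%1"\s+%\*"?$', normalized)
    launcher = m.group("launcher").strip('"') if m else normalized
    return {"hijacked": True, "launcher": launcher}


def scan_registry(registry: dict) -> list:
    """Return one finding string per hijacked exefile handler in the export."""
    findings = []
    if EXEFILE_KEY in registry:
        result = check_exefile_handler(registry[EXEFILE_KEY])
        if result["hijacked"]:
            findings.append(f"{EXEFILE_KEY} -> launcher: {result['launcher']}")
    return findings


if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REGISTRY):
        print(finding)
```

Remediation consists of restoring the key's default value to `"%1" %*` once the dropped svchost.com copy has been removed; restoring the value first would only leave the infector in place, and removing the file first would break launching of every .exe until the handler is repaired.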
Spreads Via...
File Infection
This virus infects files by prepending its virus code to executable files.
Payload
Connects to remote server
We have seen this threat connect to the following remote server:
Server: link-on.tu1.ru
Script: /gate/gate.php
It uses POST to upload information gathered from the infected system, such as currently installed applications, running programs, and SMTP email accounts. The script file is currently detected as PWS:Win32/Ldpinch.gen!LogA.