Here is a quick peek at what this bad-guy is doing...
Once loaded on to the victim's system, it silently executes with out any obvious indications to the end-user. (no Fake AV pop-ups, instant reboots, tray icons or ransom notes here.)

The UPX packed executable will proceed to write out a file (disguised as an innocent temp or backup file) 1 subdirectory beneath it's current location.
The dropped file, actually a .dll (18432 bytes in size), uses (3-6 character) randomly generated filename with the extension ".tmp", ".bak", ".dat" or ".old".

filename extensions visible when looking at the binary in a hex editor.

It goes on to delete a couple audio drivers from the "c:\windows\system32\" directory (sysaudio.sys & wdmaud.sys).
Along with deleting these, it adds the following registry key:

"HKLM/Software/Microsoft/Windows NT/Current Version/Drivers32/midi9"

The above registry key value "midi9" actually equates to executing "<dropped_file> 0yAAAAAAAA" when loaded.
The system will now use the evil .dll file anytime the browser is loaded.


(Note the .bak file followed by the "0yAAAAAAAA" string, it's always there).

The malware will also generate an ID string (32 characters long) that gets sent to the C&C.

Sample screen shots of the malware's string generation routine.

The malware will also attempt to rename itself with no filename (null) upon reboot, using the MOVEFILE_DELAY_UNTIL_REBOOT function & a flag of 0x4.

A quick peek at the registry shows it created an entry under

HLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Normally ok except in the value data there is only 1 entry when there should be a pair (the current file name & what to rename it to upon reboot). 

Once the infection process completes, it quietly waits for you to access a website site using your browser.
Here is where this guy really starts to go to work, stealing FTP credentials and potentially skewing search results. Anything your browser sees, IT sees...

A quick look at a running packet capture and we see that along with the normal HTTP traffic it has taken the opportunity to communicate with the C&C.
It has sent the 32 character string (prefixed with "?0E2" & followed by a "0" at the end) in the URI to the C&C & received back a response as displayed here:



Notice the "SS: " & "Xost: " fields in the HTTP Header.
The "SS:" field contains the URI you were accessing & the "Xost:" field holds the original destination host/site.

Also of note is the response from the server.
The "//fHqq0EDFBNEED" is always present followed by the 32 byte string that was sent to the C&C, and then 2 additional bytes (the "2y" at the end).
(If you see this type of traffic on your network, it's time to be a little concerned...)

The malware attempts to contact one of 3 IP's

1.) 67.215.246.34 - still alive & well.

OrgName: Secured Private Network 
OrgID: SPNW
Address: 1740 East Garry Ave.
Address: Suite 234
City: Santa Ana
StateProv: CA
PostalCode: 92705
Country: US
NetRange: 67.215.224.0 - 67.215.255.255
CIDR: 67.215.224.0/19
OriginAS: AS22298
NetName: SPN3W
NetHandle: NET-67-215-224-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SECUREDPRIVATENETWORK.NET
NameServer: NS2.SECUREDPRIVATENETWORK.NET
Comment:
RegDate: 2007-10-18
Updated: 2008-10-08


2.) 67.212.81.67  - known Crimeware friendly ISP as mentioned here.

OrgName: Netelligent Hosting Services Inc.
OrgID: NHS-31
Address: 1396 Franklin Drive
City: Laval
StateProv: QC
PostalCode: H7W-1K6
Country: CA
NetRange: 67.212.64.0 - 67.212.95.255
CIDR: 67.212.64.0/19
NetName: NETEL-ARIN-BLK02
NetHandle: NET-67-212-64-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NETELLIGENT.CA
NameServer: NS2.NETELLIGENT.CA
NameServer: NS3.NETELLIGENT.CA
Comment:
RegDate: 2007-08-30
Updated: 2008-06-20

3.) 195.24.76.250 - which appears to host 9 other sites, including some leading to pages serving FakeAV.

inetnum: 195.24.72.0 - 195.24.79.255
netname: ROOT-195-24-72-0-21
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
status: ASSIGNED PI
mnt-by: ROOT-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
source: RIPE # Filtered

So while unsuspecting victims go about there usual web activity, the malware will quietly send data to any one of these 3 IP's (in the above order).

Without careful inspection, this communication can easily snake by perimeter defenses & security software.

More to come...

A special thanks to my colleagues Atif Mushtaq & Julia Wolf.

J.G. @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM