Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'userinit' = '<SYSTEM32>\userinit.exe,<Full path to virus>,'
- <Auxiliary element>
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[5].php
- %TEMP%\14.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[5].php
- %TEMP%\12.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[5].php
- %TEMP%\16.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[6].php
- %TEMP%\15.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[6].php
- %TEMP%\F.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[4].php
- %TEMP%\E.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[4].php
- %TEMP%\10.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[5].php
- %TEMP%\11.tmp
- %APPDATA%\579f766\scrs\10.jpg
- %APPDATA%\199500.zip
- %TEMP%\17.tmp
- %TEMP%\1D.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[8].php
- %TEMP%\1C.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[7].php
- %TEMP%\1E.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[8].php
- %TEMP%\20.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[8].php
- %TEMP%\1F.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[6].php
- %TEMP%\19.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[6].php
- %TEMP%\18.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[7].php
- %TEMP%\1B.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[7].php
- %TEMP%\1A.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[7].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[1].php
- %TEMP%\4.tmp
- %TEMP%\3.tmp
- %APPDATA%\579f766\scrs\04.jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[2].php
- %TEMP%\6.tmp
- %APPDATA%\579f766\scrs\05.jpg
- %TEMP%\5.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[1].php
- %TEMP%\1.tmp
- %APPDATA%\579f766\cmdline.txt
- %APPDATA%\579f766\scrs\01.jpg
- %APPDATA%\579f766\scrs\02.jpg
- %TEMP%\2.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[1].php
- %APPDATA%\579f766\scrs\03.jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[1].php
- %APPDATA%\579f766\scrs\06.jpg
- %APPDATA%\579f766\scrs\08.jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[3].php
- %TEMP%\B.tmp
- %TEMP%\C.tmp
- %TEMP%\D.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[4].php
- %APPDATA%\579f766\scrs\09.jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[4].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\posting[2].php
- %TEMP%\8.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\posting[2].php
- %TEMP%\7.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\posting[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\posting[3].php
- %TEMP%\A.tmp
- %TEMP%\9.tmp
- %APPDATA%\579f766\scrs\07.jpg
- <Full path to virus>
- %APPDATA%\579f766\scrs\10.jpg
- %APPDATA%\579f766\scrs\09.jpg
- %TEMP%\12.tmp
- %TEMP%\15.tmp
- %TEMP%\14.tmp
- %APPDATA%\579f766\scrs\05.jpg
- %APPDATA%\579f766\scrs\04.jpg
- %APPDATA%\579f766\scrs\06.jpg
- %APPDATA%\579f766\scrs\08.jpg
- %APPDATA%\579f766\scrs\07.jpg
- %TEMP%\16.tmp
- %TEMP%\1D.tmp
- %TEMP%\1C.tmp
- %TEMP%\1E.tmp
- %TEMP%\20.tmp
- %TEMP%\1F.tmp
- %TEMP%\18.tmp
- %TEMP%\17.tmp
- %TEMP%\19.tmp
- %TEMP%\1B.tmp
- %TEMP%\1A.tmp
- %TEMP%\7.tmp
- %TEMP%\6.tmp
- %TEMP%\8.tmp
- %TEMP%\A.tmp
- %TEMP%\9.tmp
- %TEMP%\2.tmp
- %TEMP%\1.tmp
- %TEMP%\3.tmp
- %TEMP%\5.tmp
- %TEMP%\4.tmp
- %TEMP%\B.tmp
- %APPDATA%\579f766\cmdline.txt
- %TEMP%\11.tmp
- %APPDATA%\579f766\scrs\01.jpg
- %APPDATA%\579f766\scrs\03.jpg
- %APPDATA%\579f766\scrs\02.jpg
- %TEMP%\D.tmp
- %TEMP%\C.tmp
- %TEMP%\E.tmp
- %TEMP%\10.tmp
- %TEMP%\F.tmp
- 'ry###el.info':80
- 'no###ec.info':80
- 'qe###oq.info':80
- 'tu###yp.info':80
- 'ci###ik.info':80
- 'xu###yn.info':80
- 'ly###ed.info':80
- 'vo###at.info':80
- 'ke###an.info':80
- 'fo###ew.info':80
- 'ly###yj.info':80
- 'di###ah.info':80
- 'ma###uf.info':80
- 'pu###iv.info':80
- 'ga###uz.info':80
- 'je###od.info':80
- 'ga###yh.info':80
- 'xu###ex.info':80
- 'vo###im.info':80
- 'ma###yt.info':80
- 'ly###or.info':80
- 'fo###oz.info':80
- 'www.bing.com':80
- 'no###ak.info':80
- 'ci###uf.info':80
- 'ke###ox.info':80
- 'fo###ab.info':80
- 'je###ur.info':80
- 'di###is.info':80
- 'ry###og.info':80
- 'qe###uv.info':80
- 'tu###eq.info':80
- 'pu###ul.info':80
- ry###el.info/posting.php
- no###ec.info/posting.php
- qe###oq.info/posting.php
- tu###yp.info/posting.php
- ci###ik.info/posting.php
- xu###yn.info/posting.php
- ly###ed.info/posting.php
- vo###at.info/posting.php
- ke###an.info/posting.php
- fo###ew.info/posting.php
- ly###yj.info/posting.php
- di###ah.info/posting.php
- ma###uf.info/posting.php
- pu###iv.info/posting.php
- ga###uz.info/posting.php
- je###od.info/posting.php
- ly###or.info/posting.php
- xu###ex.info/posting.php
- qe###uv.info/posting.php
- ma###yt.info/posting.php
- ci###uf.info/posting.php
- fo###oz.info/posting.php
- vo###im.info/posting.php
- no###ak.info/posting.php
- di###is.info/posting.php
- ke###ox.info/posting.php
- ga###yh.info/posting.php
- je###ur.info/posting.php
- pu###ul.info/posting.php
- ry###og.info/posting.php
- fo###ab.info/posting.php
- tu###eq.info/posting.php
- DNS ASK tu###yp.info
- DNS ASK ry###el.info
- DNS ASK qe###oq.info
- DNS ASK ma###uf.info
- DNS ASK pu###iv.info
- DNS ASK ci###ik.info
- DNS ASK xu###yn.info
- DNS ASK vo###at.info
- DNS ASK no###ec.info
- DNS ASK ly###ed.info
- DNS ASK ly###yj.info
- DNS ASK xu###ir.info
- DNS ASK ci###oc.info
- DNS ASK vo###ef.info
- DNS ASK no###um.info
- DNS ASK ga###uz.info
- DNS ASK je###od.info
- DNS ASK fo###ew.info
- DNS ASK di###ah.info
- DNS ASK ke###an.info
- DNS ASK ga###yh.info
- DNS ASK ci###uf.info
- DNS ASK ke###ij.info
- DNS ASK no###ak.info
- DNS ASK xu###ex.info
- DNS ASK vo###im.info
- DNS ASK fo###oz.info
- DNS ASK www.bing.com
- DNS ASK ga###as.info
- DNS ASK di###uw.info
- DNS ASK je###yn.info
- DNS ASK fo###ab.info
- DNS ASK pu###ul.info
- DNS ASK ke###ox.info
- DNS ASK je###ur.info
- DNS ASK di###is.info
- DNS ASK qe###uv.info
- DNS ASK ly###or.info
- DNS ASK ma###yt.info
- DNS ASK ry###og.info
- DNS ASK tu###eq.info
- ClassName: 'SunAwtDialog' WindowName: '??i? ? ???????'
- ClassName: 'SunAwtDialog' WindowName: '???? ? ???????'
- ClassName: 'SunAwtFrame' WindowName: '????????????? ? ??????'
- ClassName: 'SunAwtDialog' WindowName: '????????????? ? ??????'
- ClassName: 'SunAwtDialog' WindowName: 'Synchronization with bank'
- ClassName: 'javax.swing.JFrame' WindowName: '??i? ? ???????'
- ClassName: 'SunAwtFrame' WindowName: 'Welcome'
- ClassName: 'SunAwtFrame' WindowName: '???? ? ???????'
- ClassName: 'SunAwtFrame' WindowName: '??i? ? ???????'
- ClassName: 'javax.swing.JFrame' WindowName: 'Welcome'
- ClassName: 'javax.swing.JFrame' WindowName: '???? ? ???????'