Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\wscript.exe "%WINDIR%\3.wsf"
- <SYSTEM32>\wscript.exe "%WINDIR%\2.wsf"
- <SYSTEM32>\wscript.exe "%WINDIR%\1.wsf"
Modifies file system :
Creates the following files:
- %TEMP%\rad0B2BE.tmp
- %TEMP%\rad93F53.tmp
- %TEMP%\rad4D5F2.tmp
- %WINDIR%\1.wsf
- %WINDIR%\2.wsf
- %WINDIR%\3.wsf
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''