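Technical Information
Note: the section headings of this report did not survive extraction; the groupings below (registry, files, processes, network) are recognisable only from the entries themselves.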
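Registry autorun entries (same Run key and value name 'zuidah' throughout; only the trailing command-line switch differs):
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /x'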
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /f'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /z'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /t'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /u'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /a'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /w'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /m'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /o'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /p'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /d'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /n'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /j'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /g'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /h'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /k'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /q'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /y'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /v'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /l'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /e'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /b'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /c'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /s'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /r'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'zuidah' = '%HOMEPATH%\zuidah.exe /i'
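Files on removable media (an autorun.inf alongside bait-named executables is consistent with spreading via removable drives):
- <Drive name for removable media>:\Sexy.exe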
- <Drive name for removable media>:\Porn.exe
- <Drive name for removable media>:\Passwords.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\zuidah.exe
- <Drive name for removable media>:\Secret.exe
- hidden files
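Processes started ('%HOMEPATH%\zuidah.exe' is the file the Run key entries point to; the <SYSTEM32> entries that follow are stock Windows binaries and may be background activity of the analysis machine rather than sample behaviour, so confirm before using them as indicators):
- '%HOMEPATH%\zuidah.exe'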
- '<SYSTEM32>\wsqmcons.exe'
- '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
- '<SYSTEM32>\schtasks.exe' /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
- '<SYSTEM32>\sc.exe' start w32time task_started
- '<SYSTEM32>\sdclt.exe' /CONFIGNOTIFICATION
- '<SYSTEM32>\taskhost.exe' $(Arg0)
- %HOMEPATH%\c\Sexy.exe
- %HOMEPATH%\c\RCXBD61.tmp
- %HOMEPATH%\c\Porn.exe
- %HOMEPATH%\c\Secret.exe
- %HOMEPATH%\RCXAF0D.tmp
- %HOMEPATH%\RCXAF4C.tmp
- %HOMEPATH%\c\autorun.inf
- %HOMEPATH%\c\RCXBDCF.tmp
- %HOMEPATH%\c\RCXBF4A.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sql8B3E.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sql8B8D.tmp
- %HOMEPATH%\c\RCXBEEB.tmp
- %HOMEPATH%\c\RCXBE2E.tmp
- %HOMEPATH%\c\Passwords.exe
- %HOMEPATH%\c\RCXBE8C.tmp
- %HOMEPATH%\RCXAEBE.tmp
- %HOMEPATH%\RCX9A4B.tmp
- %HOMEPATH%\Porn.exe
- %HOMEPATH%\RCX9BA3.tmp
- %HOMEPATH%\Sexy.exe
- %HOMEPATH%\zuidah.exe
- %HOMEPATH%\Secret.exe
- %HOMEPATH%\RCX9BE3.tmp
- %HOMEPATH%\RCXADD1.tmp
- %HOMEPATH%\RCXAE20.tmp
- %HOMEPATH%\RCXAE6F.tmp
- %HOMEPATH%\RCX9CFE.tmp
- %HOMEPATH%\Passwords.exe
- %HOMEPATH%\RCX9C41.tmp
- %HOMEPATH%\RCX9C81.tmp
- <Drive name for removable media>:\zuidah.exe
- %HOMEPATH%\c\autorun.inf
- %HOMEPATH%\zuidah.exe
- <Drive name for removable media>:\autorun.inf
- %HOMEPATH%\c\Sexy.exe
- %HOMEPATH%\c\Secret.exe
- %HOMEPATH%\c\Passwords.exe
- %HOMEPATH%\c\Porn.exe
- %HOMEPATH%\c\autorun.inf
- %HOMEPATH%\Sexy.exe
- %HOMEPATH%\Secret.exe
- %HOMEPATH%\Passwords.exe
- %HOMEPATH%\Porn.exe
File moves (RCX*.tmp temporary files renamed to the final executable names):
- from %HOMEPATH%\RCXAF4C.tmp to %HOMEPATH%\Passwords.exe
- from %HOMEPATH%\c\RCXBD61.tmp to %HOMEPATH%\c\Sexy.exe
- from %HOMEPATH%\RCXAEBE.tmp to %HOMEPATH%\Passwords.exe
- from %HOMEPATH%\RCXAF0D.tmp to %HOMEPATH%\Passwords.exe
- from %HOMEPATH%\c\RCXBDCF.tmp to %HOMEPATH%\c\Porn.exe
- from %HOMEPATH%\c\RCXBEEB.tmp to %HOMEPATH%\c\Passwords.exe
- from %HOMEPATH%\c\RCXBF4A.tmp to %HOMEPATH%\c\Passwords.exe
- from %HOMEPATH%\c\RCXBE2E.tmp to %HOMEPATH%\c\Porn.exe
- from %HOMEPATH%\c\RCXBE8C.tmp to %HOMEPATH%\c\Passwords.exe
- from %HOMEPATH%\RCX9BE3.tmp to %HOMEPATH%\Porn.exe
- from %HOMEPATH%\RCX9C41.tmp to %HOMEPATH%\Passwords.exe
- from %HOMEPATH%\RCX9A4B.tmp to %HOMEPATH%\Sexy.exe
- from %HOMEPATH%\RCX9BA3.tmp to %HOMEPATH%\Porn.exe
- from %HOMEPATH%\RCX9C81.tmp to %HOMEPATH%\Passwords.exe
- from %HOMEPATH%\RCXAE20.tmp to %HOMEPATH%\Porn.exe
- from %HOMEPATH%\RCXAE6F.tmp to %HOMEPATH%\Porn.exe
- from %HOMEPATH%\RCX9CFE.tmp to %HOMEPATH%\Passwords.exe
- from %HOMEPATH%\RCXADD1.tmp to %HOMEPATH%\Sexy.exe
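Network activity (hostnames are partially masked with '#' in this report and cannot be used verbatim for blocking or log matching; the ns#.##ytime* hosts are contacted on port 7001, while the final port-123 entry is the NTP port):
- 'ns#.##ytime3.net':7001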
- 'ns#.##ytime2.org':7001
- 'ns#.##ytime3.org':7001
- 'ns#.##ytime4.com':7001
- 'ns#.##ytime2.net':7001
- 'ns#.##ytime1.net':7001
- 'ns#.##ytime1.com':7001
- 'ns#.##ytime2.com':7001
- 'ns#.##ytime1.org':7001
- DNS ASK ns#.##ytime3.net
- DNS ASK ns#.##ytime2.org
- DNS ASK ns#.##ytime4.com
- DNS ASK ns#.##ytime3.org
- DNS ASK ti##.#indows.com
- DNS ASK ns#.##ytime2.net
- DNS ASK dn#.##ftncsi.com
- DNS ASK ns#.##ytime1.com
- DNS ASK ns#.##ytime1.net
- DNS ASK ns#.##ytime2.com
- DNS ASK ns#.##ytime1.org
- 'ti##.#indows.com':123
- ClassName: 'Indicator' WindowName: '(null)'