Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe,'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AcIcUcAM.exe' = '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'jaQEcQMQ.exe' = '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files (Explorer display of hidden files is turned off; corresponds to the 'Hidden' = 2 registry change below)
- file extensions (Explorer hides known file extensions; corresponds to the 'HideFileExt' = 1 registry change below)
- User Account Control (UAC) (disabled; corresponds to the 'EnableLUA' = 0 registry change below)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qugcYwgY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nwgEEQYM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pAUUosMQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\fOgYYccU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jKocYYIM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\FEcIgwsw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\UkoUQcQk.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HgEswoYs.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VQQAgssc.bat" "<Full path to virus>""
- C:\RCX12.tmp
- %TEMP%\XMAAEAUg.bat
- <Current directory>\mGoE.ico
- C:\RCX11.tmp
- <Current directory>\QuUk.ico
- <Current directory>\HYUs.exe
- <Current directory>\FQoW.exe
- <Current directory>\AswO.exe
- C:\RCX14.tmp
- %TEMP%\swYkosgQ.bat
- C:\RCX13.tmp
- %TEMP%\FEcIgwsw.bat
- <Current directory>\lOws.ico
- <Current directory>\RUsE.exe
- <Current directory>\AswQ.exe
- C:\RCXE.tmp
- %TEMP%\qugcYwgY.bat
- <Current directory>\KkwC.exe
- C:\RCXD.tmp
- <Current directory>\WScY.ico
- <Current directory>\SGIk.ico
- <Current directory>\coAe.exe
- C:\RCX10.tmp
- <Current directory>\yqoI.ico
- <Current directory>\iAYK.exe
- C:\RCXF.tmp
- <Current directory>\Umwc.ico
- <Current directory>\ggUc.ico
- <Current directory>\leEI.ico
- <Current directory>\jIYM.exe
- C:\RCX1A.tmp
- C:\RCX19.tmp
- %TEMP%\ooQMswsc.bat
- %TEMP%\fOgYYccU.bat
- <Current directory>\rOoY.ico
- <Current directory>\JIQk.exe
- <Current directory>\oSQQ.ico
- <Current directory>\JksY.exe
- <Current directory>\JsgI.exe
- C:\RCX1B.tmp
- <Current directory>\lMsM.ico
- <Current directory>\XEAo.exe
- <Current directory>\eakY.ico
- <Current directory>\Qssi.exe
- C:\RCX16.tmp
- <Current directory>\jEYu.exe
- C:\RCX15.tmp
- %TEMP%\jKocYYIM.bat
- <Current directory>\OAMA.ico
- <Current directory>\wgoW.exe
- C:\RCX18.tmp
- <Current directory>\TUog.ico
- <Current directory>\YcIo.exe
- C:\RCX17.tmp
- <Current directory>\HwYE.ico
- <Current directory>\jcga.exe
- C:\RCX2.tmp
- <Current directory>\NkAQ.ico
- %TEMP%\HgEswoYs.bat
- %TEMP%\QgYwkcos.bat
- %TEMP%\UkoUQcQk.bat
- <Current directory>\EEQi.exe
- <Current directory>\FgkS.exe
- C:\RCX4.tmp
- %TEMP%\pAUUosMQ.bat
- C:\RCX3.tmp
- %TEMP%\xwYAMEgM.bat
- <Current directory>\PgQY.ico
- %TEMP%\EasYUgUY.bat
- %ALLUSERSPROFILE%\casg.txt
- C:\Documents and Settings\LocalService\NIMMEwsg\jaQEcQMQ
- <Current directory>\KCIU.ico
- %HOMEPATH%\NIMMEwsg\jaQEcQMQ
- %ALLUSERSPROFILE%\vesswIQA\AcIcUcAM
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\CyYAQMgo.bat
- %TEMP%\VQQAgssc.bat
- %TEMP%\file.vbs
- <Current directory>\Qcgc.ico
- <Current directory>\<Virus name>
- <Current directory>\xcEo.exe
- C:\RCX1.tmp
- <Current directory>\nsoc.ico
- <Current directory>\bUYK.exe
- C:\RCXA.tmp
- <Current directory>\BSgk.ico
- C:\RCX9.tmp
- %TEMP%\nwgEEQYM.bat
- <Current directory>\pSQg.ico
- <Current directory>\CgAe.exe
- C:\RCXC.tmp
- %TEMP%\GoAIkcsc.bat
- <Current directory>\FyIg.ico
- C:\RCXB.tmp
- <Current directory>\hcss.ico
- <Current directory>\zkYG.exe
- <Current directory>\QYUE.exe
- <Current directory>\fAsG.exe
- C:\RCX6.tmp
- <Current directory>\jqoY.ico
- <Current directory>\TQQw.exe
- C:\RCX5.tmp
- <Current directory>\gCwE.ico
- <Current directory>\zAoO.exe
- <Current directory>\VkkC.exe
- C:\RCX8.tmp
- <Current directory>\XyME.ico
- C:\RCX7.tmp
- %TEMP%\susYYkYA.bat
- <Current directory>\ROQs.ico
- %TEMP%\XMAAEAUg.bat
- <Current directory>\FQoW.exe
- <Current directory>\HYUs.exe
- <Current directory>\QuUk.ico
- <Current directory>\lOws.ico
- %TEMP%\swYkosgQ.bat
- <Current directory>\mGoE.ico
- <Current directory>\AswO.exe
- <Current directory>\iAYK.exe
- <Current directory>\SGIk.ico
- <Current directory>\AswQ.exe
- <Current directory>\WScY.ico
- <Current directory>\RUsE.exe
- <Current directory>\yqoI.ico
- <Current directory>\coAe.exe
- <Current directory>\Umwc.ico
- <Current directory>\TUog.ico
- <Current directory>\jIYM.exe
- <Current directory>\XEAo.exe
- %TEMP%\ooQMswsc.bat
- <Current directory>\rOoY.ico
- <Current directory>\lMsM.ico
- <Current directory>\leEI.ico
- <Current directory>\JsgI.exe
- <Current directory>\Qssi.exe
- <Current directory>\eakY.ico
- <Current directory>\jEYu.exe
- <Current directory>\ggUc.ico
- <Current directory>\wgoW.exe
- <Current directory>\HwYE.ico
- <Current directory>\YcIo.exe
- <Current directory>\OAMA.ico
- <Current directory>\FgkS.exe
- <Current directory>\PgQY.ico
- <Current directory>\NkAQ.ico
- %TEMP%\xwYAMEgM.bat
- <Current directory>\fAsG.exe
- <Current directory>\gCwE.ico
- <Current directory>\TQQw.exe
- <Current directory>\nsoc.ico
- <Current directory>\KCIU.ico
- %TEMP%\EasYUgUY.bat
- %TEMP%\CyYAQMgo.bat
- <Current directory>\xcEo.exe
- <Current directory>\Qcgc.ico
- <Current directory>\EEQi.exe
- %TEMP%\QgYwkcos.bat
- <Current directory>\jcga.exe
- <Current directory>\BSgk.ico
- <Current directory>\zkYG.exe
- <Current directory>\pSQg.ico
- <Current directory>\CgAe.exe
- <Current directory>\KkwC.exe
- <Current directory>\FyIg.ico
- <Current directory>\hcss.ico
- %TEMP%\GoAIkcsc.bat
- %TEMP%\susYYkYA.bat
- <Current directory>\VkkC.exe
- <Current directory>\zAoO.exe
- <Current directory>\jqoY.ico
- <Current directory>\XyME.ico
- <Current directory>\bUYK.exe
- <Current directory>\ROQs.ico
- <Current directory>\QYUE.exe
- from C:\RCX12.tmp to <Current directory>\HYUs.exe
- from C:\RCX13.tmp to <Current directory>\FQoW.exe
- from C:\RCX14.tmp to <Current directory>\AswO.exe
- from C:\RCXF.tmp to <Current directory>\iAYK.exe
- from C:\RCX10.tmp to <Current directory>\coAe.exe
- from C:\RCX11.tmp to <Current directory>\RUsE.exe
- from C:\RCX15.tmp to <Current directory>\jEYu.exe
- from C:\RCX19.tmp to <Current directory>\XEAo.exe
- from C:\RCX1A.tmp to <Current directory>\jIYM.exe
- from C:\RCX1B.tmp to <Current directory>\JsgI.exe
- from C:\RCX16.tmp to <Current directory>\Qssi.exe
- from C:\RCX17.tmp to <Current directory>\YcIo.exe
- from C:\RCX18.tmp to <Current directory>\wgoW.exe
- from C:\RCXE.tmp to <Current directory>\AswQ.exe
- from C:\RCX4.tmp to <Current directory>\FgkS.exe
- from C:\RCX5.tmp to <Current directory>\TQQw.exe
- from C:\RCX6.tmp to <Current directory>\fAsG.exe
- from C:\RCX1.tmp to <Current directory>\xcEo.exe
- from C:\RCX2.tmp to <Current directory>\jcga.exe
- from C:\RCX3.tmp to <Current directory>\EEQi.exe
- from C:\RCX7.tmp to <Current directory>\zAoO.exe
- from C:\RCXB.tmp to <Current directory>\CgAe.exe
- from C:\RCXC.tmp to <Current directory>\zkYG.exe
- from C:\RCXD.tmp to <Current directory>\KkwC.exe
- from C:\RCX8.tmp to <Current directory>\VkkC.exe
- from C:\RCX9.tmp to <Current directory>\QYUE.exe
- from C:\RCXA.tmp to <Current directory>\bUYK.exe
- '74.##5.232.51':80
- 74.##5.232.51/
- DNS query for google.com
- ClassName: '' WindowName: 'AcIcUcAM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'jaQEcQMQ.exe'