[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:ipsec'
To complicate detection of its presence in the operating system, forces the system to hide from view:
hidden files
Blocks the following features:
User Account Control (UAC)
Windows Security Center
Creates and executes the following:
%WINDIR%\system\DATA.exe
Injects code into the following system processes:
<SYSTEM32>\cscript.exe
Also injects code into a large number of user processes.
Modifies file system:
Creates the following files:
%TEMP%\wincqmyy.exe
%TEMP%\winfquox.exe
C:\ejhi.exe
C:\autorun.inf
%TEMP%\winixawa.exe
%TEMP%\qbff.exe
%TEMP%\winllck.exe
%TEMP%\winmkjr.exe
%TEMP%\winxjcgv.exe
%TEMP%\gbbts.exe
%TEMP%\%USERNAME%7
%TEMP%\%USERNAME%8
%APPDATA%\%USERNAME%log.dat
%WINDIR%\system\DATA.exe
%TEMP%\%USERNAME%2.txt
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\sqlite3[1].dll
%TEMP%\mslwii.exe
%TEMP%\wingcwgja.exe
<DRIVERS>\ispqn.sys
%TEMP%\153687.tmp
%APPDATA%\%USERNAME%3SQLite3.dll
Sets the 'hidden' attribute to the following files:
C:\ejhi.exe
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\vcdtue.exe
%WINDIR%\system\DATA.exe
%APPDATA%\%USERNAME%log.dat
C:\autorun.inf
Deletes the following files:
%TEMP%\winxjcgv.exe
%TEMP%\winixawa.exe
%TEMP%\winfquox.exe
%TEMP%\gbbts.exe
%TEMP%\winllck.exe
%TEMP%\qbff.exe
%TEMP%\winmkjr.exe
<DRIVERS>\ispqn.sys
%TEMP%\%USERNAME%8
%TEMP%\%USERNAME%2.txt
%TEMP%\%USERNAME%7
%TEMP%\wincqmyy.exe
%TEMP%\wingcwgja.exe
%TEMP%\mslwii.exe
Network activity:
Connects to:
'www.as##us.nl':80
'as##.co.in':80
'ca####elefon.com.tr':80
'fe####er.jino.ru':80
'ta####ihousing.com':80
'www.ar###lexi.com':80
'www.se##er.com':80
'localhost':1037
'yo####fxp.no-ip.biz':83
'al###bilek.org':80
'al###kan.av.tr':80
TCP:
HTTP GET requests:
ca####elefon.com.tr/logo.gif?56##########
www.as##us.nl/logos.gif?56###########
fe####er.jino.ru/logo.gif?57##########
ta####ihousing.com/logo.gif?56###########
as##.co.in/logo.gif?55###########
al###kan.av.tr/images/logo.gif?53##########
www.se##er.com/sqlite3.dll
www.ar###lexi.com/images/logos.gif?55###########
al###bilek.org/logo.gif?54###########
UDP:
DNS ASK www.as##us.nl
DNS ASK as##.co.in
DNS ASK ca####elefon.com.tr
DNS ASK fe####er.jino.ru
DNS ASK ta####ihousing.com
DNS ASK yo####fxp.no-ip.biz
DNS ASK www.se##er.com
DNS ASK al###kan.av.tr
DNS ASK www.ar###lexi.com
DNS ASK al###bilek.org
Miscellaneous:
Searches for the following windows:
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Indicator' WindowName: ''