<Drive name for removable media>:\Removable Disk (1GB).lnk
<Drive name for removable media>:\desktop.ini
<Drive name for removable media>:\ \desktop.ini
<Drive name for removable media>:\_WRVUEZNLU.init
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
hidden files
Creates and executes the following:
%TEMP%\_install_\msiexec.exe
Executes the following:
<SYSTEM32>\wuauclt.exe
Injects code into
the following system processes:
<SYSTEM32>\wuauclt.exe
Modifies file system :
Creates the following files:
%TEMP%\03.tmp
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\rodbpmbznkzxlixujgushesqfcqodaos[1]
%TEMP%\04.tmp
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\dbpebpecqfcqfdrgdrgesheshftiftid[1]
%TEMP%\02.tmp
%TEMP%\01.tmp
%TEMP%\_install_\msiexec.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\iyeszodjzftapekagubqflbhvcrgebhv[1]
%ALLUSERSPROFILE%\Local Settings\Temp\ccexfv.com
Sets the 'hidden' attribute to the following files:
<Full path to virus>
Deletes the following files:
%TEMP%\03.tmp
%TEMP%\04.tmp
%TEMP%\01.tmp
%TEMP%\02.tmp
Network activity:
Connects to:
'a.##bea.in':80
'b.##bea.in':80
'c.##bea.in':80
'20#.#6.232.182':80
'localhost':1038
'8.#.8.8':80
TCP:
HTTP GET requests:
c.##bea.in/dbpebpecqfcqfdrgdrgesheshftiftid
b.##bea.in/rodbpmbznkzxlixujgushesqfcqodaos
a.##bea.in/iyeszodjzftapekagubqflbhvcrgebhv
HTTP POST requests:
8.#.8.8/xxxxxxxxx.php
UDP:
DNS ASK b.##bea.in
DNS ASK c.##bea.in
DNS ASK www.up####.microsoft.com
DNS ASK a.##bea.in
Scaricate Dr.Web per Android
Gratis per 3 mesi
Tutti i componenti di protezione
Rinnovo versione di prova tramite AppGallery/Google Pay
Continuando a utilizzare questo sito, l'utente acconsente al nostro utilizzo di file Cookie e di altre tecnologie per la raccolta di informazioni statistiche sui visitatori. Per maggiori informazioni