Technical Information
- %HOMEPATH%\Start Menu\Programs\Startup\360safe.lnk
- %HOMEPATH%\Start Menu\Programs\Startup\ЅрЙЅНш¶Ь.lnk
- '%TEMP%\Vshion9312.exe'
- '%TEMP%\klivesetup_1.15.0.595_18.8.exe'
- '%TEMP%\uaua9312.exe'
- '%ALLUSERSPROFILE%\Start Menu\<Virus name>.exe'
- '%TEMP%\Chaosuq.exe'
- '%TEMP%\klivesetup_1.15.0.595_18.8.exe' (downloaded from the Internet)
- '%TEMP%\uaua9312.exe' (downloaded from the Internet)
- '%TEMP%\Chaosuq.exe' (downloaded from the Internet)
- '%TEMP%\Vshion9312.exe' (downloaded from the Internet)
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\Desktop\├└┼о╩╙╞╡.url" +R +S
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\Desktop\╘┌╧▀╡ч╙░.url" +R +S
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\Desktop\┴ў╨╨╥Ї└╓.url" +R +S
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\╠╘▒ж╣║╬я.url" /p everyone:f
- '<SYSTEM32>\attrib.exe' "%ALLUSERSPROFILE%\Application Data\Kingsoft\kws\kws.ini" +R +S
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\Desktop\░╦╪╘╔л═╝.url" +R +S
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\Desktop\╠╘▒ж╣║╬я.url" +R +S
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\╘┌╧▀╡ч╙░.url" /p everyone:R
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\┴ў╨╨╥Ї└╓.url" /p everyone:R
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\╠╘▒ж╣║╬я.url" /p everyone:R
- '<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\░╦╪╘╔л═╝.url" /p everyone:R
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\├└┼о╩╙╞╡.url" /p everyone:R
- '<SYSTEM32>\cmd.exe' /c %TEMP%\ivVBS.bat
- '<SYSTEM32>\expand.exe' "%TEMP%\kingsoft.cab" -F:*.* "%PROGRAM_FILES%\kingsofta"
- '<SYSTEM32>\expand.exe' "%TEMP%\url.cab" -F:*.* "%HOMEPATH%\Desktop"
- '%WINDIR%\explorer.exe' http://www.77##h.com/?uk#
- '<SYSTEM32>\cmd.exe' /c %TEMP%\zCrFE.bat
- '<SYSTEM32>\expand.exe' "%TEMP%\ico.cab" -F:*.* "<SYSTEM32>"
- '<SYSTEM32>\cmd.exe' /c %TEMP%\lnk.bat
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\├└┼о╩╙╞╡.url" /p everyone:f
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\╘┌╧▀╡ч╙░.url" /p everyone:f
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\┴ў╨╨╥Ї└╓.url" /p everyone:f
- '<SYSTEM32>\ping.exe' -n 3 127.0.0.1
- '<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\Desktop\░╦╪╘╔л═╝.url" /p everyone:f
- %ALLUSERSPROFILE%\Desktopkws\kws.ini
- %TEMP%\kingsoft.cab
- %TEMP%\ivVBS.bat
- %ALLUSERSPROFILE%\Start Menu\ЅрЙЅНш¶Ь.lnk
- %PROGRAM_FILES%\kingsofta\kingsoft.cab
- <SYSTEM32>\Video.ico
- <SYSTEM32>\taobao.ico
- <SYSTEM32>\Beauty.ico
- <SYSTEM32>\Music.ico
- <SYSTEM32>\Film.ico
- %TEMP%\Chaosuq.exe
- %HOMEPATH%\Desktop\ФЪПЯµзУ°.url
- %TEMP%\Vshion9312.exe
- %TEMP%\klivesetup_1.15.0.595_18.8.exe
- %TEMP%\uaua9312.exe
- %HOMEPATH%\Desktop\°ЛШФЙ«Нј.url
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\779dh[1]
- %HOMEPATH%\Desktop\БчРРТфАЦ.url
- %HOMEPATH%\Desktop\МФ±¦№єОп.url
- %HOMEPATH%\Desktop\ГАЕ®КУЖµ.url
- %TEMP%\zCrFE.bat
- %PROGRAM_FILES%\FireFox\uninstall\BHXFb.dll
- %PROGRAM_FILES%\FireFox\BHXFb.dll
- %PROGRAM_FILES%\Messenger\BHXFb.dll
- %PROGRAM_FILES%\MSN\MSNCoreFiles\Install\BHXFb.dll
- %PROGRAM_FILES%\Movie Maker\BHXFb.dll
- %TEMP%\zs.bat
- %ALLUSERSPROFILE%\Start Menu\<Virus name>.exe
- C:\Far2\BHXFb.dll
- %CommonProgramFiles%\Microsoft Shared\MSInfo\BHXFb.dll
- %CommonProgramFiles%\Microsoft Shared\DW\BHXFb.dll
- %TEMP%\lnk.bat
- <Auxiliary element>
- %TEMP%\ico.cab
- <SYSTEM32>\safe.ico
- %TEMP%\url.cab
- %PROGRAM_FILES%\MSN Gaming Zone\Windows\BHXFb.dll
- %PROGRAM_FILES%\MSN\MSNCoreFiles\Install\MSN9Components\BHXFb.dll
- %PROGRAM_FILES%\Outlook Express\BHXFb.dll
- %PROGRAM_FILES%\Windows NT\Pinball\BHXFb.dll
- %PROGRAM_FILES%\Windows NT\BHXFb.dll
- %PROGRAM_FILES%\MSN Gaming Zone\Windows\BHXFb.dll
- %PROGRAM_FILES%\MSN\MSNCoreFiles\Install\MSN9Components\BHXFb.dll
- %PROGRAM_FILES%\MSN\MSNCoreFiles\Install\BHXFb.dll
- %PROGRAM_FILES%\Outlook Express\BHXFb.dll
- <Auxiliary element>
- %PROGRAM_FILES%\Windows NT\Pinball\BHXFb.dll
- %PROGRAM_FILES%\Windows NT\BHXFb.dll
- %CommonProgramFiles%\Microsoft Shared\MSInfo\BHXFb.dll
- %CommonProgramFiles%\Microsoft Shared\DW\BHXFb.dll
- C:\Far2\BHXFb.dll
- %PROGRAM_FILES%\FireFox\BHXFb.dll
- %PROGRAM_FILES%\Movie Maker\BHXFb.dll
- %PROGRAM_FILES%\Messenger\BHXFb.dll
- %PROGRAM_FILES%\FireFox\uninstall\BHXFb.dll
- %TEMP%\kingsoft.cab
- %TEMP%\ico.cab
- 'www.77##h.com':80
- 'localhost':1041
- 't.##ad.com':80
- '22#.#17.240.30':80
- 'www.33##.org':80
- 'v.##o63.com':80
- 'tt.#kad.com':80
- 'ht.##down.com':80
- 22#.#17.240.30/soft/Vshion9312.exe
- tt.#kad.com/Chaosuq.exe
- t.##ad.com/klivesetup_1.15.0.595_18.8.exe
- 22#.#17.240.30/soft/uaua9312.exe
- www.77##h.com/?uk#
- www.33##.org/dyndns/getip
- v.##o63.com/rundll.dll
- tt.#kad.com/kingsoft.cab
- ht.##down.com/cj4/up_1.asp?a=###########################
- DNS ASK tt.#kad.com
- DNS ASK www.77##h.com
- DNS ASK t.##ad.com
- DNS ASK v.##o63.com
- DNS ASK www.33##.org
- DNS ASK ht.##down.com
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: '(null)' WindowName: '(null)'