Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'XiOSS' = '<Full path to file>'
- '' (downloaded from the Internet)
- <SYSTEM32>\gzq.exe
- <SYSTEM32>\xmyy28\gzip.dll
- <SYSTEM32>\xmyy28\ss.txt
- <SYSTEM32>\xmyy28\xmyy.exe
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- <SYSTEM32>\spoolsx.exe
- C:\cd.bat
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- <Full path to file>
- '12#.#48.245.10':88
- 'localhost':1040
- '19#.#88.104.85':80
- http://19#.#88.104.85/vp.exe
- http://19#.#88.104.85/soft/spoolsx.jpg
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bb8.bbc.380001'
- '<SYSTEM32>\gzq.exe'
- '<SYSTEM32>\spoolsx.exe'
- '<SYSTEM32>\ntvdm.exe' -f -i1
- '<SYSTEM32>\cmd.exe' /c echo ping 127.1 -n 3 >nul 2>nul >c:\cd.bat&echo del "<Full path to file>">>c:\cd.bat&echo del c:\cd.bat>>c:\cd.bat&c:\cd.bat
- '<SYSTEM32>\ping.exe' 127.1 -n 3