Technical Information
To ensure autorun and distribution
Changes the following executable system files
- %WINDIR%\flash_sa.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\vbc.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\regsvcs.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\regasm.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\ngen.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\migpolwin.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\migpol.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\jsc.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\installutil.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\ilasm.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\ieexec.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\cvtres.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\csc.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\configwizards.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\caspol.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_wp.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_state.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_regiis.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\al.exe
- %WINDIR%\microsoft.net\assembly\gac_msil\microsoft.workflow.compiler\v4.0_4.0.0.0__31bf3856ad364e35\microsoft.workflow.compiler.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinutil.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\applaunch.exe
Infects the following executable files
- C:\far2\far.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\vbc.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\regsvcs.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\regasm.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\ngen.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\migpolwin.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\migpol.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\jsc.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\installutil.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\ilasm.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\ieexec.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\cvtres.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinutil.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\csc.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\caspol.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_wp.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_state.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_regiis.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\al.exe
- %WINDIR%\microsoft.net\assembly\gac_msil\microsoft.workflow.compiler\v4.0_4.0.0.0__31bf3856ad364e35\microsoft.workflow.compiler.exe
- %WINDIR%\flash_sa.exe
- C:\totalcmd\totalcmd64.exe
- C:\totalcmd\tcusbrun.exe
- C:\totalcmd\tcunin64.exe
- C:\totalcmd\tcmdx32.exe
- C:\totalcmd\tcmadm64.exe
- C:\totalcmd\noclose64.exe
- %WINDIR%\microsoft.net\framework\v1.1.4322\configwizards.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\applaunch.exe
