Technical Information
- [<HKLM>\System\CurrentControlSet\Services\msupdate] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\msupdate] 'ImagePath' = '<SYSTEM32>\msupdate.exe /service'
- %WINDIR%\syswow64\msupdate.exe
- %WINDIR%\syswow64\rcx71cc.tmp
- from %WINDIR%\syswow64\rcx71cc.tmp to %WINDIR%\syswow64\msupdate.exe
- http://ms###ate2.net/comm.php?us####################
- http://ms###ate2.com/newuser.php
- http://ms###ate2.net/newuser.php
- DNS ASK ms###ate2.com
- DNS ASK ms###ate2.net
- '%WINDIR%\syswow64\msupdate.exe' /service
- '%WINDIR%\syswow64\cmd.exe' /c for /L %i in (1,1,10000) do del /q "<Full path to file>" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c for /L %i in (1,1,10000) do del /q "<Full path to file>"