Technical Information
Service persistence: a service named 'UPlugPlay' is registered with automatic start ('Start' = 2, SERVICE_AUTO_START) and an ImagePath pointing at an svchost.exe located directly in %WINDIR%, not the legitimate %WINDIR%\System32\svchost.exe:
- [<HKLM>\System\CurrentControlSet\Services\UPlugPlay] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\UPlugPlay] 'ImagePath' = '%WINDIR%\svchost.exe Dcomsvc'
- 'UPlugPlay' %WINDIR%\svchost.exe Dcomsvc
- %WINDIR%\svchost.exe
Network activity (host name partially masked in the report): HTTP requests to the prometei.cgi script on that host, preceded by a DNS lookup of the host name:
- http://bk#.###spiritfun2.net/cgi-bin/prometei.cgi?r=###################################
- http://bk#.###spiritfun2.net/cgi-bin/prometei.cgi?ad#############################################################################################################################################...
- DNS ASK bk#.###spiritfun2.net
Processes started: the service binary is run with the 'Dcomsvc' argument and also with '/watchdog'; cmd.exe is used to run reg.exe and set UserAuthentication = 1 on the RDP-Tcp listener (the Network Level Authentication setting for Remote Desktop):
- '%WINDIR%\svchost.exe' Dcomsvc
- '%WINDIR%\svchost.exe' /watchdog
- '<SYSTEM32>\cmd.exe' /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /f /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /f /t REG_DWORD /d 1
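The indicators above translate into a small set of host and network checks. The Python script below is an added example written for this page, not code from the report or from the malware. It runs the checks over constructed sample events (Sysmon-style process, registry, DNS and HTTP records, not real telemetry) in which %WINDIR% and %SystemRoot% are assumed to expand to C:\Windows, and the masked labels of the C2 host are replaced with placeholder 'x' characters, so only the visible suffix spiritfun2.net and the path /cgi-bin/prometei.cgi are matched.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Assumption for the constructed sample: %WINDIR% and %SystemRoot% expand to C:\Windows.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RDP_TCP_FRAGMENT = r"winstations\rdp-tcp"
# The report masks the leading labels of the C2 host, so only the visible suffix is matched.
C2_HOST_RE = re.compile(r"spiritfun2\.net$", re.IGNORECASE)
C2_PATH = "/cgi-bin/prometei.cgi"

# Constructed sample events modelled on the indicators in the report (not real telemetry).
# The masked host labels are replaced by placeholder 'x' characters.
SAMPLE_EVENTS = [
    # 0: legitimate svchost.exe as launched by the Service Control Manager
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    # 1, 2: the svchost.exe copy in %WINDIR% with the arguments listed in the report
    {"type": "process", "image": r"C:\Windows\svchost.exe",
     "cmdline": r"C:\Windows\svchost.exe Dcomsvc"},
    {"type": "process", "image": r"C:\Windows\svchost.exe",
     "cmdline": r"C:\Windows\svchost.exe /watchdog"},
    # 3: the RDP-Tcp change
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /f /t REG_DWORD /d 1'},
    # 4, 5: the UPlugPlay service registration
    {"type": "registry", "key": r"HKLM\System\CurrentControlSet\Services\UPlugPlay",
     "value": "ImagePath", "data": r"%WINDIR%\svchost.exe Dcomsvc"},
    {"type": "registry", "key": r"HKLM\System\CurrentControlSet\Services\UPlugPlay",
     "value": "Start", "data": "2"},
    # 6: a benign svchost-hosted service for contrast
    {"type": "registry", "key": r"HKLM\System\CurrentControlSet\Services\Dhcp",
     "value": "ImagePath", "data": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p"},
    # 7, 8: DNS lookup and HTTP request with the masked labels replaced by 'x'
    {"type": "dns", "query": "bkx.xxxspiritfun2.net"},
    {"type": "http", "url": "http://bkx.xxxspiritfun2.net/cgi-bin/prometei.cgi?r=placeholder"},
]


def expand_env(path):
    """Expand the environment variables the sample assumes (case-insensitive)."""
    out = path
    for var, val in ENV.items():
        out = re.sub(re.escape(var), lambda m: val, out, flags=re.IGNORECASE)
    return out


def image_from_imagepath(data):
    """Return the executable part of a service ImagePath (quoted path or first token)."""
    data = expand_env(data.strip())
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(None, 1)[0] if data else ""


def svchost_findings(image):
    """Flag any svchost.exe that does not live in System32 or SysWOW64."""
    p = PureWindowsPath(expand_env(image))
    if p.name.lower() != "svchost.exe":
        return []
    if str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
        return ["svchost.exe located outside System32/SysWOW64"]
    return []


def process_args(ev):
    """Arguments after the image path; falls back to splitting on the first space."""
    cmd, img = ev["cmdline"], ev["image"]
    if cmd.lower().startswith(img.lower()):
        return cmd[len(img):].strip()
    parts = cmd.split(None, 1)
    return parts[1] if len(parts) == 2 else ""


def check_process(ev):
    hits = svchost_findings(ev["image"])
    image_name = PureWindowsPath(ev["image"]).name.lower()
    # The SCM launches the real svchost.exe with "-k <group>"; "Dcomsvc" and "/watchdog" do not fit.
    if image_name == "svchost.exe" and not process_args(ev).lower().startswith("-k"):
        hits.append("svchost.exe started without a -k service group")
    low = ev["cmdline"].lower()
    if image_name == "reg.exe" and RDP_TCP_FRAGMENT in low and "userauthentication" in low:
        hits.append("RDP-Tcp UserAuthentication changed via reg.exe")
    return hits


def check_registry(ev):
    key = ev["key"].lower()
    if "\\services\\" in key and ev["value"].lower() == "imagepath":
        svc = key.rsplit("\\", 1)[-1]
        return [f"service {svc}: {h}" for h in svchost_findings(image_from_imagepath(ev["data"]))]
    return []


def check_network(ev):
    if ev["type"] == "dns":
        return ["DNS query for Prometei C2 host"] if C2_HOST_RE.search(ev["query"]) else []
    u = urlsplit(ev["url"])
    hits = []
    if C2_HOST_RE.search(u.hostname or ""):
        hits.append("HTTP request to Prometei C2 host")
    if u.path.lower() == C2_PATH:
        hits.append("HTTP request to prometei.cgi")
    return hits


def scan(events):
    """Return (event index, finding) pairs for every indicator hit."""
    checks = {"process": check_process, "registry": check_registry,
              "dns": check_network, "http": check_network}
    return [(i, f) for i, ev in enumerate(events) for f in checks[ev["type"]](ev)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The two strongest host signals are structural rather than string-based: an svchost.exe image outside System32/SysWOW64, and an svchost.exe launched without a "-k" group, both of which hold regardless of the service name the sample chooses. The RDP-Tcp check also fires on legitimate administrative hardening (enabling NLA is a normal change), so treat it as context for the other findings rather than as a detection on its own.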