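Technical Information
Note: the section headings that normally group these entries appear to be missing from this copy, so the role of each entry (created, executed, modified, deleted or searched for) is not stated here and should be confirmed against the original report. Several entries are standard Windows components (for example <SYSTEM32>\net.exe, <SYSTEM32>\calc.exe, the %WINDIR%\Fonts files and the <SYSTEM32>\*.scr screen savers) and are not indicators on their own. The three "reg.exe add hkey_..." command lines are recorded without backslashes in the key and data paths, which may be how the commands were actually issued; do not normalise them without checking the original report.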
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Greatgame' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe <SYSTEM32>\csmm.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Adobe Updates' = '%HOMEPATH%\Start Menu\Programs\Startup\server.exe'
- %HOMEPATH%\Start Menu\Programs\Startup\spammer.vbs
- %HOMEPATH%\Start Menu\Programs\Startup\start.vbs
- %HOMEPATH%\Start Menu\Programs\Startup\start.bat
- <Full path to virus>
- %HOMEPATH%\Start Menu\Programs\Startup\virus bind.bat
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
- %TEMP%\completewipeout.exe
- %TEMP%\pccrash.exe
- %TEMP%\moviemakerspam.exe
- %TEMP%\byebye.exe
- <SYSTEM32>\config\Rundll32.exe
- %TEMP%\accountspammer.exe
- %TEMP%\delcandd.exe
- %TEMP%\crash.exe
- %TEMP%\c0nw0nkhidden.exe
- %TEMP%\blocker.exe
- %TEMP%\fdaf.exe
- %TEMP%\explorer.exe
- %TEMP%\flood.exe
- %TEMP%\compcrash.exe
- %TEMP%\desktopspam.exe
- %TEMP%\spammer.exe
- %TEMP%\xcxzcxzc.exe
- %TEMP%\Sender.exe
- %TEMP%\ultimate virus.exe
- %TEMP%\hinternet.exe
- %TEMP%\webpagespam.exe
- %TEMP%\internalwipe.exe
- <SYSTEM32>\csmm.exe
- %TEMP%\allfiledel.exe
- %TEMP%\taskkiller.exe
- %TEMP%\c0nw0nkinfection.exe
- %TEMP%\hshutdown.exe
- %TEMP%\virus bind.exe
- %TEMP%\shutdown.exe
- <SYSTEM32>\sxmm.dll regsetval sz "HKCU\control panel\desktop" "ScreenSaveActive" 0 win child class "Shell_TrayWnd" hide class "TrayClockWClass" stdbeep win close title "Calculator" clipboard clear service stop SharedAccess urlshortcut "http://te####t.blogfa.com" "~$folder.desktop$" "TeraBIT" service disabled SharedAccess win child class "Shell_TrayWnd" hide class "button" win hide class progman
- <SYSTEM32>\calc.exe
- <SYSTEM32>\net.exe stop mcshield
- <SYSTEM32>\attrib.exe +r +h C0nw0nk
- <SYSTEM32>\format.com A: /q /x /y
- <SYSTEM32>\cmd.exe /c """%TEMP%\1F.tmp\batchfile.bat"" "
- <SYSTEM32>\cmd.exe /c c:\nt.bat
- <SYSTEM32>\cmd.exe /c """%TEMP%\1B.tmp\batchfile.bat"" "
- <SYSTEM32>\net.exe stop Norton Antivirus Auto Protect Service
- <SYSTEM32>\cmd.exe /c """%TEMP%\selfdel0.bat"" "
- <SYSTEM32>\cmd.exe /c """%TEMP%\1D.tmp\batchfile.bat"" "
- <SYSTEM32>\reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Greatgame /t REG_SZ
- <SYSTEM32>\net1.exe stop mcshield
- <SYSTEM32>\net1.exe stop Norton Antivirus Auto Protect Service
- <SYSTEM32>\format.com C: /q /x /y
- <SYSTEM32>\attrib.exe +r +h Greatgame.bat
- <SYSTEM32>\cmd.exe /c """%TEMP%\23.tmp\batchfile.bat"" "
- <SYSTEM32>\cmd.exe /c """%TEMP%\21.tmp\batchfile.bat"" "
- <SYSTEM32>\taskkill.exe /f /im notepad.exe
- <SYSTEM32>\taskkill.exe /f /im wordpad.exe
- <SYSTEM32>\format.com B: /q /x /y
- <SYSTEM32>\wscript.exe "%HOMEPATH%\Start Menu\Programs\Startup\spammer.vbs"
- <SYSTEM32>\reg.exe add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
- <SYSTEM32>\net.exe stop "Windows Audio"
- <SYSTEM32>\cmd.exe /c """%TEMP%\D.tmp\batchfile.bat"" "
- <SYSTEM32>\net.exe stop "Protected Storage"
- <SYSTEM32>\net1.exe user %USERNAME% ""
- <SYSTEM32>\net1.exe user %USERNAME% arashjeyjey
- <SYSTEM32>\cmd.exe /c """%TEMP%\8.tmp\batchfile.bat"" "
- <SYSTEM32>\cmd.exe /c """%TEMP%\6.tmp\batchfile.bat"" "
- <SYSTEM32>\cmd.exe /c """%TEMP%\9.tmp\batchfile.bat"" "
- <SYSTEM32>\cmd.exe /c """%TEMP%\C.tmp\batchfile.bat"" "
- <SYSTEM32>\reg.exe add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
- <SYSTEM32>\reg.exe add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
- <SYSTEM32>\cmd.exe /c """%TEMP%\16.tmp\batchfile.bat"" "
- <SYSTEM32>\attrib.exe +h +r "%HOMEPATH%\start menu\programs\startup"
- <SYSTEM32>\cmd.exe /c """%TEMP%\17.tmp\batchfile.bat"" "
- <SYSTEM32>\cmd.exe /c """%TEMP%\19.tmp\batchfile.bat"" "
- <SYSTEM32>\shutdown.exe -s -t 00
- <SYSTEM32>\cmd.exe /c """%TEMP%\11.tmp\batchfile.bat"" "
- <SYSTEM32>\net1.exe stop "Windows Audio"
- <SYSTEM32>\net1.exe stop "Protected Storage"
- %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://do####revenue.com/
- <SYSTEM32>\cmd.exe /c """%TEMP%\13.tmp\batchfile.bat"" "
- YahooMessenger.exe
- firefox.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000002'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoViewOnDrive' = '03FFFFFF'
- <SYSTEM32>\net.exe
- <SYSTEM32>\attrib.exe
- "%TEMP%\22.tmp\b2e.exe"
- <SYSTEM32>\sxmm.dll
- %HOMEPATH%\Desktop\21459.25589
- %HOMEPATH%\Desktop\3349.23381
- %HOMEPATH%\Desktop\15046.11822
- %HOMEPATH%\Desktop\30473.8798
- %HOMEPATH%\Desktop\8664.32483
- %HOMEPATH%\Desktop\13607.3513
- %HOMEPATH%\Desktop\24788.8787
- %HOMEPATH%\Desktop\4658.28151
- %TEMP%\crash.exe
- %TEMP%\1A.tmp\b2e.exe
- %HOMEPATH%\Desktop\23963.8776
- %TEMP%\1B.tmp\batchfile.bat
- %HOMEPATH%\Desktop\18435.19072
- %HOMEPATH%\Desktop\23625.18897
- %HOMEPATH%\Desktop\29446.17086
- %HOMEPATH%\Desktop\21146.18654
- %HOMEPATH%\Desktop\2026.6705
- %HOMEPATH%\Desktop\12676.23575
- %HOMEPATH%\Desktop\17824.15218
- %HOMEPATH%\Desktop\17820.26959
- %HOMEPATH%\Desktop\13821.16693
- %HOMEPATH%\Desktop\29983.29141
- %HOMEPATH%\Desktop\30858.929
- %HOMEPATH%\Desktop\8269.15512
- %HOMEPATH%\Desktop\23756.30561
- %HOMEPATH%\Desktop\17541.22706
- %HOMEPATH%\Desktop\31119.6067
- %HOMEPATH%\Desktop\23569.11968
- %HOMEPATH%\Desktop\26639.30056
- %HOMEPATH%\Desktop\27997.30064
- %HOMEPATH%\Desktop\25352.2109
- %HOMEPATH%\Desktop\9526.29741
- %TEMP%\moviemakerspam.exe
- %HOMEPATH%\Desktop\30738.27253
- %HOMEPATH%\Desktop\15043.27171
- %HOMEPATH%\Desktop\22049.14672
- %HOMEPATH%\Desktop\25788.4677
- %HOMEPATH%\Desktop\30155.11673
- %HOMEPATH%\Desktop\31714.17951
- %HOMEPATH%\Desktop\6544.21485
- %HOMEPATH%\Desktop\29534.13972
- %HOMEPATH%\Desktop\2905.9558
- %HOMEPATH%\Desktop\9167.8296
- %HOMEPATH%\Desktop\1591.6081
- %HOMEPATH%\Desktop\11470.4383
- %HOMEPATH%\Desktop\7992.12582
- %TEMP%\selfdel0.bat
- C:\nt.bat
- %TEMP%\23.tmp\batchfile.bat
- %TEMP%\c0nw0nkhidden.exe
- %TEMP%\24.tmp\b2e.exe
- %TEMP%\explorer.exe
- %TEMP%\20.tmp\b2e.exe
- <Current directory>\windowshartlell.bat
- %TEMP%\desktopspam.exe
- %TEMP%\22.tmp\b2e.exe
- %TEMP%\21.tmp\batchfile.bat
- %TEMP%\29.tmp\batchfile.bat
- %TEMP%\fdaf.exe
- %TEMP%\2A.tmp\b2e.exe
- %TEMP%\2B.tmp\batchfile.bat
- %TEMP%\trapdoorspammer.exe
- %TEMP%\28.tmp\b2e.exe
- %WINDIR%\Greatgame
- %TEMP%\25.tmp\b2e.exe
- %TEMP%\26.tmp\batchfile.bat
- %TEMP%\27.tmp\batchfile.bat
- %TEMP%\blocker.exe
- %TEMP%\1F.tmp\batchfile.bat
- %HOMEPATH%\Desktop\25839.23892
- %HOMEPATH%\Desktop\15161.18861
- %HOMEPATH%\Desktop\6339.32355
- %TEMP%\flood.exe
- %HOMEPATH%\Desktop\21831.29222
- %HOMEPATH%\Desktop\27073.2140
- %HOMEPATH%\Desktop\14142.20676
- %HOMEPATH%\Desktop\26138.19848
- %HOMEPATH%\Desktop\25152.10749
- %TEMP%\1C.tmp\b2e.exe
- %HOMEPATH%\Desktop\27979.21820
- %HOMEPATH%\Desktop\18287.17627
- %HOMEPATH%\Desktop\19003.30347
- %TEMP%\1D.tmp\batchfile.bat
- %TEMP%\compcrash.exe
- %TEMP%\1E.tmp\b2e.exe
- %HOMEPATH%\Desktop\15153.28548
- %HOMEPATH%\Desktop\1594.32706
- %HOMEPATH%\Desktop\30728.13004
- %HOMEPATH%\Desktop\27747.21628
- %HOMEPATH%\Desktop\30026.17915
- %HOMEPATH%\Desktop\25352.16066
- %TEMP%\19.tmp\batchfile.bat
- %TEMP%\c0nw0nkinfection.exe
- %TEMP%\E.tmp\b2e.exe
- %TEMP%\F.tmp\b2e.exe
- <Current directory>\windowswimn32.bat
- %TEMP%\accountspammer.exe
- %TEMP%\D.tmp\batchfile.bat
- %TEMP%\B.tmp\b2e.exe
- %TEMP%\allfiledel.exe
- %TEMP%\taskkiller.exe
- %HOMEPATH%\Desktop\TeraBIT.url
- %TEMP%\C.tmp\batchfile.bat
- %TEMP%\14.tmp\b2e.exe
- %TEMP%\13.tmp\batchfile.bat
- %TEMP%\completewipeout.exe
- %HOMEPATH%\Desktop\7333.11403
- <Current directory>\DirPath
- %TEMP%\byebye.exe
- %TEMP%\10.tmp\b2e.exe
- <Current directory>\c)
- %TEMP%\delcandd.exe
- %TEMP%\12.tmp\b2e.exe
- %TEMP%\11.tmp\batchfile.bat
- %TEMP%\A.tmp\b2e.exe
- %TEMP%\spammer.exe
- %TEMP%\3.tmp\b2e.exe
- %TEMP%\4.tmp\b2e.exe
- %TEMP%\5.tmp\b2e.exe
- %TEMP%\xcxzcxzc.exe
- %TEMP%\2.tmp\b2e.exe
- %TEMP%\webpagespam.exe
- %TEMP%\hinternet.exe
- %TEMP%\1.tmp\b2e.exe
- %TEMP%\ultimate virus.exe
- %TEMP%\internalwipe.exe
- %TEMP%\7.tmp\b2e.exe
- %TEMP%\6.tmp\batchfile.bat
- %TEMP%\8.tmp\batchfile.bat
- %TEMP%\9.tmp\batchfile.bat
- %TEMP%\hshutdown.exe
- <SYSTEM32>\sxmm.dll
- <SYSTEM32>\csmm.exe
- %TEMP%\Sender.exe
- %TEMP%\virus bind.exe
- <SYSTEM32>\config\Rundll32.exe
- %TEMP%\shutdown.exe
- %HOMEPATH%\Desktop\31681.664
- %HOMEPATH%\Desktop\2023.18303
- %HOMEPATH%\Desktop\24014.24071
- %HOMEPATH%\Desktop\25132.15198
- %HOMEPATH%\Desktop\10974.6016
- %HOMEPATH%\Desktop\32040.6730
- %HOMEPATH%\Desktop\4792.23899
- %HOMEPATH%\Desktop\6893.1128
- %HOMEPATH%\Desktop\4233.27265
- %HOMEPATH%\Desktop\18183.15389
- %HOMEPATH%\Desktop\4094.29482
- %HOMEPATH%\Desktop\32036.11261
- %HOMEPATH%\Desktop\30380.30903
- %HOMEPATH%\Desktop\11996.12714
- %HOMEPATH%\Desktop\3745.7826
- %HOMEPATH%\Desktop\7222.22423
- %HOMEPATH%\Desktop\9970.7561
- %TEMP%\18.tmp\b2e.exe
- %HOMEPATH%\Desktop\6011.4757
- %HOMEPATH%\Desktop\28259.25177
- %HOMEPATH%\Desktop\29128.8705
- %HOMEPATH%\Desktop\14368.18913
- %HOMEPATH%\Desktop\15668.12487
- %HOMEPATH%\Desktop\738.7817
- %HOMEPATH%\Desktop\25750.19358
- %TEMP%\15.tmp\b2e.exe
- %HOMEPATH%\Desktop\23029.7782
- %HOMEPATH%\Desktop\26555.25848
- <Current directory>\batchfile.bat
- %HOMEPATH%\Desktop\20726.20128
- %HOMEPATH%\Desktop\856.37
- %HOMEPATH%\Desktop\21896.9789
- %HOMEPATH%\Desktop\25571.12961
- %HOMEPATH%\Desktop\9461.4321
- %HOMEPATH%\Desktop\5731.13833
- %HOMEPATH%\Desktop\16508.30496
- %TEMP%\17.tmp\batchfile.bat
- %HOMEPATH%\Desktop\14529.9941
- %HOMEPATH%\Desktop\1050.8420
- %HOMEPATH%\Desktop\21602.7978
- %HOMEPATH%\Desktop\16405.24576
- %TEMP%\16.tmp\batchfile.bat
- %HOMEPATH%\Desktop\15976.7027
- %HOMEPATH%\Desktop\19212.14917
- %TEMP%\pccrash.exe
- %HOMEPATH%\Desktop\27078.557
- %WINDIR%\Fonts\tunga.ttf
- %WINDIR%\Fonts\verdana.ttf
- %WINDIR%\Fonts\trebucit.ttf
- %WINDIR%\Fonts\trebucbd.ttf
- %WINDIR%\Fonts\trebucbi.ttf
- %WINDIR%\Fonts\vrinda.ttf
- %WINDIR%\Fonts\webdings.ttf
- %WINDIR%\Fonts\verdanaz.ttf
- %WINDIR%\Fonts\verdanab.ttf
- %WINDIR%\Fonts\verdanai.ttf
- %WINDIR%\Fonts\trebuc.ttf
- %WINDIR%\Fonts\symbol.ttf
- %WINDIR%\Fonts\tahoma.ttf
- %WINDIR%\Fonts\sylfaen.ttf
- %WINDIR%\Fonts\script.fon
- %WINDIR%\Fonts\shruti.ttf
- %WINDIR%\Fonts\timesbi.ttf
- %WINDIR%\Fonts\timesi.ttf
- %WINDIR%\Fonts\timesbd.ttf
- %WINDIR%\Fonts\tahomabd.ttf
- %WINDIR%\Fonts\times.ttf
- <SYSTEM32>\ssmypics.scr
- <SYSTEM32>\ssmyst.scr
- <SYSTEM32>\ssmarque.scr
- <SYSTEM32>\ssbezier.scr
- <SYSTEM32>\ssflwbox.scr
- %TEMP%\17.tmp\batchfile.bat
- %TEMP%\E.tmp\b2e.exe
- <SYSTEM32>\sstext3d.scr
- <SYSTEM32>\sspipes.scr
- <SYSTEM32>\ssstars.scr
- <SYSTEM32>\ss3dfo.scr
- %WINDIR%\Fonts\wst_fren.fon
- %WINDIR%\Fonts\wst_germ.fon
- %WINDIR%\Fonts\wst_engl.fon
- %WINDIR%\Fonts\wingding.ttf
- %WINDIR%\Fonts\wst_czec.fon
- <SYSTEM32>\logon.scr
- <SYSTEM32>\scrnsave.scr
- %WINDIR%\Fonts\wst_swed.fon
- %WINDIR%\Fonts\wst_ital.fon
- %WINDIR%\Fonts\wst_span.fon
- %WINDIR%\Fonts\roman.fon
- %WINDIR%\Fonts\framdit.ttf
- %WINDIR%\Fonts\gautami.ttf
- %WINDIR%\Fonts\framd.ttf
- %WINDIR%\Fonts\couri.ttf
- %WINDIR%\Fonts\estre.ttf
- %WINDIR%\Fonts\georgiaz.ttf
- %WINDIR%\Fonts\GlobalMonospace.CompositeFont
- %WINDIR%\Fonts\georgiai.ttf
- %WINDIR%\Fonts\georgia.ttf
- %WINDIR%\Fonts\georgiab.ttf
- %WINDIR%\Fonts\courbi.ttf
- %WINDIR%\Fonts\arialbi.ttf
- %WINDIR%\Fonts\ariali.ttf
- %WINDIR%\Fonts\arialbd.ttf
- <Current directory>\DirPath
- %WINDIR%\Fonts\arial.ttf
- %WINDIR%\Fonts\cour.ttf
- %WINDIR%\Fonts\courbd.ttf
- %WINDIR%\Fonts\comicbd.ttf
- %WINDIR%\Fonts\ariblk.ttf
- %WINDIR%\Fonts\comic.ttf
- %WINDIR%\Fonts\modern.fon
- %WINDIR%\Fonts\mvboli.ttf
- %WINDIR%\Fonts\micross.ttf
- %WINDIR%\Fonts\lucon.ttf
- %WINDIR%\Fonts\mangal.ttf
- %WINDIR%\Fonts\palai.ttf
- %WINDIR%\Fonts\raavi.ttf
- %WINDIR%\Fonts\palabi.ttf
- %WINDIR%\Fonts\pala.ttf
- %WINDIR%\Fonts\palab.ttf
- %WINDIR%\Fonts\lsansi.ttf
- %WINDIR%\Fonts\impact.ttf
- %WINDIR%\Fonts\kartika.ttf
- %WINDIR%\Fonts\GlobalUserInterface.CompositeFont
- %WINDIR%\Fonts\GlobalSansSerif.CompositeFont
- %WINDIR%\Fonts\GlobalSerif.CompositeFont
- %WINDIR%\Fonts\lsansd.ttf
- %WINDIR%\Fonts\lsansdi.ttf
- %WINDIR%\Fonts\lsans.ttf
- %WINDIR%\Fonts\l_10646.ttf
- %WINDIR%\Fonts\latha.ttf
- ClassName: '' WindowName: 'My Computer'
- ClassName: '' WindowName: 'Group Policy'
- ClassName: '' WindowName: 'Calculator'
- ClassName: '' WindowName: 'Windows Task Manager'
- ClassName: '' WindowName: 'Windows Media Player'
- ClassName: '' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: '' WindowName: '3.5 Floppy (B:)'
- ClassName: '' WindowName: 'Yahoo! Messenger with Voice'
- ClassName: '' WindowName: '3.5 Floppy (A:)'
- ClassName: '' WindowName: 'System Configuration Utility'
- ClassName: 'CabinetWClass' WindowName: ''
- ClassName: 'WorkerW' WindowName: ''
- ClassName: 'BUTTON' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Edit' WindowName: ''
- ClassName: '' WindowName: 'Registry Editor'
- ClassName: 'ComboBox' WindowName: ''
- ClassName: 'ReBarWindow32' WindowName: ''
- ClassName: 'ComboBoxEx32' WindowName: ''