Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe %WINDIR%\svchost.exe'
- hidden files
- <Full path to virus>
- %WINDIR%\svchost.exe
- <Current directory>\<Virus name>111.exe
- %WINDIR%\conime.exe
- from <Full path to virus> to <Current directory>\<Virus name>222.exe
- 'xx####453.vicp.net':6381
- DNS ASK xx####453.vicp.net
- ClassName: 'Shell_TrayWnd' WindowName: ''