Technical Information
- [<HKLM>\System\CurrentControlSet\Services\ClipSrv] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\ClipSrv] 'ImagePath' = '%WINDIR%\Usall.exe'
- %TEMP%\rroreiio.tmp
- %WINDIR%\usall.exe
- from %TEMP%\rroreiio.tmp to %WINDIR%\usall.exe
- http://bj######ay.mycyberway.com/1234.txt
- DNS ASK 78###.rhelper.com
- DNS ASK bj######ay.mycyberway.com
- '%WINDIR%\usall.exe'