Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'towoo.exe' = '%PROGRAM_FILES%\towoo\towoo.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'toowo.exe' = '%PROGRAM_FILES%\toowo\toowo.exe'
- %PROGRAM_FILES%\towoo\towoo.exe
- %PROGRAM_FILES%\toowo\toowo.exe
- %PROGRAM_FILES%\towoo\towoo.exe (downloaded from the Internet)
- %PROGRAM_FILES%\toowo\toowo.exe (downloaded from the Internet)
- <SYSTEM32>\cmd.exe /c <Current directory>\$2s3d.bat
- <SYSTEM32>\schtasks.exe /create /sc onlogon /tn "Windows ziptool" /tr "\"%PROGRAM_FILES%\towoo\towoo.exe"\" /rl highest
- <SYSTEM32>\schtasks.exe /create /sc onlogon /tn "Windows winwool" /tr "\"%PROGRAM_FILES%\toowo\toowo.exe"\" /rl highest
- %PROGRAM_FILES%\towoo\towoo.exe
- <Current directory>\$2s3d.bat
- %PROGRAM_FILES%\toowo\toowo.exe
- %PROGRAM_FILES%\toowo\ar.dat
- %PROGRAM_FILES%\towoo\ar.dat
- 'ju##ip.com':80
- '22#.#43.20.250':80
- 'cy###my.co.kr':80
- 22#.#43.20.250/upload2/towoo.exe
- cy###my.co.kr/check/check.php?m=##################
- ju##ip.com/t_ptr/awrite.php?pt##
- cy###my.co.kr/troute/earse_easy.php
- cy###my.co.kr/troute/trout_up.php
- 22#.#43.20.250/upload2/toowo.exe
- DNS ASK ju##ip.com
- DNS ASK cy###my.co.kr