Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Virus name>.exe' = '<Full path to virus>'
- %TEMP%\kingsoftkonline\kavsetyups_66_0.exe /s
- %WINDIR%\king.exe
- %TEMP%\kingsoftkonline\kavsetyups_66_0.exe (downloaded from the Internet)
- %TEMP%\kingsoftkonline\kavsetyups_66_0.exe.tmp
- %WINDIR%\king.exe
- from %TEMP%\kingsoftkonline\kavsetyups_66_0.exe.tmp to %TEMP%\kingsoftkonline\kavsetyups_66_0.exe
- 'cd###.www.duba.net':80
- 'www.iw##eng.com':80
- 'bo.###a.net:8080':80
- www.iw##eng.com/tc.txt
- cd###.www.duba.net/duba/install/2011/ever/kavsetyups_66_0.exe
- bo.###a.net:8080/pagetracer2/duba/__utm.gif?01#####################################################################################################################
- www.iw##eng.com/ok.txt
- DNS ASK cd###.www.duba.net
- DNS ASK www.iw##eng.com
- DNS ASK bo.###a.net:8080
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'ENewFrame' WindowName: ''