Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'safeQQ' = '%CommonProgramFiles%\cosx.exe'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\boxook.ys168[2]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\boxook.ys168[1]
Moves itself:
- from <Full path to virus> to %CommonProgramFiles%\cosx.exe
Network activity:
Connects to:
- 'bo####.ys168.com':80
TCP:
HTTP GET requests:
- bo####.ys168.com/
UDP:
- DNS ASK bo####.ys168.com
