Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'System.EnterpriseServices.Thunk' = '"%TEMP%\ngen.exe"'
- '%TEMP%\tmp1.tmp.exe' <Full path to virus>
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3.tmp" "%TEMP%\vbc2.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\sc5yhpzy.cmdline"
- %TEMP%\RES3.tmp
- %TEMP%\vbc2.tmp
- %TEMP%\ngen.exe
- %TEMP%\tmp1.tmp.exe
- %TEMP%\sc5yhpzy.0.vb
- <Current directory>\zCom.resources
- %TEMP%\sc5yhpzy.out
- %TEMP%\sc5yhpzy.cmdline
- %TEMP%\sc5yhpzy.0.vb
- %TEMP%\sc5yhpzy.cmdline
- <Current directory>\zCom.resources
- %TEMP%\RES3.tmp
- %TEMP%\vbc2.tmp
- %TEMP%\sc5yhpzy.out
- from %TEMP%\tmp1.tmp.exe to %TEMP%\ngen.exe
- 'localhost':127
- 'be##z.com':80
- 'wp#d':80
- be##z.com/IP.php
- wp#d/wpad.dat
- DNS ASK be##z.com
- DNS ASK wp#d