Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:csrss'
- '%TEMP%\ERNXHwVwoT.exe'
- '%TEMP%\ERNXHwVwoT.exe' (downloaded from the Internet)
- %TEMP%\ERNXHwVwoT.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\y[1]
- 'bu##tu.in':80
- 'localhost':1036
- bu##tu.in/k/y
- DNS ASK bu##tu.in