Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\RpcEptLocator] 'Start' = '00000002'
- '%TEMP%\rsys.exe' "<Full path to virus>"
- '<SYSTEM32>\svchost.exe' -k netsvcs
- <Current directory>\vtmon.bin
- %WINDIR%\$NtServicePackUninstall02889$\docprop.cpx
- <SYSTEM32>\rpcrt3.dll
- %TEMP%\rsys.exe
- from %WINDIR%\$NtServicePackUninstall02889$\docprop.cpx to %WINDIR%\$NtServicePackUninstall02889$\SPUNINST\docprop.cpx