Technical Information
- '<SYSTEM32>\svchost.exe' ext "<Full path to virus>"
- <SYSTEM32>\svchost.exe
- %APPDATA%\Roaming\tor\hidden_service\hostname.tmp
- %APPDATA%\Roaming\tor\hidden_service\private_key.tmp
- %APPDATA%\Roaming\tor\state.tmp
- from %APPDATA%\Roaming\tor\hidden_service\hostname.tmp to %APPDATA%\Roaming\tor\hidden_service\hostname
- from %APPDATA%\Roaming\tor\hidden_service\private_key.tmp to %APPDATA%\Roaming\tor\hidden_service\private_key
- from %APPDATA%\Roaming\tor\state.tmp to %APPDATA%\Roaming\tor\state
- '20#.#3.223.34':80
- 'localhost':49167
- DNS ASK ch####p.dyndns.org