Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\nProtect Network Packet Monitoring] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Security Web] 'Start' = '00000002'
- <SYSTEM32>\msvcr71.dll with <SYSTEM32>\msvcr71.dll
- '%WINDIR%\npmsvc.exe'
- '<SYSTEM32>\NetAgent.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\cmd.exe' /c del <Full path to virus> > nul
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 80 NATEONPatcher
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="NATEONPatcher" dir=in action=allow protocol=tcp localport=80
- %WINDIR%\npmsvc.dss
- %WINDIR%\npmsvc.exe
- <SYSTEM32>\web.dss
- <SYSTEM32>\NetAgent.exe
- %WINDIR%\npmsvc.dss
- %WINDIR%\npmsvc.exe
- <SYSTEM32>\web.dss
- <SYSTEM32>\NetAgent.exe
- <SYSTEM32>\msvcr71.dll
- 'be####beye2000.com':80
- http://be####beye2000.com/auth21000_r.html
- DNS ASK be####beye2000.com
- ClassName: '' WindowName: ''