Technical Information
- '%APPDATA%\Elyk\imym.exe'
- '<SYSTEM32>\svchost.exe' --HiddenServiceDir "%APPDATA%\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"
- '<SYSTEM32>\svchost.exe' "ext" "<Full path to virus>"
- '<SYSTEM32>\svchost.exe' ext "<Full path to virus>"
- <SYSTEM32>\svchost.exe
- %APPDATA%\tor\hidden_service\hostname.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\checkip.dyndns[1]
- %APPDATA%\tor\hidden_service\private_key.tmp
- %APPDATA%\Elyk\imym.exe
- %APPDATA%\tor\state.tmp
- from %APPDATA%\tor\hidden_service\hostname.tmp to %APPDATA%\tor\hidden_service\hostname
- from %APPDATA%\tor\hidden_service\private_key.tmp to %APPDATA%\tor\hidden_service\private_key
- from %APPDATA%\tor\state.tmp to %APPDATA%\tor\state
- http://ch####p.dyndns.org/
- DNS ASK