Technical Information
- <SYSTEM32>\userinit.exe with %TEMP%\tmp77373732727.tmp
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:ldrsoft'
- from <SYSTEM32>\userinit.exe to <SYSTEM32>\userinitxx.exe
- from <Full path to virus> to %TEMP%\tmp77373732727.tmp
- 'hs###der.com':80
- hs###der.com/load2/img.php?v=###########################################################################
- DNS ASK hs###der.com