Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'Explorer.exe <Full path to virus>'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:system.exe'
- '20#.#6.232.182':80
- 're###sweet.com':80
- 20#.#6.232.182/
- re###sweet.com/www/logo.php
- DNS ASK windowsupdate.microsoft.com
- DNS ASK re###sweet.com
- DNS ASK 57.##.##.48.in-addr.arpa