Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe <SYSTEM32>\winsas.exe'
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\driver
- hidden files
- file extensions
- '<SYSTEM32>\k.exe'
- '<SYSTEM32>\winsas.exe'
- '<SYSTEM32>\k.exe' (downloaded from the Internet)
- '<SYSTEM32>\net1.exe' /pid=3484
- '<SYSTEM32>\net1.exe' /c taskkill /f /im NOD32.exe /t
- '<SYSTEM32>\regsvr32.exe' /c taskkill /f /im MCVSESCN.exe /t
- '<SYSTEM32>\taskkill.exe' /pid=2980
- '<SYSTEM32>\net1.exe' /pid=2760
- '<SYSTEM32>\taskkill.exe' /pid=3652
- '<SYSTEM32>\taskkill.exe' /f /im NOD32KUI.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCUPDATE.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCAGENT.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im dap.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NOD32KRN.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NOD32.exe /t
- '<SYSTEM32>\taskkill.exe' STOP MCSHIELD
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im NOD32KUI.exe /t
- '<SYSTEM32>\alg.exe' /f /im NAVW32.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im MCAGENT.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im NOD32KRN.exe /t
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im NOD32.exe /t
- '<SYSTEM32>\net1.exe' /pid=1480
- '<SYSTEM32>\net1.exe' /pid=3520
- '<SYSTEM32>\taskkill.exe' /pid=3240
- '<SYSTEM32>\taskkill.exe' /pid=3340
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im MCMNHDLR.exe /t
- '<SYSTEM32>\taskkill.exe' /pid=300
- '<SYSTEM32>\taskkill.exe' /c taskkill /f /im NAVLU32.exe /t
- '<SYSTEM32>\net1.exe' STOP AntiVirScheduler
- '<SYSTEM32>\net1.exe' STOP MCSHIELD
- '<SYSTEM32>\net.exe' STOP SharedAccess
- '<SYSTEM32>\net1.exe' STOP SharedAccess
- '<SYSTEM32>\net1.exe' STOP AntiVirservice
- '<SYSTEM32>\net1.exe' STOP NOD32 Kernel Service
- '<SYSTEM32>\net.exe' STOP AntiVirScheduler
- '<SYSTEM32>\net.exe' STOP MCSHIELD
- '<SYSTEM32>\regsvr32.exe' /s MSWINSCK.OCX
- '<SYSTEM32>\net.exe' STOP wuauserv
- '<SYSTEM32>\net.exe' STOP AntiVirservice
- '<SYSTEM32>\net.exe' STOP NOD32 Kernel Service
- '<SYSTEM32>\net1.exe' STOP wuauserv
- '<SYSTEM32>\taskkill.exe' /f /im NAVWNT.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVW32.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVLU32.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCMNHDLR.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCVSRTE.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCTOOL.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVAPSVC.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCVSFTSN.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im MCVSESCN.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVSTUB.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVDX.exe /t
- '<SYSTEM32>\taskkill.exe' /f /im NAVAPW32.exe /t
- <SYSTEM32>\taskkill.exe
- <SYSTEM32>\alg.exe
- <SYSTEM32>\regsvr32.exe
- <SYSTEM32>\net1.exe
- nod32.exe
- nod32.exe
- NAVAPW32.EXE
- C:\SaS-Worm-Remover
- C:\Serial-Magic82013
- C:\ACDSee-Patch2013
- C:\New-Joke-For-You
- %WINDIR%-CreackerPro
- C:\www-magic-download
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\k[1].txt
- <SYSTEM32>\k.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\p[1].php
- C:\i
- <SYSTEM32>\ifrmsas
- C:\autorun.inf
- <SYSTEM32>\winsas
- C:\driver
- <SYSTEM32>\MSWINSCK.OCX
- <SYSTEM32>\winsas.ico
- C:\Text
- C:\Document-File
- C:\GoldenEye-ScreenServer
- <SYSTEM32>\winsas.exe
- C:\YourEmail
- <Drive name for removable media>:\driver.exe
- <SYSTEM32>\winsas.exe
- <Drive name for removable media>:\autorun.inf
- C:\autorun.inf
- C:\driver.exe
- C:\ACDSee-Patch2013.exe
- %WINDIR%-CreackerPro.com
- C:\New-Joke-For-You.pif
- C:\SaS-Worm-Remover.com
- C:\i
- C:\www-magic-download.com
- C:\Serial-Magic82013.com
- %TEMP%\~DF213C.tmp
- <Drive name for removable media>:\driver
- C:\driver
- C:\YourEmail.pif
- C:\Document-File.pif
- C:\Text.pif
- C:\GoldenEye-ScreenServer.scr
- from C:\ACDSee-Patch2013 to C:\ACDSee-Patch2013.exe
- from %WINDIR%-CreackerPro to %WINDIR%-CreackerPro.com
- from C:\New-Joke-For-You to C:\New-Joke-For-You.pif
- from C:\www-magic-download to C:\www-magic-download.com
- from C:\Serial-Magic82013 to C:\Serial-Magic82013.com
- from C:\SaS-Worm-Remover to C:\SaS-Worm-Remover.com
- from C:\YourEmail to C:\YourEmail.pif
- from <SYSTEM32>\winsas to <SYSTEM32>\winsas.exe
- from C:\driver to C:\driver.exe
- from C:\Document-File to C:\Document-File.pif
- from C:\Text to C:\Text.pif
- from C:\GoldenEye-ScreenServer to C:\GoldenEye-ScreenServer.scr
- 'localhost':1066
- 'sa##2.co.cc':80
- '<Private IP address>':445
- '<Private IP address>':139
- sa##2.co.cc/k.txt
- sa##2.co.cc/i/_counter/p.php?h=############################################################
- DNS ASK sa##2.co.cc
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: '(null)' WindowName: '<SYSTEM32>'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'Registry Editor'
- ClassName: '(null)' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'System Configuration Utility'
- ClassName: '(null)' WindowName: 'Windows Task Manager'