Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '[V3lke]' = '%WINDIR%\xunhuan.vbs'
- '' (downloaded from the Internet)
- '<SYSTEM32>\net.exe' stop sharedaccess
- %WINDIR%\xunhuan.vbs
- %ProgramFiles%\.zip
- %WINDIR%\Fobeka.bat
- %WINDIR%\V3liek\Sdmer.exe
- %WINDIR%\V3like.vbs
- %ProgramFiles%\.zip
- '98.##6.49.61':21
- 'ik##a.com':80
- '10#.#49.169.7':80
- http://www.ik##a.com/ip/index.asp via ik##a.com
- http://10#.#49.169.7/Sdmer.exe
- DNS ASK www.ik##a.com
- ClassName: '' WindowName: '<Current directory>'
- '%WINDIR%\V3liek\Sdmer.exe'
- '<SYSTEM32>\wscript.exe' "%WINDIR%\xunhuan.vbs"
- '<SYSTEM32>\wscript.exe' "%WINDIR%\V3like.vbs"
- '<SYSTEM32>\net1.exe' start sharedaccess
- '<SYSTEM32>\net1.exe' stop sharedaccess
- '<SYSTEM32>\cmd.exe' /c ""%WINDIR%\Fobeka.bat" "
- '<SYSTEM32>\net.exe' start sharedaccess