Technical Information
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'FAv32' = '%WINDIR%\%WINDIR%\mscwud.exe'
- %WINDIR%\mscwud.exe
- %WINDIR%\localbuf.exe
- C:\sharedocs\removal tools.exe
- 'mi####ng.plus.vn':80
- http://mi####ng.plus.vn//netbot/port.php
- DNS ASK ha##y9x.net
- DNS ASK mi####ng.plus.vn
- ClassName: 'ConsoleWindowClass' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: '%^&*SCWORM!@#$'
- ClassName: 'ConsoleWindowClass' WindowName: '%^&*SCUB!@#$'
- ClassName: '' WindowName: ''
- '%WINDIR%\mscwud.exe'
- '%WINDIR%\localbuf.exe'
- '%WINDIR%\mscwud.exe' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "FAv32" /t "REG_SZ" /d "%WINDIR%\%WINDIR%\mscwud.exe" /f (with hidden window)
- '%WINDIR%\syswow64\net.exe' share Data=C:\ShareDocs (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "FAv32" /t "REG_SZ" /d "%WINDIR%\%WINDIR%\mscwud.exe" /f
- '%WINDIR%\syswow64\net.exe' share Data=C:\ShareDocs
- '%WINDIR%\syswow64\net1.exe' share Data=C:\ShareDocs