Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'Start' = '00000000' (SERVICE_BOOT_START)
- [<HKLM>\SYSTEM\ControlSet001\Services\srservice] 'Start' = '00000002' (SERVICE_AUTO_START)
- System Restore (SR)
- '%TEMP%\PEVZ.EXE' -tf "C:\Documents and Settings\LocalService\Desktop\zoekscript*.txt"
- '%TEMP%\PEVZ.EXE' -tf "C:\Documents and Settings\Default User\Desktop\zoekscript*.txt"
- '%TEMP%\PEVZ.EXE' -tf "%HOMEPATH%\Desktop\zoekscript*.txt"
- '%TEMP%\PEVZ.EXE' -tf "C:\Documents and Settings\NetworkService\Desktop\zoekscript*.txt"
- '%TEMP%\PEVZ.EXE' -tf "%ALLUSERSPROFILE%\Desktop\zoekscript*.txt"
- '%TEMP%\wget.exe' http://www.hi###kthis.nl/smeenk/sample/download5.bat (batch script fetched over plain HTTP on port 80 — no transport integrity protection; the report does not show whether the downloaded file is subsequently executed)
- '%TEMP%\1.tmp\PEVZ.EXE' PLIST
- '%TEMP%\PEVZ.EXE' -rtd "C:\Documents and Settings\*"
- '%TEMP%\PEVZ.EXE' MOVEEX "%TEMP%\zoek.com"
- '<SYSTEM32>\cscript.exe' //I //nologo drt.vbs
- '<SYSTEM32>\cscript.exe' //I //nologo test.vbs
- '<SYSTEM32>\cscript.exe' //I //nologo os.vbs
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" elog.txt
- '<SYSTEM32>\mshta.exe' "%TEMP%\zoek.hta"
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common Desktop"
- '<SYSTEM32>\findstr.exe' /M "="
- '<SYSTEM32>\find.exe' /i "x86"
- '<SYSTEM32>\findstr.exe' /M /I "mshta.exe"
- '<SYSTEM32>\findstr.exe' -RIV "C:\\WINDOWS\\system32\\svchost.exe C:\\WINDOWS\\system32\\cmd.exe \\PEVZ.exe" ProcessList.txt
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\zoek-install.bat" "
- '<SYSTEM32>\attrib.exe' -r -s -h "%TEMP%\1.tmp\*.*"
- '<SYSTEM32>\reg.exe' Query HKLM\Hardware\Description\System\CentralProcessor\0
- '<SYSTEM32>\findstr.exe' /M /I "4.0.0.4"
- '<SYSTEM32>\attrib.exe' -r -s -h "%TEMP%\1.tmp"
- %TEMP%\log3
- %TEMP%\shortcut.exe
- %TEMP%\hijackthis.exe
- %TEMP%\tmp.txt
- %TEMP%\log.txt
- %TEMP%\log2
- %TEMP%\7za.exe
- %TEMP%\zoek-delete.exe
- %TEMP%\zoekrun.hta
- %TEMP%\remove.exe
- %TEMP%\swxcacls.exe
- %TEMP%\sed.exe
- %TEMP%\NirCmd.exe
- %TEMP%\exportit.txt
- %TEMP%\elog1.txt
- %TEMP%\elog.txt
- %TEMP%\0.zoek
- %TEMP%\users.txt
- %TEMP%\audesktop.txt
- %TEMP%\drt.vbs
- %TEMP%\os.vbs
- %TEMP%\StringCheck.txt
- %TEMP%\checkOS.txt
- %TEMP%\tmp1.txt
- %TEMP%\test.vbs
- %TEMP%\ostmp.tmp
- %TEMP%\1.tmp\z8.scf
- %TEMP%\1.tmp\z7.scf
- %TEMP%\1.tmp\z6.scf
- %TEMP%\1.tmp\zb.scf
- %TEMP%\1.tmp\za.scf
- %TEMP%\1.tmp\z9.scf
- %TEMP%\1.tmp\z5.scf
- %TEMP%\1.tmp\z1.scf
- %TEMP%\1.tmp\z0.scf
- %TEMP%\1.tmp\zoek-install.bat
- %TEMP%\1.tmp\z4.scf
- %TEMP%\1.tmp\z3.scf
- %TEMP%\1.tmp\z2.scf
- %TEMP%\zoek.bat
- %TEMP%\zoek.hta
- %TEMP%\1.tmp\log.txt
- %TEMP%\wget.exe
- %TEMP%\PEVZ.EXE
- %TEMP%\swreg.exe
- %TEMP%\urlzoek
- %TEMP%\1.tmp\ze.scf
- %TEMP%\1.tmp\zd.scf
- %TEMP%\1.tmp\zc.scf
- %TEMP%\1.tmp\logje.txt
- %TEMP%\1.tmp\ProcessList.txt
- %TEMP%\1.tmp\PEVZ.EXE
- %TEMP%\StringCheck.txt
- %TEMP%\tmp.txt
- %TEMP%\os.vbs
- %TEMP%\checkOS.txt
- %TEMP%\1.tmp\PEVZ.EXE
- %TEMP%\1.tmp\log.txt
- %TEMP%\log3
- %TEMP%\log2
- %TEMP%\test.vbs
- %TEMP%\exportit.txt
- %TEMP%\elog1.txt
- %TEMP%\users.txt
- %TEMP%\audesktop.txt
- %TEMP%\drt.vbs
- %TEMP%\tmp1.txt
- %TEMP%\elog.txt
- %TEMP%\ostmp.tmp
- %TEMP%\1.tmp\z3.scf
- %TEMP%\1.tmp\z2.scf
- %TEMP%\1.tmp\z5.scf
- %TEMP%\1.tmp\z4.scf
- %TEMP%\1.tmp\logje.txt
- %TEMP%\1.tmp\ProcessList.txt
- %TEMP%\1.tmp\z1.scf
- %TEMP%\1.tmp\z0.scf
- %TEMP%\1.tmp\z6.scf
- %TEMP%\1.tmp\zc.scf
- %TEMP%\1.tmp\zb.scf
- %TEMP%\1.tmp\ze.scf
- %TEMP%\1.tmp\zd.scf
- %TEMP%\1.tmp\z8.scf
- %TEMP%\1.tmp\z7.scf
- %TEMP%\1.tmp\za.scf
- %TEMP%\1.tmp\z9.scf
- 'www.hi###kthis.nl':80 (host name partially masked with '###' in this report)
- www.hi###kthis.nl/smeenk/sample/download5.bat
- DNS ASK www.hi###kthis.nl
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'HTML Application Host Window Class' WindowName: '(null)'