To complicate detection of its presence in the operating system,
forces the system to hide from view:
hidden files
Creates and executes the following:
'%PROGRAM_FILES%\a.exe'
'%PROGRAM_FILES%\a.exe' (downloaded from the Internet)
Forces autoplay for removable media.
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
%WINDIR%\noteped.exe
%PROGRAM_FILES%\exp1orer.exe
%PROGRAM_FILES%\a.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Sx_server[1].exe
<SYSTEM32>\exp1orer.exe
C:\autorun.inf
C:\exp1orer.exe
%WINDIR%\exp1orer.exe
C:\system.vbs
Sets the 'hidden' attribute to the following files:
%PROGRAM_FILES%\a.exe
<Drive name for removable media>:\system.vbs
<SYSTEM32>\exp1orer.exe
%PROGRAM_FILES%\exp1orer.exe
%WINDIR%\exp1orer.exe
C:\autorun.inf
C:\exp1orer.exe
C:\system.vbs
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\exp1orer.exe
Network activity:
Connects to:
'h1####8667.3322.org':8081
'www.ku##vb.com':80
TCP:
HTTP GET requests:
www.ku##vb.com/Sx_server.exe
UDP:
DNS ASK h1####8667.3322.org
DNS ASK www.ku##vb.com