Remote Host | Port Number
ate.lacoctelera.net | 1034
Other details
* To mark the presence in the system, the following Mutex objects were created:
o Micro Upe
o oleacc-msaa-loaded
o _!SHMSFTHISTORY!_
* The following Host Names were requested from a host database:
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = “%Windir%\jusched.exe”
so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = “%Windir%\jusched.exe”
so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = “%Windir%\jusched.exe”
so that jusched.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name | Process Filename | Main Module Size
jusched.exe | %ProgramFiles%\jusched.exe | 200 704 bytes
jusched.exe | %Windir%\jusched.exe | 135 168 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 3 141 632 bytes
* The following system service was modified:
Service Name | Display Name | New Status | Service Filename
wuauserv | Automatic Updates | “Stopped” | %System%\svchost.exe -k netsvcs