W32/Pinkslipbot
W32/Pinkslipbot (or W32.Qakbot) is a virus that spreads through vulnerable network shares. W32/Pinkslipbot downloads corrupt files, steals confidential information, and opens a backdoor for other malware to enter the system. W32/Pinkslipbot contains rootkit functionality to allow it to hide from certain malware removers.
File System Modifications
- The following files were created in the system:
  #  File Name
  1  %Appdata%\Microsoft\kxviad\kxvia.dll
  2  %Appdata%\microsoft\kxviad\kxviad.exe
  3  %Appdata%\Microsoft\kxviad\q1.19181
  4  %Appdata%\Microsoft\kxviad\q1.20997
  5  %Appdata%\Microsoft\kxviad\q1.22006
Registry Modifications
- The following registry values were created (the run keys below give the malware persistence at logon):
  HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\
    "[Application Name]" = ""%Appdata%\microsoft\kxviad\kxviad.exe" /c [Application path]"
    "ctfmon" = "%Appdata%\microsoft\kxviad\kxviad.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
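A host triage check for the file and run-key artifacts listed above, written in PowerShell as an added example (it is not part of the original write-up). It assumes the published paths and the folder name "kxviad" exactly as reported here, and that it runs in the affected user's session.

```powershell
# Added triage check (example code, not from the write-up): looks for the
# persistence artifacts listed above. Assumes the published paths; the
# folder name "kxviad" is the one reported here and may differ per sample.
$artifactDir = Join-Path $env:APPDATA 'Microsoft\kxviad'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Dropped files. -Force is needed because the dropper hides them.
if (Test-Path -LiteralPath $artifactDir) {
    foreach ($f in Get-ChildItem -LiteralPath $artifactDir -Force -File) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $f.FullName
            Detail = "Attributes=$($f.Attributes); SHA256=$hash"
        }
    }
}

# 2. Run-key values whose expanded command line points into that folder.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -match '(?i)\\microsoft\\kxviad\\') {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Where  = "$key\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Pinkslipbot persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the write-up notes a rootkit component, a clean result on a live infected host is not conclusive; the same checks are more trustworthy from a clean boot or against an offline image of the disk and registry hives.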
You forgot to mention that all files and registry entries are hidden until no injected processes are running.
You also forgot that the Pinkslipbot has a scheduled job which executes a JavaScript.
The job is (hidden) located in %windir%\tasks and the script file in %windir%\temp.