The malicious code is hidden in an htm file:
The following is its behavior after execution:
[Dll Injection]
C:\Program Files\Common Files\wincreat.dll (injected into certain running processes such as Explorer.exe)
[Added Files]
C:\Documents and Settings\Administrator\Local Settings\Temp\feipeng.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\help[1].htm
C:\Program Files\Common Files\wincreat.dll
C:\WINDOWS\system32\winCreate.exe
[Added BHO]
{D14CE39F-EED3-489A-948C-FCD588F831E7}-C:\Program Files\Common Files\wincreat.dll