Technical information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Microsoft svhost service' = '%TEMP%\svhost.exe'
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe /noconfig /fullpaths @"%TEMP%\-nifoqbh.cmdline"
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\task.bat" "
- <SYSTEM32>\ping.exe -n 3 127.0.0.1
- %TEMP%\RES2.tmp
- %TEMP%\CSC1.tmp
- <LS_APPDATA>\Microsoft\svhost.exe_Url_tahhsccvdmtjpdiezsgq51w13m4bkfbv\1.0.2.58\8plfs783.newcfg
- %TEMP%\-nifoqbh.dll
- %TEMP%\-nifoqbh.out
- %TEMP%\versions
- %TEMP%\task.bat
- %TEMP%\-nifoqbh.cmdline
- %TEMP%\-nifoqbh.0.cs
- %TEMP%\-nifoqbh.dll
- %TEMP%\-nifoqbh.out
- %TEMP%\-nifoqbh.cmdline
- %TEMP%\-nifoqbh.0.cs
- %TEMP%\task.bat
- %TEMP%\RES2.tmp
- %TEMP%\CSC1.tmp
- from <Full path to virus> to %TEMP%\svhost.exe
- 'localhost':45773
- 'localhost':1040
- 'sa###e99.biz':80
- 'po##.#raigslist.org':443
- sa###e99.biz/
- sa###e99.biz/BrownieComponents/Default.aspx
- DNS ASK po##.#raigslist.org
- DNS ASK www.google.com
- DNS ASK ya##o.com
- DNS ASK sa###e99.biz
- '<IP address on the local network>':1035
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Indicator' WindowName: ''