Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UIHost' = 'logonui.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Полный путь к вирусу>' = '<Полный путь к вирусу>:*:Enabled:sys'
- '<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
- '<SYSTEM32>\reg.exe' delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <Полный путь к вирусу> sys enable
- '<SYSTEM32>\wscript.exe' -b %TEMP%\1.tmp
- AVSYNMGR.EXE
- bdagent.exe
- AVPM.EXE
- AVP32.EXE
- AVPCC.EXE
- drweb.exe
- Drweb32w.exe
- ClamWin.exe
- bdss.exe
- bdsubmit.exe
- AVP.EXE
- ash.exe
- ashAvast.exe
- aion.exe
- 360tray.exe
- ageofconan.exe
- AVGCTRL.EXE
- AVP.COM
- AVGCC32.EXE
- ashAvSrv.exe
- avgcc.exe
- %HOMEPATH%\explorer.dll
- <SYSTEM32>\explorer.dll
- %TEMP%\1.tmp
- %HOMEPATH%\ms_tcp.dll
- <SYSTEM32>\ms_tcp.dll
- %TEMP%\1.tmp
- Класс окна (ClassName): 'Indicator'; имя окна (WindowName): '(null)'