Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'spools' = '<SYSTEM32>\crss.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\spools] 'ImagePath' = '<SYSTEM32>\spools.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\spools] 'Start' = '00000002'
- '<SYSTEM32>\crss.exe'
- '<SYSTEM32>\spools.exe'
- '<SYSTEM32>\spools.exe' -start
- '<SYSTEM32>\notepad.exe' %TEMP%\<Имя файла>.TXT
- '<SYSTEM32>\spools.exe' -i
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\query007[1].asp
- %WINDIR%\Temp\1488479370.tmp
- %TEMP%\1488479384.tmp
- %TEMP%\1488479387.tmp
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\2VAZY7AN\query007[1].asp
- C:\Documents and Settings\LocalService\Local Settings\<INETFILES>\Content.IE5\CJCTQ25G\query007[1].asp
- <SYSTEM32>\spools.exe
- %TEMP%\<Имя файла>.TXT
- <SYSTEM32>\crss.exe
- %TEMP%\1488479369.tmp
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\query007[1].asp
- %TEMP%\1488479387.tmp
- %TEMP%\1488479384.tmp
- %TEMP%\1488479369.tmp
- 'vn##.#abusiki.cn':1254
- 'vn##.#abusiki.cn':80
- 'ii##.adzv.cn':80
- 'localhost':1038
- 'localhost':1254
- 'localhost':1040
- http://ii##.adzv.cn/query007.asp?tm##########################################################
- http://vn##.#abusiki.cn/query007.asp?tm##########################################################
- DNS ASK ii##.adzv.cn
- DNS ASK vn##.#abusiki.cn
- ClassName: 'Shell_TrayWnd' WindowName: ''