Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{A3D3571-4C21-4F97-ECC9-B8731F7C8}] 'StubPath' = '%TEMP%\activex.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WinNTO' = '<Полный путь к вирусу>'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WinNTO' = 'C:\Users\Olivier\AppData\Roaming\WinNTO.exe'
- Редактора реестра (RegEdit)
- Компонент восстановления системы (SR)
- %TEMP%\459setup.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp"
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe /noconfig /fullpaths @"%TEMP%\y_1hzfgu.cmdline"
- %TEMP%\y_1hzfgu.dll
- %TEMP%\RES2.tmp
- %HOMEPATH%\Local Settings\TempXYZ Stealer Logs - USER-4BB09A9C02@9-30-2011 12-17-12 PM.txt
- %TEMP%\activex.exe
- %TEMP%\CSC1.tmp
- %TEMP%\y_1hzfgu.cmdline
- %TEMP%\y_1hzfgu.0.cs
- %TEMP%\459setup.exe
- %TEMP%\y_1hzfgu.out
- %TEMP%\y_1hzfgu.cmdline
- %TEMP%\y_1hzfgu.out
- %TEMP%\activex.exe
- %TEMP%\459setup.exe
- %TEMP%\CSC1.tmp
- %TEMP%\RES2.tmp
- %TEMP%\y_1hzfgu.dll
- %TEMP%\y_1hzfgu.0.cs
- 'ft#.#rivehq.com':21
- DNS ASK ft#.#rivehq.com
- '<IP-адрес в локальной сети>':1036
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''