Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsServices' = '%APPDATA%\winup.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsServices' = '%APPDATA%\winup.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 'WindowsServices' = '%APPDATA%\winup.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsServices' = '%APPDATA%\winup.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsServices' = '%APPDATA%\winup.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 'WindowsServices' = '%APPDATA%\winup.exe'
- %APPDATA%\winup.exe
- <SYSTEM32>\cmd.exe /c %TEMP%\UNI1.tmp.bat
- NtQuerySystemInformation, драйвер-обработчик: winup.sys
- NtQueryDirectoryFile, драйвер-обработчик: winup.sys
- %APPDATA%\winup.exe
- %TEMP%\UNI1.tmp.bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\index[1].php
- <DRIVERS>\winup.sys
- %APPDATA%\winup.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\index[1].php
- <DRIVERS>\winup.sys
- 'do###tic001.com':80
- do###tic001.com/index.php?ac###################################
- DNS ASK do###tic001.com
- '<IP-адрес в локальной сети>':1037
- ClassName: 'Indicator' WindowName: ''