Техническая информация (индикаторы активности образца: создаваемые ключи реестра, файлы, сетевые обращения и запускаемые процессы)
- [<HKLM>\SYSTEM\ControlSet001\Services\RASDEV] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RASDEV] 'ImagePath' = '%ALLUSERSPROFILE%\Application Data\RASDEV.DAT'
  (регистрируется служба RASDEV: Start = 2 соответствует SERVICE_AUTO_START, т.е. автозапуску при загрузке системы; ImagePath указывает на файл с расширением .DAT в каталоге данных приложений, а не в %SystemRoot%\System32 — это механизм закрепления в системе, см. перенос файла RASDEV.DAT ниже)
- <SYSTEM32>\cmd.exe
- %TEMP%\7ZipSfx.000\temp.txt
- %TEMP%\7ZipSfx.000\Setup64.exe
- %TEMP%\7ZipSfx.000\fat32.sys
- %TEMP%\7ZipSfx.000\vdsn.dll
- %TEMP%\7ZipSfx.000\SacurityTool.exe
- %TEMP%\7ZipSfx.000\dlbs.dll
- %TEMP%\7ZipSfx.000\windnsapi.dll
- %TEMP%\7ZipSfx.000\FAT32.dll
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\baidu[1]
- %ALLUSERSPROFILE%\Application Data\Company
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\getstatus[1].asp
- %TEMP%\FAT32.dll
- %TEMP%\RASDEV.DAT
- %TEMP%\RASNSAPI.RA
- %TEMP%\RASDLBS.RA
- %TEMP%\RASVDSN.RA
- %TEMP%\RASDEV.DAT → %ALLUSERSPROFILE%\Application Data\RASDEV.DAT (файл переносится/копируется из %TEMP% по пути, указанному в ImagePath службы RASDEV)
- '12#.#25.114.144':80 (символ «#» в адресах и доменах ниже — замаскированные в отчёте знаки)
- '36#.cn':80
- http://www.ba##u.com/ via 12#.#25.114.144
- http://www.36#.cn/status/getstatus.asp via 36#.cn
- DNS ASK www.ba##u.com
- DNS ASK www.36#.cn
- '%TEMP%\7ZipSfx.000\SacurityTool.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" " (командный сценарий, по-видимому выполняемый после распаковки 7-Zip SFX-архива; в списке создаваемых файлов выше сам файл 7ZSfx000.cmd не приведён — при разборе его стоит извлечь отдельно)