Техническая информация
- Автозапуск: [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon launch' = '<Полный путь к вирусу>' (имя параметра маскируется под легитимный системный процесс ctfmon.exe; при проверке Run-ключа смотрите на путь значения, а не на его имя)
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableConcurrentSessions /d 1 /t REG_DWORD /f (разрешает одновременные сеансы Терминальных служб — один из штатных «RDP-патчей», позволяющих подключаться по RDP, не выбивая интерактивного пользователя)
- <SYSTEM32>\net1.exe user Usuario_ zaq1 /add (создает локальную учетную запись Usuario_ с захардкоженным слабым паролем zaq1 — вероятно, для последующего входа по RDP)
- <SYSTEM32>\net1.exe localgroup "Administradores" Usuario_ /add (добавляет ее в группу администраторов; имя группы локализованное — португальское/испанское «Administradores», поэтому команда сработает только на соответствующих локализациях Windows. При проверке системы искать учетную запись Usuario_ в списке локальных пользователей и администраторов)
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /d 1 /t REG_DWORD /f (также относится к разрешению нескольких одновременных RDP/TS-сеансов)
- <SYSTEM32>\cmd.exe /c %WINDIR%\rdphds.bat
- <SYSTEM32>\cmd.exe /c %WINDIR%\crssp2.bat
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core" /v EnableConcurrentSessions /d 1 /t REG_DWORD /f (третий параметр из того же набора для включения одновременных сеансов Терминальных служб; записывается напрямую в ControlSet001, а не в CurrentControlSet)
- <SYSTEM32>\cmd.exe /c %WINDIR%\comhds_.bat
- ClassName: '' WindowName: 'Windows File Protection' (ищет окно защиты системных файлов Windows — оно появляется при подмене защищенного файла, такого как termsrv.dll; предположительно, окно закрывается автоматически, чтобы пользователь не заметил подмену)
- %WINDIR%\comhds_.bat
- %WINDIR%\hiberfilsys.ini
- %WINDIR%\rdphds.bat
- %WINDIR%\tsgerpatch.reg
- %WINDIR%\crssp2.bat
- <SYSTEM32>\termsrv.dll в <SYSTEM32>\termsrv_orig.dll (оригинальная библиотека Терминальных служб переименовывается; замена termsrv.dll — известный способ снять ограничение на число одновременных RDP-сеансов)
- <SYSTEM32>\dllcache\termsrv.dll в <SYSTEM32>\dllcache\termsrv_orig.dll (переименовывается и копия в dllcache — иначе Windows File Protection восстановила бы оригинал. Наличие файла termsrv_orig.dll в любом из этих каталогов — надежный признак заражения)
- Сетевая активность (части доменных имен замаскированы символами # самим издателем описания): 'www.go###e.com.br':80
- 'ma#####r.ma.funpic.de':80
- www.go###e.com.br/ (обращение по HTTP к корню сайта)
- ma#####r.ma.funpic.de/tmp/erro.php (обращение по HTTP к скрипту на бесплатном хостинге — вероятно, отчет/маяк о результате заражения)
- DNS ASK www.go###e.com.br
- DNS ASK ma#####r.ma.funpic.de
- ClassName: '' WindowName: 'Protecao de arquivo do Windows' (то же окно Windows File Protection, но с португальским заголовком — вредоносная программа рассчитана на португалоязычные, в частности бразильские, установки Windows)