Техническая информация
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- [<HKLM>\SYSTEM\ControlSet001\Services\Windows_lsaess] 'Start' = '00000002'
- %WINDIR%\inf\lsass.exe
- <SYSTEM32>\runonce.exe -r
- <SYSTEM32>\grpconv.exe -o
- <SYSTEM32>\cmd.exe /c %TEMP%\kill.bat "<Полный путь к вирусу>"
- <SYSTEM32>\cmd.exe /c %WINDIR%\inf\j.bat
- <SYSTEM32>\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %WINDIR%\inf\j.inf
- %WINDIR%\inf\j.inf
- %WINDIR%\inf\lsass.exe
- %WINDIR%\inf\j.bat
- %WINDIR%\inf\j.PNF
- %TEMP%\kill.bat
- %TEMP%\E_N4\dp1.fne
- %TEMP%\E_N4\krnln.fnr
- %TEMP%\E_N4\internet.fne
- <Текущая директория>\2
- %TEMP%\E_N4\shell.fne
- 'www.eo##o.com':80
- '37##.ggii.net':80
- www.eo##o.com/cert/jg.txt
- 37##.ggii.net/ip.txt
- DNS ASK www.eo##o.com
- DNS ASK 37##.ggii.net