Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmsh] 'Startup' = 'ServiceMain'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmsh] 'DllName' = ''
- <SYSTEM32>\cmd.exe /c ""%WINDIR%\KRL.bat" %WINDIR%\IJY.dll"
- <SYSTEM32>\cmd.exe /c ""%WINDIR%\LDH.bat" <Полный путь к вирусу>"
- <SYSTEM32>\regsvr32.exe /s %WINDIR%\IJY.dll
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\winlogon.exe
- %WINDIR%\LDH.bat
- %WINDIR%\KRL.bat
- %WINDIR%\IJY.dll
- <SYSTEM32>\msh263.dll
- <SYSTEM32>\msh263.dll
- %WINDIR%\IJY.dll
- 'st####lll.vicp.cc':80
- 'hi##.vicp.cc':80
- 'hi##.#tarballl.cn':80
- 'sm###.gicp.net':80
- 'sm##.#tarballl.cn':80
- st####lll.vicp.cc/y.asp
- hi##.vicp.cc/y.asp
- hi##.#tarballl.cn/y.asp
- sm###.gicp.net/y.asp
- sm##.#tarballl.cn/y.asp
- DNS ASK st####lll.vicp.cc
- DNS ASK hi##.vicp.cc
- DNS ASK hi##.#tarballl.cn
- DNS ASK sm###.gicp.net
- DNS ASK sm##.#tarballl.cn