Техническая информация (ключи реестра, запускаемые процессы, перехватываемые функции, файлы и сетевая активность)
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- <SYSTEM32>\runonce.exe -r
- <SYSTEM32>\grpconv.exe -o
- <SYSTEM32>\cmd.exe /c _wpcap_.bat
- <SYSTEM32>\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 <Текущая директория>\_wpcap_.inf
- Перехват функции NtQuerySystemInformation — драйвер-обработчик: vook.sys
- Перехват функции NtQueryDirectoryFile — драйвер-обработчик: vook.sys
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\cn.news.yahoo[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\news.163[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\verify[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\news.sina.com[1]
- <Текущая директория>\_wpcap_.bat
- %WINDIR%\f.dll
- <Текущая директория>\_wpcap_.inf
- <SYSTEM32>\vook.sys
- <Текущая директория>\_wpcap_.inf
- <SYSTEM32>\vook.sys
- 'ne##.#ina.com.cn':80
- 've.###epolice.cn':80
- 'ne##.163.com':80
- '67.##5.160.76':80
- ne##.#ina.com.cn/
- ve.###epolice.cn/verify.asp?ve##############
- ne##.163.com/
- 67.##5.160.76/
- DNS ASK ne##.#ina.com.cn
- DNS ASK ve.###epolice.cn
- DNS ASK ne##.163.com
- DNS ASK cn.###s.yahoo.com