Техническая информация
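- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '<SYSTEM32>\wscript.exe %ALLUSERSPROFILE%\jbot\00000008.js' (значение 'Shell' в Winlogon задаёт оболочку пользователя, поэтому скрипт запускается при каждом входе в систему вместо стандартной оболочки)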
- %TEMP%\installscript.js
- %TEMP%\startinstall.js
- %TEMP%\inst1.exe
- %ALLUSERSPROFILE%\jbot\00000008.js
- http://ar#a.us/up/jconf.xml
- DNS ASK ar#a.us
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'InstItClass' WindowName: ''
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\startinstall.js"
- '%TEMP%\inst1.exe'
- '%WINDIR%\syswow64\wscript.exe' installscript.js (со скрытым окном)
- '%WINDIR%\syswow64\wscript.exe' installscript.js