Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe msmsgrs.exe'
- %WINDIR%\Tasks\Windows_Messenger_Service-{0223D705-87E0-42AB-9046-4139D8EEB169}.job
- [<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'Start' = '00000002'
- '<SYSTEM32>\c_m_d.exe' /c SCHTASKS.EXE /Create /SC ONSTART /TN Windows_Messenger_Service-{0223D705-87E0-42AB-9046-4139D8EEB169} /TR <SYSTEM32>\msmsgrs.exe /RU SYSTEM
- '<SYSTEM32>\c_m_d.exe' /c sc.exe start schedule
- '<SYSTEM32>\c_m_d.exe' /c sc.exe \\127.0.0.1 config schedule start= auto
- '<SYSTEM32>\schtasks.exe' /Create /SC ONSTART /TN Windows_Messenger_Service-{0223D705-87E0-42AB-9046-4139D8EEB169} /TR <SYSTEM32>\msmsgrs.exe /RU SYSTEM
- '<SYSTEM32>\sc.exe' start schedule
- '<SYSTEM32>\sc.exe' \\127.0.0.1 config schedule start= auto
- <SYSTEM32>\c_m_d.exe
- \Device\LanmanRedirector\127.0.0.1\pipe\svcctl
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\update[1].dat
- %TEMP%\eyymvfe
- %TEMP%\aut1.tmp
- %TEMP%\qbgnjpk
- %TEMP%\aut2.tmp
- %TEMP%\aut2.tmp
- %TEMP%\eyymvfe
- %TEMP%\aut1.tmp
- %TEMP%\qbgnjpk
- из <Полный путь к вирусу> в <SYSTEM32>\msmsgrs.exe
- '11#.#39.185.1':80
- 'localhost':445
- 11#.#39.185.1/themida/update.dat?ra#########