Техническая информация (в этой выдержке заголовки разделов отчёта, по-видимому, утрачены: ниже без подписей перечислены ключи реестра автозапуска, запускаемые процессы, создаваемые/удаляемые/перемещаемые файлы и сетевые индикаторы)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Sidebar' = '%APPDATA%\Roaming\svchost.exe' — автозапуск при входе пользователя; имя svchost.exe вне %SystemRoot%\System32 — маскировка под системный процесс (легитимный svchost.exe расположен только в System32/SysWOW64), сам путь с повторным сегментом Roaming тоже нетипичен и пригоден как индикатор
- [<HKLM>\SYSTEM\ControlSet001\services\svchost] 'Start' = '00000002' — служба с именем svchost переведена в режим SERVICE_AUTO_START (запуск при загрузке системы); вторая точка закрепления в дополнение к ключу Run
- скрытых файлов [обрывок заголовка раздела; начало фразы в выдержке отсутствует]
- '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
- '<SYSTEM32>\Dwm.exe'
- <SYSTEM32>\taskhost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\Dwm.exe
- <LS_APPDATA>\Microsoft\DefaultDomain_Path_mbaej3apwt1npbz2kg1crrmveh41ci03\1.0.0.0\67ju3mv4.newcfg
- %TEMP%\nssA0F1.tmp\patch.dll (каталог вида %TEMP%\ns?XXXX.tmp характерен для временной распаковки инсталляторов NSIS — вероятно, дроппер собран на NSIS; суффикс XXXX меняется между запусками, поэтому как индикатор надёжнее имена файлов внутри каталога, а не сам каталог)
- %APPDATA%\Roaming\svchost.exe
- %TEMP%\nsc95E9.tmp
- %TEMP%\nssA0F1.tmp\kArkaEHtRT
- %TEMP%\nssA0F1.tmp\GXhVSKgNeAT.dll
- <Полный путь к вирусу>
- %APPDATA%\Roaming\svchost.exe
- %TEMP%\nssA0F1.tmp\kArkaEHtRT
- %TEMP%\nssA0F1.tmp\GXhVSKgNeAT.dll
- <LS_APPDATA>\Microsoft\DefaultDomain_Path_mbaej3apwt1npbz2kg1crrmveh41ci03\1.0.0.0\67ju3mv4.newcfg перемещается в <LS_APPDATA>\Microsoft\DefaultDomain_Path_mbaej3apwt1npbz2kg1crrmveh41ci03\1.0.0.0\user.config (схема «.newcfg → user.config» соответствует сохранению пользовательских настроек .NET-приложением — по-видимому, один из компонентов написан на .NET; хэш в имени каталога зависит от пути/версии сборки и между образцами может отличаться)
- 'so###itro.info':80 (TCP-соединение; символы «#» — маскировка индикатора в отчёте, полное имя домена не приводится)
- '74.##5.232.51':80 (TCP-соединение по IP напрямую; октет также замаскирован)
- 74.##5.232.51/
- so###itro.info/coiner//run.php (HTTP GET; двойной слеш в пути воспроизводится сервером-получателем и может служить признаком в сетевых сигнатурах)
- DNS ASK so###itro.info
- DNS ASK www.google.com (вероятно, проверка доступности сети; сам по себе не является вредоносным индикатором)