Техническая информация: запись автозапуска (ключ Run), запускаемые процессы и командные строки, создаваемые файлы (technical details: Run-key autorun entry, launched processes/command lines, created files)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'iyxpcshell' = '%PROGRAM_FILES%\FireFox\iyxpcshell.exe'
- '%PROGRAM_FILES%\FireFox\zexpcshell.exe'
- '%PROGRAM_FILES%\NetMeeting\chcb32.exe'
- '%TEMP%\rhtjm4wuq20gvcgemu.exe'
- '%PROGRAM_FILES%\FireFox\iyxpcshell.exe'
- '<SYSTEM32>\cmd.exe' /c %TEMP%\crp5u152amn2q.bat
- '<SYSTEM32>\attrib.exe' -a -r -s -h "%TEMP%\rhtjm4wuq20gvcgemu.exe"
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\cmd.exe' /c <Текущая директория>\crp5u152amn2q.bat
- '<SYSTEM32>\attrib.exe' -a -r -s -h "<Полный путь к вирусу>"
- %TEMP%\crp5u152amn2q.bat
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %PROGRAM_FILES%\NetMeeting\chcb32.exe
- %PROGRAM_FILES%\FireFox\zexpcshell.exe
- %PROGRAM_FILES%\FireFox\iyxpcshell.exe
- %TEMP%\rhtjm4wuq20gvcgemu.exe
- %TEMP%\joxffy3d.txt
- <Текущая директория>\crp5u152amn2q.bat
- %TEMP%\~DF6A85.tmp
- %TEMP%\~DFF811.tmp
- %TEMP%\~DF4B91.tmp
- %TEMP%\~DF4C64.tmp
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- <SYSTEM32>\PerfStringBackup.TMP