Техническая информация (перечень наблюдаемых действий образца: записи автозапуска в реестре, запускаемые процессы, создаваемые и удаляемые файлы, сетевые обращения, поиск окон; символы `#` в именах хостов — маскирование в отчёте, а не часть индикатора, поэтому при сопоставлении их нужно учитывать как неизвестные символы)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows' = 'C:\Documents'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows' = 'C:\Documents'
  (значение 'C:\Documents', по-видимому, усечено на первом пробеле — вероятно, это некавыченный путь вида C:\Documents and Settings\…; при поиске по реестру сверяйте значение целиком, а не по этой строке; запись дублируется в HKCU и HKLM, то есть закрепление рассчитано как на пользовательский, так и на привилегированный запуск)
- '%APPDATA%\csrss.exe' -r
- '%TEMP%\csrss.exe' -reg %TEMP%\Windows.exe -proc 2928 %TEMP%\Windows.exe
- '%TEMP%\Windows.exe'
  (имя csrss.exe имитирует системный процесс Client/Server Runtime Subsystem, который легитимно запускается только из <SYSTEM32>; запуск файла с таким именем из %APPDATA% или %TEMP% сам по себе является признаком компрометации; число 2928 в аргументе -proc, вероятно, является PID конкретного запуска и как индикатор непригодно)
- '<SYSTEM32>\schtasks.exe' /Create /TN "Update\Windows" /XML "%TEMP%\189472086.xml"
  (закрепление через планировщик заданий: задача "Update\Windows" создаётся из XML-описания во временном каталоге; тот же XML-файл ниже в списке встречается повторно, предположительно среди удаляемых, поэтому триггер и команду задачи следует извлекать из самого планировщика или из снимка файла до его удаления)
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %APPDATA%\l_d5dfb9fdf1474470b6833398f0a14ecd.jpg
  (ImageView_Fullscreen из shimgvw.dll — штатный просмотрщик изображений Windows; образец, вероятно, показывает пользователю отвлекающую картинку, что согласуется с поиском окна класса 'ShImgVw:CPreviewWnd' в конце списка)
- %TEMP%\csrss.exe
- %TEMP%\189472086.xml
- %TEMP%\csrss.exe:ZONE.identifier
- %APPDATA%\csrss.exe:ZONE.identifier
  (суффикс :ZONE.identifier — альтернативный поток данных NTFS Zone.Identifier, «метка зоны» загруженного файла; операции с ним влияют на проверки SmartScreen/Attachment Manager, а его наличие или удаление — полезный артефакт при расследовании)
- %APPDATA%\csrss.exe
- %HOMEPATH%\Recent\Application Data.lnk
- <Полный путь к вирусу>:ZONE.identifier
- %APPDATA%\l_d5dfb9fdf1474470b6833398f0a14ecd.jpg
- %HOMEPATH%\Recent\l_d5dfb9fdf1474470b6833398f0a14ecd.lnk
- %TEMP%\Windows.exe:ZONE.identifier
- %TEMP%\Windows.exe
- %APPDATA%\csrss.exe
- %TEMP%\csrss.exe
- %TEMP%\Windows.exe
- %TEMP%\189472086.xml
- 'ca###trohff.tk':80
- 'wp#d':80
- wp#d/wpad.dat
- ca###trohff.tk/AuMic//add.php
- DNS ASK ca###trohff.tk
- DNS ASK wp#d
  (обращение к хосту wp#d за wpad.dat — стандартное автообнаружение прокси (WPAD), которое может исходить от системных компонентов, а не от образца, поэтому как индикатор оно малоинформативно; для сетевого детектирования следует использовать домен ca###trohff.tk и путь /AuMic//add.php по порту 80 — предположительно, регистрация образца на управляющем сервере; двойной слеш в пути приведён так, как наблюдался)
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
  (поиск окон по классу: 'Shell_TrayWnd' — панель задач проводника, 'ShImgVw:CPreviewWnd' — окно просмотрщика изображений, открытого через rundll32 выше; назначение окна класса 'Indicator' по приведённым данным определить нельзя)