Техническая информация
- %PROGRAM_FILES%\winzip\SystenProcess
- <SYSTEM32>\net1.exe stop sharedaccess
- <SYSTEM32>\net.exe stop sharedaccess
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\baidu[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\baidu[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\2[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\20110801ie[1].asp
- %ALLUSERSPROFILE%\Application Data\now.txt
- %PROGRAM_FILES%\winzip\SystenProcess
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\4415403[1].js
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\cccc[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\2[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\baidu[1]
- из <Полный путь к вирусу> в %PROGRAM_FILES%\winzip\ctfmom.exe
- 'localhost':1042
- 'www.ba##u.com':80
- 'js.##ers.51.la':80
- 'localhost':1038
- 'www.ax##w.com':80
- www.ax##w.com/ht/20110801ie.asp?
- www.ax##w.com/hh/2.asp
- www.ba##u.com/
- www.ax##w.com/cccc.htm?20########
- js.##ers.51.la/4415403.js
- DNS ASK www.ba##u.com
- DNS ASK js.##ers.51.la
- DNS ASK www.ax##w.com
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Notepad' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: '??'