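Техническая информация
Ниже перечислены наблюдаемые действия образца: изменение реестра, запускаемые команды, затрагиваемые файлы и искомое окно. Штатный svchost.exe Windows находится в <SYSTEM32>; одноимённые файлы в <LS_APPDATA> и %WINDIR%, судя по параметрам запуска и сопутствующим файлам (radmin.reg, raddrv.dll, AdmDll.dll, служба r_server), являются переименованным сервером удалённого администрирования.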
- [<HKLM>\SYSTEM\ControlSet001\Services\r_server] 'Start' = '00000002' (значение 2 — автоматический запуск службы r_server при загрузке системы)
- <LS_APPDATA>\svchost.exe /service
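- <LS_APPDATA>\svchost.exe /port:10000 /pass:1a2b3c4d5e6f /save /silence (по-видимому, сохраняет порт прослушивания 10000 и пароль доступа без вывода сообщений; входящие соединения на этот порт — признак для обнаружения)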
- <LS_APPDATA>\svchost.exe /install /silence
- <SYSTEM32>\xcopy.exe <LS_APPDATA>\radmin.reg %WINDIR% /y/q
- %WINDIR%\regedit.exe /s radmin.reg
- <SYSTEM32>\net1.exe start r_server
- <SYSTEM32>\xcopy.exe <LS_APPDATA>\admdll.dll %WINDIR% /y/q
- <SYSTEM32>\cmd.exe /c ""%WINDIR%\Temp\a00969.bat" <Полный путь к вирусу>"
- <SYSTEM32>\xcopy.exe <LS_APPDATA>\svchost.exe %WINDIR% /y/q
- <SYSTEM32>\xcopy.exe <LS_APPDATA>\raddrv.dll %WINDIR% /y/q
- %WINDIR%\raddrv.dll
- %WINDIR%\svchost.exe
- %WINDIR%\AdmDll.dll
- %WINDIR%\radmin.reg
- <LS_APPDATA>\raddrv.dll
- <LS_APPDATA>\AdmDll.dll
- <LS_APPDATA>\radmin.reg
- %WINDIR%\Temp\a00969.bat
- <LS_APPDATA>\svchost.exe
- %WINDIR%\Temp\a00969.bat
- <LS_APPDATA>\radmin.reg
- <LS_APPDATA>\svchost.exe
- <LS_APPDATA>\raddrv.dll
- %WINDIR%\Temp\a00969.bat
- <LS_APPDATA>\AdmDll.dll
- ClassName: 'RegEdit_RegEdit' WindowName: ''