Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'WindowsUpdate' = '%APPDATA%\Microsoft\Windows\svchost.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%APPDATA%\Microsoft\Windows\svchost.exe' = '%APPDATA%\Microsoft\Windows\svchost.exe:*:Enabled:Microsoft Windows Update'
- '%APPDATA%\Microsoft\Windows\svchost.exe' "<Полный путь к вирусу>"
- '<SYSTEM32>\net1.exe' netsh firewall set opmode disable
- '<SYSTEM32>\net1.exe' stop wscsvc
- '<SYSTEM32>\net1.exe' stop MpsSvc
- '<SYSTEM32>\net.exe' stop wscsvc
- '<SYSTEM32>\net.exe' stop MpsSvc
- '<SYSTEM32>\sc.exe' config mpssvc start=Disabled
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\uplink[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\uplink[1].htm
- %APPDATA%\Microsoft\Windows\svchost.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\uplink[1].htm
- %APPDATA%\Microsoft\Windows\svchost.exe
- 'of###rking.ru':80
- 'fi##ey.su':80
- 'mu###ipales.ru':80
- DNS ASK of###rking.ru
- DNS ASK fi##ey.su
- DNS ASK mu###ipales.ru
- ClassName: '(null)' WindowName: 'jPKisJtVl'
- ClassName: '(null)' WindowName: 'jz QllzgVeZHges'
- ClassName: '(null)' WindowName: 'OhJLfTzIbq'