Technical information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dqwqtalr] 'Logon' = 'WLEventLogon'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dqwqtalr] 'DLLName' = '<Virus name>.dll'
- %WINDIR%\Tasks\At1.job
- [<HKLM>\SYSTEM\ControlSet001\Services\srservice] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'ImagePath' = 'system32\DRIVERS\sr.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'ImagePath' = '<DRIVERS>\sr.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\wphhppqo] 'ImagePath' = '<SYSTEM32>\svchost.exe -k netsvcs'
- [<HKLM>\SYSTEM\ControlSet001\Services\wphhppqo] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\wphhppqo\Parameters] 'ServiceDll' = '<Full path to virus>'
- System Restore component (SR)
- '<SYSTEM32>\at.exe' 17:11:00 /every:Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday "<SYSTEM32>\rundll32.exe" "<Full path to virus>",DllMain -
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\winlogon.exe
- firefox.exe
- iexplore.exe
- DNS ASK tr####ecurity.com
- DNS ASK sa####-domain.info