Technical information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgsvc.exe] 'Debugger' = 'svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3LTray.exe] 'Debugger' = 'svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3LSvc.exe] 'Debugger' = 'svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYUpdate.aye] 'Debugger' = 'svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYAgent.aye] 'Debugger' = 'svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYServiceNt.aye] 'Debugger' = 'svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALYac.aye] 'Debugger' = 'svchost.exe'
- %TEMP%\LiveUpdate360_769_.exe
- %TEMP%\SimChin8.png
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\hg[1].txt
- from <Full path to virus> to <SYSTEM32>\kava.exe
- 'www.ki##j3.info':80
- 'localhost':1035
- www.ki##j3.info/hg.txt
- DNS ASK www.ki##j3.info
- ClassName: '#32770' WindowName: 'Windows ????????'