From c69f9d0e8a2e2727df8e21bd9f7bc18260ccfa10 Mon Sep 17 00:00:00 2001
From: LEON
Date: Wed, 22 Jun 2016 09:51:04 +0500
Subject: [PATCH] Update for injection method known
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hello!

This is a really old injection method which was found by Indy(Clerk) around ~2009.

Proof:
http://www.wasm.ru/forum/viewtopic.php?pid=553394#p553394
http://www.wasm.ru/forum/viewtopic.php?pid=511944#p511944
http://www.wasm.ru/forum/viewtopic.php?pid=514048#p514048
http://www.wasm.ru/forum/profile.php?id=15484

(!!!) "Regarding the tray: everything is done by sending messages to the "Shell_TrayWnd" window, so the API in question is Shell_NotifyIcon(); one needs to look at the exports of Shell32.dll (it is in the sources). By the way, this is a security hole."

With best regards,
Leon.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 43b0d68..79e3146 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ * More Info: http://goo.gl/3CdZHw # Original PowerLoader -* Known since ~2013 +* Known since ~2009 (from wasm.ru, virustech.org). Method author: Indy(Clerk). * Loader used in many different dropper families (Gapz / Redyms / Carberp / Vabushky ...) * First injection technique via Return Oriented Programming technique (ROP). * “explorer.exe” is injected using Shell_TrayWnd / NtQueueApcThread (32bit / 64bit)
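Review bot: the replacement line "+* Known since ~2009 (from wasm.ru, virustech.org). Method author: Indy(Clerk)." folds two different facts into one bullet under "# Original PowerLoader". The removed line "-* Known since ~2013" described when the loader itself was observed, while the commit message argues that the Shell_TrayWnd injection technique was described around 2009; overwriting the former with the latter loses the loader's own history. Keep both, e.g. leave "* Known since ~2013" in place and add a separate bullet such as "* Injection technique first described ~2009 by Indy(Clerk) on wasm.ru". The new bullet also cites "virustech.org" without any link, whereas the commit message only supplies wasm.ru URLs: either add the virustech.org reference or drop it, and put the wasm.ru thread URLs from the commit message into the README, since a bare domain name is not a verifiable citation.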