Техническая информация
Для обеспечения автозапуска и распространения:
Заражает следующие исполняемые файлы:
- %PROGRAM_FILES%\FireFox\xpcshell.exe
- %PROGRAM_FILES%\FireFox\xpidl.exe
- %PROGRAM_FILES%\FireFox\updater.exe
- %PROGRAM_FILES%\FireFox\xpcom.dll
- %PROGRAM_FILES%\FireFox\xpt_dump.exe
- %PROGRAM_FILES%\Notepad++\notepad++.exe
- %PROGRAM_FILES%\Notepad++\NppShell_06.dll
- %PROGRAM_FILES%\FireFox\xpt_link.exe
- %PROGRAM_FILES%\FireFox\xul.dll
- %PROGRAM_FILES%\FireFox\plc4.dll
- %PROGRAM_FILES%\FireFox\plds4.dll
- %PROGRAM_FILES%\FireFox\nssdbm3.dll
- %PROGRAM_FILES%\FireFox\nssutil3.dll
- %PROGRAM_FILES%\FireFox\plugin-container.exe
- %PROGRAM_FILES%\FireFox\softokn3.dll
- %PROGRAM_FILES%\FireFox\ssl3.dll
- %PROGRAM_FILES%\FireFox\shlibsign.exe
- %PROGRAM_FILES%\FireFox\smime3.dll
- %PROGRAM_FILES%\Notepad++\plugins\DSpellCheck.dll
- %PROGRAM_FILES%\Steam\bin\mss32.dll
- %PROGRAM_FILES%\Steam\libavcodec-55.dll
- %PROGRAM_FILES%\QIP 2012\Core\VistaVolume.dll
- %PROGRAM_FILES%\QIP 2012\Core\YLUSBTEL.dll
- %PROGRAM_FILES%\Steam\libavformat-55.dll
- %PROGRAM_FILES%\Steam\libswscale-2.dll
- %PROGRAM_FILES%\Steam\SDL2.dll
- %PROGRAM_FILES%\Steam\libavresample-1.dll
- %PROGRAM_FILES%\Steam\libavutil-53.dll
- %PROGRAM_FILES%\Notepad++\plugins\NppExport.dll
- %PROGRAM_FILES%\Notepad++\plugins\PluginManager.dll
- %PROGRAM_FILES%\Notepad++\plugins\mimeTools.dll
- %PROGRAM_FILES%\Notepad++\plugins\NppConverter.dll
- %PROGRAM_FILES%\Notepad++\SciLexer.dll
- %PROGRAM_FILES%\Notepad++\updater\libcurl.dll
- %PROGRAM_FILES%\QIP 2012\Core\MousePhone.dll
- %PROGRAM_FILES%\Notepad++\updater\gpup.exe
- %PROGRAM_FILES%\Notepad++\updater\GUP.exe
- %PROGRAM_FILES%\Far Manager\Plugins\EditCase\EditCase.dll
- %PROGRAM_FILES%\Far Manager\Plugins\EMenu\EMenu.dll
- %PROGRAM_FILES%\Far Manager\Plugins\Compare\Compare.dll
- %PROGRAM_FILES%\Far Manager\Plugins\DrawLine\DrawLine.dll
- %PROGRAM_FILES%\Far Manager\Plugins\FarCmds\FARCmds.dll
- %PROGRAM_FILES%\Far Manager\Plugins\LuaMacro\LuaMacro.dll
- %PROGRAM_FILES%\Far Manager\Plugins\NetBox\NetBox.dll
- %PROGRAM_FILES%\Far Manager\Plugins\FarColorer\bin\colorer.dll
- %PROGRAM_FILES%\Far Manager\Plugins\HlfViewer\HlfViewer.dll
- %PROGRAM_FILES%\Far Manager\FExcept\demangle32.dll
- %PROGRAM_FILES%\Far Manager\FExcept\ExcDump.dll
- %CommonProgramFiles%\microsoft shared\VC\msdia80.dll
- %PROGRAM_FILES%\Far Manager\Far.exe
- %PROGRAM_FILES%\Far Manager\FExcept\FExcept.dll
- %PROGRAM_FILES%\Far Manager\Plugins\ArcLite\arclite.dll
- %PROGRAM_FILES%\Far Manager\Plugins\Brackets\Brackets.dll
- %PROGRAM_FILES%\Far Manager\luafar3.dll
- %PROGRAM_FILES%\Far Manager\Plugins\ArcLite\7z.dll
- %PROGRAM_FILES%\Far Manager\Plugins\Network\Network.dll
- %PROGRAM_FILES%\FireFox\mozalloc.dll
- %PROGRAM_FILES%\FireFox\mozjs.dll
- %PROGRAM_FILES%\FireFox\js.exe
- %PROGRAM_FILES%\FireFox\mangle.exe
- %PROGRAM_FILES%\FireFox\mozsqlite3.dll
- %PROGRAM_FILES%\FireFox\nss3.dll
- %PROGRAM_FILES%\FireFox\nssckbi.dll
- %PROGRAM_FILES%\FireFox\nsinstall.exe
- %PROGRAM_FILES%\FireFox\nspr4.dll
- %PROGRAM_FILES%\Far Manager\Plugins\TmpPanel\TmpPanel.dll
- %PROGRAM_FILES%\FireFox\AccessibleMarshal.dll
- %PROGRAM_FILES%\Far Manager\Plugins\ProcList\Proclist.dll
- %PROGRAM_FILES%\Far Manager\Plugins\SameFolder\SameFolder.dll
- %PROGRAM_FILES%\FireFox\components\browsercomps.dll
- %PROGRAM_FILES%\FireFox\freebl3.dll
- %PROGRAM_FILES%\FireFox\IA2Marshal.dll
- %PROGRAM_FILES%\FireFox\crashreporter.exe
- %PROGRAM_FILES%\FireFox\firefox.exe
Вредоносные функции:
Создает и запускает на исполнение:
- '%TEMP%\svchost.exe'
- '%TEMP%\YsibJepj.exe'
Запускает на исполнение:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fvlfw-uq.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9B75.tmp" "%TEMP%\vbc9B54.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3CF1.tmp" "%TEMP%\vbc3CC1.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\v9kg6-nr.cmdline"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "%PROGRAM_FILES%\opera\launcher.exe"
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\conhost.exe
большое количество пользовательских процессов.
Изменения в файловой системе:
Создает следующие файлы:
- %TEMP%\Cw.resources
- %TEMP%\whatdafock.txt
- %TEMP%\On.resources
- %TEMP%\v9kg6-nr.exe
- %TEMP%\windowsupdate.ico
- %TEMP%\fvlfw-uq.0.vb
- %TEMP%\RES9B75.tmp
- C:\ProgramData\Package Cache\{01db25f3-1b76-4d97-88c8-1c90634d88fb}\vcredist_x86_backup.exe
- %TEMP%\vbc9B54.tmp
- %TEMP%\fvlfw-uq.cmdline
- %TEMP%\fvlfw-uq.out
- %TEMP%\RES3CF1.tmp
- %TEMP%\25B6Ns8.resources
- %TEMP%\MSNPSharp.dll
- %TEMP%\svchost.exe
- %TEMP%\Dm.resources
- %TEMP%\YsibJepj.exe
- %TEMP%\v9kg6-nr.0.vb
- %PROGRAM_FILES%\Opera\dmlconf.dat
- %TEMP%\vbc3CC1.tmp
- %TEMP%\v9kg6-nr.out
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\huxlfpqp.exe
- %TEMP%\v9kg6-nr.cmdline
Присваивает атрибут 'скрытый' для следующих файлов:
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\huxlfpqp.exe
Удаляет следующие файлы:
- %TEMP%\windowsupdate.ico
- %TEMP%\v9kg6-nr.cmdline
- %TEMP%\vbc9B54.tmp
- %TEMP%\RES9B75.tmp
- %TEMP%\v9kg6-nr.out
- %TEMP%\vbc3CC1.tmp
- %TEMP%\RES3CF1.tmp
- %TEMP%\v9kg6-nr.0.vb
- %TEMP%\v9kg6-nr.exe
Сетевая активность:
Подключается к:
- 'tv#####nyvwstrtve.com':447
- 'rt####jyuver.com':447
- 'wq######rstyhcerveantbe.com':447
- 'su###wdmn.com':447
- '74.##5.232.51':80
- '17#.#3.169.14':80
UDP:
- DNS ASK dn#.##ftncsi.com
- DNS ASK rt####jyuver.com
- DNS ASK wq######rstyhcerveantbe.com
- DNS ASK su###wdmn.com
- DNS ASK google.com
- DNS ASK tv#####nyvwstrtve.com
