Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'SystweakASP' = '"%PROGRAM_FILES%\RegClean Pro\SystweakASP.exe" /verysilent'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RDReminder' = '%PROGRAM_FILES%\RegClean Pro\RegCleanPro.exe -rem'
Создает или изменяет следующие файлы:
- %WINDIR%\Tasks\RegClean Pro_DEFAULT.job
- %WINDIR%\Tasks\RegClean Pro_UPDATES.job
Вредоносные функции:
Создает и запускает на исполнение:
- '%TEMP%\BackupSetup.exe' /S
- '%PROGRAM_FILES%\RegClean Pro\systweakasp.exe' /verysilent
- '%APPDATA%\Advanced System Protector\aspsetup.exe' /verysilent
- '%TEMP%\is-DUV4E.tmp\systweakasp.tmp' /SL5="$500DE,215147,153600,%PROGRAM_FILES%\RegClean Pro\systweakasp.exe" /verysilent
- '%TEMP%\RegClean8.exe' /verysilent
- '%TEMP%\is-5KDJU.tmp\RegClean8.tmp' /SL5="$30092,3850014,136704,%TEMP%\RegClean8.exe" /verysilent
- '%PROGRAM_FILES%\RegClean Pro\Cloud_Backup_Setup.exe' /S
- '%PROGRAM_FILES%\RegClean Pro\RegCleanPro.exe' babylon
- '%APPDATA%\Advanced System Protector\aspsetup.exe' (загружен из сети Интернет)
- '%TEMP%\BackupSetup.exe' (загружен из сети Интернет)
Запускает на исполнение:
- '<SYSTEM32>\regsvr32.exe' /s "<SYSTEM32>\jscript.dll"
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: '(null)'
- ClassName: 'RegMonClass' WindowName: '(null)'
- ClassName: 'FileMonClass' WindowName: '(null)'
Изменения в файловой системе:
Создает следующие файлы:
- %ALLUSERSPROFILE%\Start Menu\Programs\RegClean Pro\Uninstall RegClean Pro.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\RegClean Pro\Register RegClean Pro.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\RegClean Pro\RegClean Pro.lnk
- %ALLUSERSPROFILE%\Desktop\RegClean Pro.lnk
- %TEMP%\is-C6VPS.tmp\roboot.exe
- %PROGRAM_FILES%\RegClean Pro\unins000.dat
- %PROGRAM_FILES%\RegClean Pro\unins000.msg
- %PROGRAM_FILES%\RegClean Pro\is-0GMBB.tmp
- %PROGRAM_FILES%\RegClean Pro\is-9S71P.tmp
- %PROGRAM_FILES%\RegClean Pro\is-5HHOT.tmp
- %PROGRAM_FILES%\RegClean Pro\is-CO3DF.tmp
- %PROGRAM_FILES%\RegClean Pro\is-GFHSD.tmp
- %PROGRAM_FILES%\RegClean Pro\is-VIAOJ.tmp
- %PROGRAM_FILES%\RegClean Pro\is-7SFJ9.tmp
- <SYSTEM32>\roboot.exe
- %APPDATA%\Systweak\RegClean Pro\Version 6.1\eng_rcp.dat
- %APPDATA%\Systweak\RegClean Pro\Version 6.1\log_06-27-2013.log
- %TEMP%\is-DUV4E.tmp\systweakasp.tmp
- %APPDATA%\Advanced System Protector\aspsetup.exe
- %TEMP%\is-3IUET.tmp\isxdl.dll
- %TEMP%\is-3IUET.tmp\_isetup\_shfoldr.dll
- %TEMP%\nsf2.tmp\NSISdl.dll
- %TEMP%\nse4.tmp\NSISdl.dll
- %TEMP%\aff.conf
- %TEMP%\BackupSetup.exe
- %APPDATA%\Systweak\RegClean Pro\Version 6.1\bl.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\installtracker[1].aspx
- %TEMP%\ping.txt
- %PROGRAM_FILES%\RegClean Pro\is-5C0J6.tmp
- %PROGRAM_FILES%\RegClean Pro\is-RS2SQ.tmp
- %PROGRAM_FILES%\RegClean Pro\is-RDLI1.tmp
- %PROGRAM_FILES%\RegClean Pro\is-H3D54.tmp
- %PROGRAM_FILES%\RegClean Pro\is-FTU61.tmp
- %PROGRAM_FILES%\RegClean Pro\is-CH6F8.tmp
- %PROGRAM_FILES%\RegClean Pro\is-2IPT4.tmp
- %PROGRAM_FILES%\RegClean Pro\is-D39KB.tmp
- %TEMP%\is-5KDJU.tmp\RegClean8.tmp
- %TEMP%\nsf2.tmp\Registry.dll
- %TEMP%\RegClean8.exe
- %TEMP%\is-C6VPS.tmp\_isetup\_shfoldr.dll
- %PROGRAM_FILES%\RegClean Pro\is-GOA0C.tmp
- %TEMP%\is-C6VPS.tmp\setup_en.bmp
- %TEMP%\is-C6VPS.tmp\pcbackup.bmp
- %PROGRAM_FILES%\RegClean Pro\is-SBL98.tmp
- %PROGRAM_FILES%\RegClean Pro\is-CQAI3.tmp
- %PROGRAM_FILES%\RegClean Pro\is-J0ACB.tmp
- %PROGRAM_FILES%\RegClean Pro\is-KCPVE.tmp
- %PROGRAM_FILES%\RegClean Pro\is-P3Q96.tmp
- %PROGRAM_FILES%\RegClean Pro\is-B1JRG.tmp
- %PROGRAM_FILES%\RegClean Pro\is-CV11K.tmp
- %PROGRAM_FILES%\RegClean Pro\is-RQQVS.tmp
- %PROGRAM_FILES%\RegClean Pro\is-MNJ2V.tmp
- %PROGRAM_FILES%\RegClean Pro\is-930BL.tmp
- %PROGRAM_FILES%\RegClean Pro\is-53N7E.tmp
- %PROGRAM_FILES%\RegClean Pro\is-71I2Q.tmp
- %PROGRAM_FILES%\RegClean Pro\is-42BDM.tmp
- %PROGRAM_FILES%\RegClean Pro\is-R7U8D.tmp
- %PROGRAM_FILES%\RegClean Pro\is-LLRQ6.tmp
Удаляет следующие файлы:
- %APPDATA%\Advanced System Protector\aspsetup.exe
- %TEMP%\nsf2.tmp\Registry.dll
- %TEMP%\nsf2.tmp\NSISdl.dll
- %TEMP%\is-DUV4E.tmp\systweakasp.tmp
- %TEMP%\is-3IUET.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-3IUET.tmp\isxdl.dll
- %TEMP%\is-C6VPS.tmp\setup_en.bmp
- %TEMP%\is-C6VPS.tmp\roboot.exe
- %TEMP%\is-C6VPS.tmp\pcbackup.bmp
- %TEMP%\nse4.tmp\NSISdl.dll
- %TEMP%\is-5KDJU.tmp\RegClean8.tmp
- %TEMP%\is-C6VPS.tmp\_isetup\_shfoldr.dll
Перемещает следующие файлы:
- %PROGRAM_FILES%\RegClean Pro\is-RQQVS.tmp в %PROGRAM_FILES%\RegClean Pro\Spanish_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-CV11K.tmp в %PROGRAM_FILES%\RegClean Pro\Swedish_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-B1JRG.tmp в %PROGRAM_FILES%\RegClean Pro\Finnish_rcp_fi.ini
- %PROGRAM_FILES%\RegClean Pro\is-P3Q96.tmp в %PROGRAM_FILES%\RegClean Pro\Portuguese_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-KCPVE.tmp в %PROGRAM_FILES%\RegClean Pro\Italian_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-J0ACB.tmp в %PROGRAM_FILES%\RegClean Pro\Japanese_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-CQAI3.tmp в %PROGRAM_FILES%\RegClean Pro\Norwegian_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-5C0J6.tmp в %PROGRAM_FILES%\RegClean Pro\portugese_rcp_pt.ini
- %PROGRAM_FILES%\RegClean Pro\is-7SFJ9.tmp в %PROGRAM_FILES%\RegClean Pro\korean_rcp_ko.ini
- %PROGRAM_FILES%\RegClean Pro\is-VIAOJ.tmp в %PROGRAM_FILES%\RegClean Pro\TraditionalCn_rcp_zh-tw.ini
- %PROGRAM_FILES%\RegClean Pro\is-GFHSD.tmp в %PROGRAM_FILES%\RegClean Pro\xmllite.dll
- %PROGRAM_FILES%\RegClean Pro\is-CO3DF.tmp в %PROGRAM_FILES%\RegClean Pro\polish_rcp_pl.ini
- %PROGRAM_FILES%\RegClean Pro\is-5HHOT.tmp в %PROGRAM_FILES%\RegClean Pro\russian_rcp_ru.ini
- %PROGRAM_FILES%\RegClean Pro\is-9S71P.tmp в %PROGRAM_FILES%\RegClean Pro\greek_rcp_el.ini
- %PROGRAM_FILES%\RegClean Pro\is-0GMBB.tmp в %PROGRAM_FILES%\RegClean Pro\turkish_rcp_tr.ini
- %PROGRAM_FILES%\RegClean Pro\is-42BDM.tmp в %PROGRAM_FILES%\RegClean Pro\German_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-FTU61.tmp в %PROGRAM_FILES%\RegClean Pro\isxdl.dll
- %PROGRAM_FILES%\RegClean Pro\is-D39KB.tmp в %PROGRAM_FILES%\RegClean Pro\CleanSchedule.exe
- %PROGRAM_FILES%\RegClean Pro\is-2IPT4.tmp в %PROGRAM_FILES%\RegClean Pro\RCPUninstall.exe
- %PROGRAM_FILES%\RegClean Pro\is-RS2SQ.tmp в %PROGRAM_FILES%\RegClean Pro\RegCleanPro.dll
- %PROGRAM_FILES%\RegClean Pro\is-GOA0C.tmp в %PROGRAM_FILES%\RegClean Pro\unins000.exe
- %PROGRAM_FILES%\RegClean Pro\is-H3D54.tmp в %PROGRAM_FILES%\RegClean Pro\RegCleanPro.exe
- %PROGRAM_FILES%\RegClean Pro\is-RDLI1.tmp в %PROGRAM_FILES%\RegClean Pro\install_left_image.bmp
- %PROGRAM_FILES%\RegClean Pro\is-CH6F8.tmp в %PROGRAM_FILES%\RegClean Pro\systweakasp.exe
- %PROGRAM_FILES%\RegClean Pro\is-71I2Q.tmp в %PROGRAM_FILES%\RegClean Pro\Dutch_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-LLRQ6.tmp в %PROGRAM_FILES%\RegClean Pro\eng_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-R7U8D.tmp в %PROGRAM_FILES%\RegClean Pro\French_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-MNJ2V.tmp в %PROGRAM_FILES%\RegClean Pro\Danish_rcp.ini
- %PROGRAM_FILES%\RegClean Pro\is-SBL98.tmp в %PROGRAM_FILES%\RegClean Pro\Cloud_Backup_Setup.exe
- %PROGRAM_FILES%\RegClean Pro\is-53N7E.tmp в %PROGRAM_FILES%\RegClean Pro\Cloud_Backup_Setup_Intl.exe
- %PROGRAM_FILES%\RegClean Pro\is-930BL.tmp в %PROGRAM_FILES%\RegClean Pro\Chinese_rcp.ini
Сетевая активность:
Подключается к:
- 'cl#####ont.systweak.com':80
- 'localhost':445
- '<IP-адрес в локальной сети>':80
- 'im.##stweak.com':80
- 'tr###.#ypcbackup.com':80
- 'in#####.outbrowse.com':80
- 'localhost':1040
TCP:
Запросы HTTP GET:
- im.##stweak.com/installtracker.aspx?tr#####################
- cl#####ont.systweak.com/aspsl/aspsetup_systweak_default.exe
- tr###.#ypcbackup.com/8695a4a3/systweakinstall/MyPCBackup_Setup.exe
- in#####.outbrowse.com/installTrack.php?pu##############################################################################
UDP:
- DNS ASK im.##stweak.com
- DNS ASK cl#####ont.systweak.com
- DNS ASK tr###.#ypcbackup.com
- DNS ASK in#####.outbrowse.com
Другое:
Ищет следующие окна:
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
