Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'SHELL' = 'explorer.exe, svdhalp.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'adsmini' = '%WINDIR%\runadsmini.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'adsacquy' = '%WINDIR%\adsclick.exe'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\runadsmini.exe
- C:\VINACFMULTI6.3\vinalink.exe
- C:\VINACFMULTI6.3\vinalink.xt
- C:\VINACFMULTI6.3\xtrap.xt
- C:\VINACFMULTI6.3\VNPRO.EXE
- C:\VINACFMULTI6.3\xfire.xt
- %WINDIR%\adsclick.exe
Запускает на исполнение:
- <SYSTEM32>\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\syskey2i.drv
- <SYSTEM32>\svdhalp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\MHV49[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\test[1].php
- %TEMP%\aut1.tmp
- %ALLUSERSPROFILE%\Desktop\VINACF LAUNCHER.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\MC2r0[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\v.hack-cf[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\v.hack-cf[2]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\v.hack-cf[3]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\modzvinacf.hack-cf[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\v.hack-cf[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\MHV49[1]
- %WINDIR%\runadsmini.exe
- C:\VINACFMULTI6.3\CFVN.XT
- C:\VINACFMULTI6.3\xfire.xt
- C:\VINACFMULTI6.3\vinalink.exe
- C:\VINACFMULTI6.3\AUTOUPDATE.EXE
- C:\VINACFMULTI6.3\VNPRO.EXE
- C:\VINACFMULTI6.3\MSINET.OCX
- C:\VINACFMULTI6.3\xtrap.xt
- %WINDIR%\miniads.exe
- %WINDIR%\miniads1.exe
- %WINDIR%\miniads2.exe
- C:\VINACFMULTI6.3\vinalink.xt
- %WINDIR%\adsclick.exe
Удаляет следующие файлы:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\v.hack-cf[2]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\v.hack-cf[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\v.hack-cf[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\v.hack-cf[3]
- %TEMP%\~DFDAD.tmp
- %TEMP%\aut1.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\MHV49[1]
Сетевая активность:
Подключается к:
- 'ad#.ly':80
- 'localhost':1042
- 'v.###k-cf.com':80
- 'mo#####acf.hack-cf.com':80
- 'localhost':1038
- 'fs#######fsdf.googlecode.com':80
- 'localhost':1040
- 'de##bot.org':80
TCP:
Запросы HTTP GET:
- mo#####acf.hack-cf.com/
- v.###k-cf.com/
- ad#.ly/MC2r0
- fs#######fsdf.googlecode.com/svn/trunk/test.php
- ad#.ly/MHV49
Запросы HTTP POST:
- de##bot.org/@Admincp/m_d.php
UDP:
- DNS ASK mo#####acf.hack-cf.com
- DNS ASK v.###k-cf.com
- DNS ASK ad#.ly
- DNS ASK fs#######fsdf.googlecode.com
- DNS ASK de##bot.org
Другое:
Ищет следующие окна:
- ClassName: 'ThunderRT6FormDC' WindowName: 'AAA'
- ClassName: 'Chrome_WidgetWin_1' WindowName: 'Xac nh?n ?i?u hu?ng'
- ClassName: '#32770' WindowName: 'Web Browser'
- ClassName: 'ThunderRT6PictureBoxDC' WindowName: ''
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'Shell DocObject View' WindowName: ''
- ClassName: 'Shell Embedding' WindowName: ''
- ClassName: '#32770' WindowName: 'Windows Internet Explorer'
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: 'CrossFire'
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: '' WindowName: ''
