Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'kcdsa' = '%PROGRAM_FILES%\Kings\KCDSA\KCDSAUI.exe -boo'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\kcdudf] 'start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\KCDCDRH] 'start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\KCDService] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\mskcd] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\kcdev] 'start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\gzndc] 'start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\KingsDEP] 'start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\gzport] 'start' = '00000000'
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Kings\KCDSA\tsmclt.exe' = '%PROGRAM_FILES%\Kings\KCDSA\tsmclt.exe:*:Enabled:IPM Listener'
Создает и запускает на исполнение:
- '%WINDIR%\Kingsutil\kcdregsvc.exe' -is KCD /e
- '%PROGRAM_FILES%\Kings\KCDSA\tsmclt.exe' -inst
- '%PROGRAM_FILES%\Kings\KCDSA\mskcd.exe' -is
- '%TEMP%\GZKCD\KCDUninstall.exe' %PROGRAM_FILES%\Kings\KCDSA
- '%TEMP%\GZKCD\nsis_sup.exe' -i kcdudf
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\Kings\KCDSA\kcdctrl.dl_
- %WINDIR%\Kingsutil\kcdhost.ex_
- %WINDIR%\Kingsutil\KCDRegSvc.ex_
- %PROGRAM_FILES%\Kings\KCDSA\kcdlogclt.ex_
- %PROGRAM_FILES%\Kings\KCDSA\KCDSAStatus.ex_
- %PROGRAM_FILES%\Kings\KCDSA\gzHDDC.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdport.dl_
- %PROGRAM_FILES%\Kings\KCDSA\KCDSALog.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdsvc.ex_
- %PROGRAM_FILES%\Kings\KCDSA\mskcd.ex_
- <DRIVERS>\gzport.sy_
- %PROGRAM_FILES%\Kings\KCDSA\KCDKsf.dl_
- %PROGRAM_FILES%\Kings\KCDSA\KCDMsg.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdsacfg.in_
- %WINDIR%\Kingsutil\zproca.ini
- %PROGRAM_FILES%\Kings\KCDSA\kcdsaclt.ex_
- %PROGRAM_FILES%\Kings\KCDSA\kcdsaUI.ex_
- %WINDIR%\Kingsutil\ksuchost.ex_
- %WINDIR%\Kingsutil\zprochild.ex_
- %WINDIR%\Kingsutil\zproca.in_
- %PROGRAM_FILES%\Kings\KCDSA\images\background.bm_
- %PROGRAM_FILES%\Kings\KCDSA\gzeam.dl_
- %PROGRAM_FILES%\Kings\KCDSA\gzTransImg.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdupclt.ex_
- %PROGRAM_FILES%\Kings\KCDSA\images\btn_update.bm_
- %PROGRAM_FILES%\Kings\KCDSA\images\btn_update_over.bm_
- %PROGRAM_FILES%\Kings\KCDSA\fwctrl.dl_
- %PROGRAM_FILES%\Kings\KCDSA\gzGetTime.dl_
- %ALLUSERSPROFILE%\Start Menu\Programs\Guard-Zone V3.0 Core Client\Guard-Z Client.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\Guard-Zone V3.0 Core Client\Guard-Z Client Update.lnk
- %PROGRAM_FILES%\Kings\KCDSA\tsmclt.ex_
- %PROGRAM_FILES%\Kings\KCDSA\tsmc.ts_
- %PROGRAM_FILES%\Kings\KCDSA\DecryptionShell.dl_
- <SYSTEM32>\kcd.ini
- %PROGRAM_FILES%\Kings\KCDSA\cinf\net.env
- %PROGRAM_FILES%\Kings\KCDSA\logs\ltsmclt.log
- %PROGRAM_FILES%\Kings\KCDSA\logs\ltsmcltresult.log
- %PROGRAM_FILES%\Kings\KCDSA\tsmc.tsm
- %PROGRAM_FILES%\Kings\KCDSA\Storage.KSF
- %PROGRAM_FILES%\Kings\KCDSA\logs\lkcdregsvc.log
- %PROGRAM_FILES%\Kings\KCDSA\kcdproctrl.dl_
- <DRIVERS>\kcdudf.sy_
- %PROGRAM_FILES%\Kings\KCDSA\gzcomposlist.ks_
- <DRIVERS>\kcdev.sy_
- <DRIVERS>\KCDCDRH.sy_
- %PROGRAM_FILES%\Kings\KCDSA\KingsCDDriver.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdudf.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdev.dl_
- <SYSTEM32>\gzuireq.ex_
- %PROGRAM_FILES%\Kings\KCDSA\gzwr_dll.dl_
- %PROGRAM_FILES%\Kings\KCDSA\kcdsacfg.ini
- <DRIVERS>\gzndc.sy_
- %PROGRAM_FILES%\Kings\KCDSA\gzndc.dl_
- <SYSTEM32>\mshostgz.nv_
- %TEMP%\GZKCD\KCDSALog.dl_
- %TEMP%\GZKCD\kcdsvc.ex_
- %TEMP%\GZKCD\mskcd.ex_
- %TEMP%\GZKCD\kcdport.dl_
- %TEMP%\GZKCD\gzport.sy_
- %TEMP%\GZKCD\KCDRegSvc.ex_
- %TEMP%\GZKCD\KCDCDRH.sy_
- %TEMP%\GZKCD\gzcomposlist.ks_
- %TEMP%\GZKCD\kcdev.sy_
- %TEMP%\GZKCD\gzndc.dl_
- %TEMP%\GZKCD\KingsCDDriver.dl_
- %TEMP%\GZKCD\kcdudf.dl_
- %TEMP%\GZKCD\kcdudf.sy_
- %TEMP%\GZKCD\KCDMsg.dl_
- %TEMP%\nsw3.tmp\System.dll
- %TEMP%\GZKCD\svchost.ex_
- %TEMP%\GZKCD\ksuchost.ex_
- %TEMP%\nsw2.tmp
- %TEMP%\GZKCD\GetWindow.dll
- <SYSTEM32>\GetWindow.dll
- %TEMP%\GZKCD\zprochild.ex_
- %TEMP%\GZKCD\kcdctrl.dl_
- %TEMP%\GZKCD\kcdhost.ex_
- %TEMP%\GZKCD\KCDKsf.dl_
- %TEMP%\GZKCD\zproca.in_
- %TEMP%\GZKCD\kcdsacfg.in_
- %TEMP%\GZKCD\tsmc.ts_
- %TEMP%\GZKCD\tsmclt.ex_
- %TEMP%\GZKCD\DecryptionShell.dl_
- %TEMP%\GZKCD\gzHDDC.dl_
- %TEMP%\GZKCD\btn_update_over.bm_
- %TEMP%\GZKCD\KCDSAStatus.ex_
- %TEMP%\GZKCD\kcdproctrl.dl_
- %TEMP%\GZKCD\gzGetTime.dl_
- %HOMEPATH%\Desktop\Guard-Zone V3.0 Core Client.lnk
- %WINDIR%\Kingsutil\svchost.ex_
- %PROGRAM_FILES%\Kings\KCDSA\Security.KSF
- %TEMP%\GZKCD\gzwr_dll.dl_
- %TEMP%\GZKCD\nsis_sup.exe
- %PROGRAM_FILES%\Kings\KCDSA\KCDUninstall.exe
- %TEMP%\GZKCD\btn_update.bm_
- %TEMP%\GZKCD\fwctrl.dl_
- %TEMP%\GZKCD\gzeam.dl_
- %TEMP%\GZKCD\KCDUninstall.exe
- %TEMP%\GZKCD\gzndc.sy_
- %TEMP%\GZKCD\kcdev.dl_
- %TEMP%\GZKCD\kcdupclt.ex_
- %TEMP%\GZKCD\gzTransImg.dl_
- %TEMP%\GZKCD\kcdlogclt.ex_
- %TEMP%\GZKCD\kcdsaUI.ex_
- %TEMP%\GZKCD\background.bm_
- %TEMP%\GZKCD\kcdsaclt.ex_
- %TEMP%\GZKCD\mshostgz.nv_
- %TEMP%\GZKCD\gzuireq.ex_
Удаляет следующие файлы:
- %TEMP%\GZKCD\kcdsaUI.ex_
- %TEMP%\GZKCD\KCDSAStatus.ex_
- %TEMP%\GZKCD\KCDSALog.dl_
- %TEMP%\GZKCD\kcdudf.sy_
- %TEMP%\GZKCD\kcdudf.dl_
- %TEMP%\GZKCD\kcdsvc.ex_
- %TEMP%\GZKCD\kcdproctrl.dl_
- %TEMP%\GZKCD\kcdport.dl_
- %TEMP%\GZKCD\KCDMsg.dl_
- %TEMP%\GZKCD\kcdsaclt.ex_
- %TEMP%\GZKCD\kcdsacfg.in_
- %TEMP%\GZKCD\KCDRegSvc.ex_
- %TEMP%\GZKCD\KCDUninstall.exe
- %TEMP%\GZKCD\tsmclt.ex_
- %TEMP%\GZKCD\tsmc.ts_
- %TEMP%\GZKCD\svchost.ex_
- %TEMP%\nsw3.tmp\System.dll
- %TEMP%\GZKCD\zprochild.ex_
- %TEMP%\GZKCD\zproca.in_
- %TEMP%\GZKCD\ksuchost.ex_
- %TEMP%\GZKCD\KingsCDDriver.dl_
- %TEMP%\GZKCD\kcdupclt.ex_
- %TEMP%\GZKCD\nsis_sup.exe
- %TEMP%\GZKCD\mskcd.ex_
- %TEMP%\GZKCD\mshostgz.nv_
- %TEMP%\GZKCD\gzcomposlist.ks_
- %TEMP%\GZKCD\GetWindow.dll
- %TEMP%\GZKCD\fwctrl.dl_
- %TEMP%\GZKCD\gzHDDC.dl_
- %TEMP%\GZKCD\gzGetTime.dl_
- %TEMP%\GZKCD\gzeam.dl_
- %TEMP%\GZKCD\background.bm_
- %PROGRAM_FILES%\Kings\KCDSA\KCDUninstall.exe
- <SYSTEM32>\GetWindow.dll
- %TEMP%\GZKCD\DecryptionShell.dl_
- %TEMP%\GZKCD\btn_update_over.bm_
- %TEMP%\GZKCD\btn_update.bm_
- %TEMP%\GZKCD\gzndc.dl_
- %TEMP%\GZKCD\kcdev.sy_
- %TEMP%\GZKCD\kcdev.dl_
- %TEMP%\GZKCD\kcdctrl.dl_
- %TEMP%\GZKCD\kcdlogclt.ex_
- %TEMP%\GZKCD\KCDKsf.dl_
- %TEMP%\GZKCD\kcdhost.ex_
- %TEMP%\GZKCD\gzTransImg.dl_
- %TEMP%\GZKCD\gzport.sy_
- %TEMP%\GZKCD\gzndc.sy_
- %TEMP%\GZKCD\KCDCDRH.sy_
- %TEMP%\GZKCD\gzwr_dll.dl_
- %TEMP%\GZKCD\gzuireq.ex_
Перемещает следующие файлы:
- %PROGRAM_FILES%\Kings\KCDSA\kcdudf.dl_ в %PROGRAM_FILES%\Kings\KCDSA\kcdudf.dll
- %PROGRAM_FILES%\Kings\KCDSA\KingsCDDriver.dl_ в %PROGRAM_FILES%\Kings\KCDSA\KingsCDDriver.dll
- <DRIVERS>\kcdudf.sy_ в <DRIVERS>\kcdudf.sys
- <DRIVERS>\kcdev.sy_ в <DRIVERS>\kcdev.sys
- %PROGRAM_FILES%\Kings\KCDSA\gzcomposlist.ks_ в %PROGRAM_FILES%\Kings\KCDSA\gzcomposlist.ksf
- <DRIVERS>\KCDCDRH.sy_ в <DRIVERS>\KCDCDRH.sys
- %PROGRAM_FILES%\Kings\KCDSA\KCDMsg.dl_ в %PROGRAM_FILES%\Kings\KCDSA\KCDMsg.dll
- %PROGRAM_FILES%\Kings\KCDSA\KCDKsf.dl_ в %PROGRAM_FILES%\Kings\KCDSA\KCDKsf.dll
- %PROGRAM_FILES%\Kings\KCDSA\KCDSALog.dl_ в %PROGRAM_FILES%\Kings\KCDSA\KCDSALog.dll
- %PROGRAM_FILES%\Kings\KCDSA\mskcd.ex_ в %PROGRAM_FILES%\Kings\KCDSA\mskcd.exe
- %PROGRAM_FILES%\Kings\KCDSA\kcdsvc.ex_ в %PROGRAM_FILES%\Kings\KCDSA\kcdsvc.exe
- %PROGRAM_FILES%\Kings\KCDSA\tsmclt.ex_ в %PROGRAM_FILES%\Kings\KCDSA\tsmclt.exe
- %PROGRAM_FILES%\Kings\KCDSA\kcdproctrl.dl_ в %PROGRAM_FILES%\Kings\KCDSA\kcdproctrl.dll
- %PROGRAM_FILES%\Kings\KCDSA\tsmc.ts_ в %PROGRAM_FILES%\Kings\KCDSA\tsmc.tsm
- %PROGRAM_FILES%\Kings\KCDSA\gzGetTime.dl_ в %PROGRAM_FILES%\Kings\KCDSA\gzGetTime.dll
- %PROGRAM_FILES%\Kings\KCDSA\DecryptionShell.dl_ в %PROGRAM_FILES%\Kings\KCDSA\DecryptionShell.dll
- %PROGRAM_FILES%\Kings\KCDSA\gzwr_dll.dl_ в %PROGRAM_FILES%\Kings\KCDSA\gzwr_dll.dll
- <DRIVERS>\gzndc.sy_ в <DRIVERS>\gzndc.sys
- %PROGRAM_FILES%\Kings\KCDSA\kcdev.dl_ в %PROGRAM_FILES%\Kings\KCDSA\kcdev.dll
- %PROGRAM_FILES%\Kings\KCDSA\gzndc.dl_ в %PROGRAM_FILES%\Kings\KCDSA\gzndc.dll
- <SYSTEM32>\gzuireq.ex_ в <SYSTEM32>\gzuireq.exe
- <SYSTEM32>\mshostgz.nv_ в <SYSTEM32>\mshostgz.nvu
- %PROGRAM_FILES%\Kings\KCDSA\images\btn_update.bm_ в %PROGRAM_FILES%\Kings\KCDSA\images\btn_update.bmp
- %PROGRAM_FILES%\Kings\KCDSA\images\background.bm_ в %PROGRAM_FILES%\Kings\KCDSA\images\background.bmp
- %PROGRAM_FILES%\Kings\KCDSA\images\btn_update_over.bm_ в %PROGRAM_FILES%\Kings\KCDSA\images\btn_update_over.bmp
- %PROGRAM_FILES%\Kings\KCDSA\gzeam.dl_ в %PROGRAM_FILES%\Kings\KCDSA\gzeam.dll
- %PROGRAM_FILES%\Kings\KCDSA\fwctrl.dl_ в %PROGRAM_FILES%\Kings\KCDSA\fwctrl.dll
- %PROGRAM_FILES%\Kings\KCDSA\kcdsaUI.ex_ в %PROGRAM_FILES%\Kings\KCDSA\kcdsaUI.exe
- %WINDIR%\Kingsutil\ksuchost.ex_ в %WINDIR%\Kingsutil\ksuchost.exe
- %WINDIR%\Kingsutil\svchost.ex_ в %WINDIR%\Kingsutil\svchost.exe
- %WINDIR%\Kingsutil\zprochild.ex_ в %WINDIR%\Kingsutil\zprochild.exe
- %PROGRAM_FILES%\Kings\KCDSA\kcdsaclt.ex_ в %PROGRAM_FILES%\Kings\KCDSA\kcdsaclt.exe
- %WINDIR%\Kingsutil\zproca.in_ в %WINDIR%\Kingsutil\zproca.ini
- %WINDIR%\Kingsutil\kcdhost.ex_ в %WINDIR%\Kingsutil\kcdhost.exe
- %PROGRAM_FILES%\Kings\KCDSA\kcdctrl.dl_ в %PROGRAM_FILES%\Kings\KCDSA\kcdctrl.dll
- %WINDIR%\Kingsutil\KCDRegSvc.ex_ в %WINDIR%\Kingsutil\kcdregsvc.exe
- <DRIVERS>\gzport.sy_ в <DRIVERS>\gzport.sys
- %PROGRAM_FILES%\Kings\KCDSA\kcdport.dl_ в %PROGRAM_FILES%\Kings\KCDSA\kcdport.dll
- %PROGRAM_FILES%\Kings\KCDSA\gzHDDC.dl_ в %PROGRAM_FILES%\Kings\KCDSA\gzHDDC.dll
- %PROGRAM_FILES%\Kings\KCDSA\kcdupclt.ex_ в %PROGRAM_FILES%\Kings\KCDSA\kcdupclt.exe
- %PROGRAM_FILES%\Kings\KCDSA\gzTransImg.dl_ в %PROGRAM_FILES%\Kings\KCDSA\gzTransImg.dll
- %PROGRAM_FILES%\Kings\KCDSA\kcdsacfg.in_ в %PROGRAM_FILES%\Kings\KCDSA\kcdsacfg.ini
- %PROGRAM_FILES%\Kings\KCDSA\KCDSAStatus.ex_ в %PROGRAM_FILES%\Kings\KCDSA\KCDSAStatus.exe
- %PROGRAM_FILES%\Kings\KCDSA\kcdlogclt.ex_ в %PROGRAM_FILES%\Kings\KCDSA\kcdlogclt.exe
Сетевая активность:
Подключается к:
- '15#.#00.2.165':80
- '15#.#00.2.165':43011
TCP:
Запросы HTTP POST:
- 15#.#00.2.165/guardzone/contents/auth/IPMAuth.do
Другое:
Ищет следующие окна:
- ClassName: '_kcdlogclt_' WindowName: '_kcdlogclt_'
- ClassName: '_tsmclt' WindowName: '_tsmclt'
- ClassName: '#32770' WindowName: 'KCDSAStatus Viewer'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: '_kcdhost' WindowName: 'kcdhost_'
- ClassName: '#32770' WindowName: 'Guard-Z UserInterface'
- ClassName: '#32770' WindowName: 'Guard-Z Client Updater'
- ClassName: '_zprodady_' WindowName: '_zprodady'
- ClassName: 'ZProcessCatcherHelper' WindowName: 'KINGS-ZPROCESSCATCHERHELPER'
- ClassName: 'ZProcessCatcher' WindowName: 'KINGS-ZPROCESSCATCHER'
- ClassName: '#32770' WindowName: 'Guard-Z Client'
- ClassName: 'KCDSvc' WindowName: 'KCDSvc'
- ClassName: '_zpromomy_' WindowName: '_zpromomy'
