Trojan.MulDrop3.877

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrogAgent.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\katmain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kendymain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSrv.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xx1.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'avpx' = '%PROGRAM_FILES%\Internet Explorer\ctfmon.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xx3.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xx2.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvprescan.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnipeSword.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcrmon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acasp.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBMon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.kxp] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxtray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'

Вредоносные функции:

Создает и запускает на исполнение:

%PROGRAM_FILES%\Internet Explorer\ctfmon.exe

Запускает на исполнение:

<SYSTEM32>\cmd.exe /c "%PROGRAM_FILES%\Internet Explorer\Kill.bat"
%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://www.11##h.com/www.asp?t=###########################

Изменения в файловой системе:

Создает следующие файлы:

C:\autorun.inf
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\kyun[1].txt
%PROGRAM_FILES%\Internet Explorer\Kill.bat
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\qx[1].txt
%TEMP%\wulala.exe
%PROGRAM_FILES%\Internet Explorer\ctfmon.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\tz[1].htm
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\www[1].asp

Присваивает атрибут 'скрытый' для следующих файлов:

C:\autorun.inf

Удаляет следующие файлы:

%PROGRAM_FILES%\Internet Explorer\ctfmon.exe
%TEMP%\wulala.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\www[1].asp

Сетевая активность:

Подключается к:

'www.11##h.com':80
'www.wm##0.cn':80
'qq##.vicp.net':80
'localhost':1037
'www.bb##123.cn':80
'localhost':1039

TCP:

Запросы HTTP GET:

www.wm##0.cn/kyun.txt
qq##.vicp.net/qx.txt
www.bb##123.cn/tz.htm
www.11##h.com/www.asp?t=###########################

UDP:

DNS ASK www.wm##0.cn
DNS ASK qq##.vicp.net
DNS ASK www.bb##123.cn
DNS ASK www.11##h.com

Другое:

Ищет следующие окна:

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: '' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней