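Техническая информация
Подзаголовки разделов в этом фрагменте отсутствуют, поэтому по самому списку нельзя определить, какое действие соответствует каждой группе строк. Ниже по порядку идут: запись автозапуска в реестре (ключ Run), командные строки процессов (dllhost.exe с нечитаемыми аргументами и cmd.exe с вызовами takeown/icacls, которые передают владение каталогами %WINDIR%, <SYSTEM32> и <SYSTEM32>\dllcache и выдают пользователю %USERNAME% полный доступ к ним), имена процессов (в основном антивирусных продуктов), пути к файлам и классы окон (в основном браузеров).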
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'A0B7' = '%ProgramFiles%\FireFox\UFJNRC.exe'
- '<SYSTEM32>\dllhost.exe' "5;69&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]EGGK\5PMVҐ&
- '<SYSTEM32>\dllhost.exe' "5;5;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]QGGO\\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "5;77&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]ZGGKG\0EU[¤(
- '<SYSTEM32>\dllhost.exe' "5;9;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]ZGG[U\0EDY¤(
- '<SYSTEM32>\dllhost.exe' "5;89&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]EGGK\\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "<47'(D=^HUH\OFQYW&INF$VJ[ZJQIWbZYPY\RE\dARTONJGULQR&IHVB_NHKVTKXLJZbSHEEMZ5FSYҐ&
- '<SYSTEM32>\dllhost.exe' "5:;7&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]PGGG3JNCЈ'
- '<SYSTEM32>\dllhost.exe' "5:;;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]WGGKS\0PF]¤(
- '<SYSTEM32>\dllhost.exe' "5:>=&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]WGGOR\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "5:=;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]VGG4SSUЎ%
- '<SYSTEM32>\dllhost.exe' "5;:=&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]OGGKH\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "635;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]JGGO[\0EU[¤(
- '<SYSTEM32>\dllhost.exe' "5<>9&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]YGGOX\0PF]¤(
- '<SYSTEM32>\dllhost.exe' "636=&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]GGGGW5FBWҐ&
- '<SYSTEM32>\dllhost.exe' "557?&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]ZGGGU\0EDY¤(
- '<SYSTEM32>\dllhost.exe' "6377&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]\GGGW\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "5<5;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]QGGO3JNCЈ'
- '<SYSTEM32>\dllhost.exe' "599?&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]GGGK3JNCЈ'
- '<SYSTEM32>\dllhost.exe' "5<97&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]QGGK3JNCЈ'
- '<SYSTEM32>\dllhost.exe' "5<=7&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]YGGGX\0PF]¤(
- '<SYSTEM32>\dllhost.exe' "5<<=&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]YGGG3JNCЈ'
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>" /grant %USERNAME%:F
- '<SYSTEM32>\cmd.exe' /C takeown /f "<SYSTEM32>"
- '<SYSTEM32>\cmd.exe' /C takeown /f "<SYSTEM32>\dllcache"
- '<SYSTEM32>\dllhost.exe' "597?&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]QGGGS\0PF]¤(
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>\dllcache" /grant %USERNAME%:F
- '<SYSTEM32>\dllhost.exe' "5:<9&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]JGGUQ\0EU[¤(
- '<SYSTEM32>\dllhost.exe' "5777&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]UGGKW\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "58;;&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]\GGGW\0DOG¤(
- '<SYSTEM32>\cmd.exe' /C icacls "%WINDIR%" /grant %USERNAME%:F
- '<SYSTEM32>\cmd.exe' /C takeown /f "%WINDIR%"
- '<SYSTEM32>\dllhost.exe' "59:=&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]QGGU3JNCЈ'
- '<SYSTEM32>\dllhost.exe' "5:69&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]SGG4SSUЎ%
- '<SYSTEM32>\dllhost.exe' "5:5?&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]OGGGW\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "5:77&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]SGG4SSUЎ%
- '<SYSTEM32>\dllhost.exe' "5:97&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]FGGGH5FBWҐ&
- '<SYSTEM32>\dllhost.exe' "5:57&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]SGGG[5FBWҐ&
- '<SYSTEM32>\dllhost.exe' "=75'(D=^HUH\OFQYW&INF$VJ[ZJQIWbZYPY\RE\dARTONJGULQR&IHVB_NHKVTKXLJZbUHEEYZ5QD[Ґ&
- '<SYSTEM32>\dllhost.exe' "=8;'(D=^HUH\OFQYW&INF$VJ[ZJQIWbZYPY\RE\dARTONJGULQR&IHVB_NHKVTKXLJZbIHE2TQZў#
- '<SYSTEM32>\dllhost.exe' "<99'(D=^HUH\OFQYW&INF$VJ[ZJQIWbZYPY\RE\dARTONJGULQR&IHVB_NHKVTKXLJZbWHEEXZ5EMEҐ&
- '<SYSTEM32>\dllhost.exe' "59<=&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]FGGGH\0DOG¤(
- '<SYSTEM32>\dllhost.exe' "59;7&#F<`JTJWNHSXY(APH#XLZULPKYa\TO[^QG^\CTSQPIBWKST%KCUDaMJMNVMWNLY]FGGGH5FBWҐ&
- <SYSTEM32>\dllhost.exe
- Drwebwcl.exe
- Drwebupw.exe
- drweb386.exe
- fsav32.exe
- mpftray.exe
- fsavgui.exe
- fsavaui.exe
- Drweb32w.exe
- AVGCC32.EXE
- ageofconan.exe
- 360tray.exe
- AVGCTRL.EXE
- ClamWin.exe
- bdsubmit.exe
- bdagent.exe
- %APPDATA%\Identities\sec.nls
- %APPDATA%\Identities\tecenu.ocx
- %APPDATA%\Identities\recagu.drv
- %APPDATA%\Identities\becew.nls
- %APPDATA%\Identities\neciwu.clb
- %APPDATA%\Identities\tecimu.clb
- %APPDATA%\Identities\meca.clb
- %APPDATA%\Identities\cecacu.clb
- %APPDATA%\Identities\cecac.dat
- %APPDATA%\Identities\vecaru.clb
- %APPDATA%\Identities\pecav.dat
- %APPDATA%\Identities\pec.nls
- %APPDATA%\Identities\lecaru.clb
- %APPDATA%\Identities\vecisu.ocx
- %APPDATA%\Identities\vecasu.ocx
- %APPDATA%\Identities\veca.clb
- %APPDATA%\Identities\wecapu.dat
- %APPDATA%\Identities\decar.dat
- %APPDATA%\Identities\gecivu.drv
- %APPDATA%\Identities\nece.clb
- %APPDATA%\Identities\wecupu.dat
- %APPDATA%\Identities\becewu.clb
- %APPDATA%\Identities\wecebu.drv
- %APPDATA%\Identities\neci.clb
- %APPDATA%\Identities\dece.clb
- %APPDATA%\Identities\lececu.clb
- %APPDATA%\Identities\tecasu.ocx
- %ProgramFiles%\FireFox\cecuru.clb
- %ProgramFiles%\FireFox\UFJNRC.exe
- %APPDATA%\Identities\necanu.ocx
- %HOMEPATH%\My Documents\My Music\~$%USERNAME%_Assignment.log
- %HOMEPATH%\My Documents\82428.ishu
- %HOMEPATH%\My Documents\~$%USERNAME%_Presentation.xlsx
- %APPDATA%\Identities\yecaru.clb
- %APPDATA%\Identities\nv 2
- %APPDATA%\Identities\receru.clb
- %APPDATA%\con.79506
- %APPDATA%\Identities\gecolu.drv
- %APPDATA%\Identities\con.B183
- %APPDATA%\Identities\CV
- %ALLUSERSPROFILE%\Documents\My Pictures\98F26.ishu
- %ALLUSERSPROFILE%\Documents\My Pictures\~$%USERNAME%_Research.docx
- %ALLUSERSPROFILE%\Documents\My Music\90090.ishu
- %APPDATA%\Identities\hec.nls
- %ALLUSERSPROFILE%\Documents\My Videos\926A9.ishu
- %ALLUSERSPROFILE%\Documents\My Videos\~$%USERNAME%_Document.ppt
- %ALLUSERSPROFILE%\Documents\My Music\~$%USERNAME%_Research.xls
- %APPDATA%\Identities\neco.clb
- %HOMEPATH%\My Documents\My Pictures\~$%USERNAME%_Assignment.txt
- %HOMEPATH%\My Documents\My Music\98266.ishu
- %ALLUSERSPROFILE%\Documents\7A252.ishu
- %ALLUSERSPROFILE%\Documents\~$%USERNAME%_Index.accdb
- %HOMEPATH%\My Documents\My Pictures\A10FC.ishu
- ClassName: 'OperaWindowClass' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Chrome_RenderWidgetHostHWND' WindowName: ''
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'TfrmBrowserMDIMain.Avant.UnicodeClass' WindowName: ''
- ClassName: 'SlimBrowser MainFrameW' WindowName: ''
- ClassName: 'iQFrame' WindowName: ''
- ClassName: 'Chrome_AutocompleteEditView' WindowName: ''
- ClassName: 'MozillaContentWindowClass' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: ''
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'MozillaUIWindowClass' WindowName: ''
- ClassName: 'Chrome_WidgetWin_1' WindowName: ''
- ClassName: 'Chrome_WidgetWin_0' WindowName: ''
- ClassName: 'MozillaWindowClass' WindowName: ''