Trojan.Encoder.25552

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'donut.exe' = '%TEMP%\MsJjsUY9tb0KwEmDN9bx7lxfW0chlAqw.exe'

Вредоносные функции:

Читает файлы, отвечающие за хранение паролей сторонними программами:

%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\signons.sqlite

Изменения в файловой системе:

Создает следующие файлы:

%TEMP%\MsJjsUY9tb0KwEmDN9bx7lxfW0chlAqw.exe
C:\Far2\Plugins\ExtSearch\doc\ENG_READ.TXT.donut
C:\Far2\Plugins\ExtSearch\doc\ENG_NEWS.TXT.donut
C:\Far2\Plugins\ExtSearch\doc\RUS_NEWS.TXT.donut
C:\Far2\Plugins\ExtSearch\sources\decrypt.txt
C:\Far2\Plugins\ExtSearch\sources\ExtClipBoard.cpp.donut
C:\Far2\Plugins\ExtSearch\sources\ExtSearch.hpp.donut
C:\Far2\Plugins\ExtSearch\sources\ExtRegExp.cpp.donut
C:\Far2\Plugins\Colorer\hrc\auto\types\auto.jar.donut
C:\Far2\Plugins\ExtSearch\sources\ExtChCase.cpp.donut
C:\Far2\Plugins\ExtSearch\sources\ExtMenu.cpp.donut
C:\Far2\Plugins\ExtSearch\sources\ExtSearchReg.cpp.donut
C:\Far2\Plugins\ExtSearch\sources\ExtSearchMix.cpp.donut
C:\Far2\Plugins\ExtSearch\sources\PLUGIN.HPP.donut
C:\Far2\Plugins\ExtSearch\sources\RegExp\decrypt.txt
C:\Far2\Plugins\ExtSearch\sources\RegExp\CLOCALE.CPP.donut
C:\Far2\Plugins\ExtSearch\sources\RegExp\CLOCALE.H.donut
C:\Far2\Plugins\ExtSearch\sources\RegExp\CREGEXP.CPP.donut
C:\Far2\Plugins\ExtSearch\doc\decrypt.txt
C:\Far2\Plugins\ExtSearch\sources\ExtSearch.cpp.donut
C:\Far2\Plugins\ExtSearch\doc\RUS_READ.TXT.donut
C:\Far2\Plugins\ExtSearch\doc\REGEXPS.TXT.donut
C:\Far2\Plugins\EMenu\EMenu.map.donut
C:\Far2\Plugins\EMenu\decrypt.txt
C:\Far2\Plugins\Brackets\decrypt.txt
C:\Far2\Plugins\Brackets\Brackets.map.donut
C:\Far2\Plugins\Colorer\decrypt.txt
C:\Far2\Plugins\Colorer\catalog.xml.donut
C:\Far2\Plugins\Colorer\hrc\decrypt.txt
C:\Far2\Plugins\Colorer\hrc\changes.txt.donut
C:\Far2\Plugins\Colorer\hrc\common.jar.donut
C:\Far2\Plugins\ExtSearch\sources\RegExp\CREGEXP.H.donut
C:\Far2\Plugins\Colorer\hrc\auto\types\decrypt.txt
C:\Far2\Plugins\arclite\arclite.map.donut
C:\Far2\Plugins\Colorer\hrd\decrypt.txt
C:\Far2\Plugins\Colorer\hrd\catalog-rgb.xml.donut
C:\Far2\Plugins\Colorer\hrd\catalog-console.xml.donut
C:\Far2\Plugins\Compare\decrypt.txt
C:\Far2\Plugins\Compare\Compare.map.donut
C:\Far2\Plugins\DrawLine\decrypt.txt
C:\Far2\Plugins\DrawLine\DrawLine.map.donut
C:\Far2\Plugins\EditCase\decrypt.txt
C:\Far2\Plugins\AutoWrap\decrypt.txt
C:\Far2\Plugins\EditCase\EditCase.map.donut
C:\Far2\Plugins\Colorer\hrd\catalog-text.xml.donut
C:\Far2\Plugins\AutoWrap\AutoWrap.map.donut
C:\Far2\Plugins\FarCmds\decrypt.txt
C:\Far2\Plugins\FTP\decrypt.txt
C:\Far2\PluginSDK\Headers.pas\FarColorW.pas.donut
C:\Far2\PluginSDK\Headers.pas\FarKeysW.pas.donut
C:\Far2\PluginSDK\Headers.pas\PluginW.pas.donut
<STUBS_DIR>\proc_browsers.txt.donut
<STUBS_DIR>\decrypt.txt
<STUBS_DIR>\proc_fake.txt.donut
<STUBS_DIR>\proc_banks.txt.donut
<STUBS_DIR>\proc_im.txt.donut
C:\Far2\PluginSDK\Headers.c\farkeys.hpp.donut
<STUBS_DIR>\proc_tools.txt.donut
<STUBS_DIR>\list_short.txt.donut
<STUBS_DIR>\proc_av.txt.donut
<STUBS_DIR>\list_full.txt.donut
<STUBS_DIR>\cbmain\decrypt.txt
<STUBS_DIR>\el_cli\decrypt.txt
<STUBS_DIR>\GVOnline\decrypt.txt
<STUBS_DIR>\kb_cli\decrypt.txt
<STUBS_DIR>\l2\decrypt.txt
C:\Far2\PluginSDK\Headers.c\farcolor.hpp.donut
C:\Far2\PluginSDK\Headers.pas\decrypt.txt
C:\Far2\PluginSDK\Headers.c\plugin.hpp.donut
C:\Far2\PluginSDK\Headers.c\decrypt.txt
%HOMEPATH%\Cookies\decrypt.txt
C:\Far2\Plugins\FTP\FarFtp.map.donut
C:\Far2\Plugins\FTP\FtpCmds_rus.txt.donut
C:\Far2\Plugins\FTP\Notes_rus.txt.donut
C:\Far2\Plugins\FTP\Notes.txt.donut
C:\Far2\Plugins\FTP\FtpCmds.txt.donut
C:\Far2\Plugins\FTP\lib\decrypt.txt
C:\Far2\Plugins\FTP\lib\ftpDirList.map.donut
C:\Far2\Plugins\FarCmds\FARCmds.map.donut
C:\Far2\Plugins\FileCase\FileCase.map.donut
C:\Far2\Plugins\FileCase\decrypt.txt
C:\Far2\Plugins\FTP\lib\ftpProgress.map.donut
C:\Far2\Plugins\MacroView\MacroView.map.donut
C:\Far2\Plugins\Network\decrypt.txt
C:\Far2\Plugins\Network\Network.map.donut
C:\Far2\Plugins\ProcList\decrypt.txt
C:\Far2\Plugins\ProcList\Proclist.map.donut
C:\Far2\Plugins\TmpPanel\decrypt.txt
C:\Far2\Plugins\TmpPanel\TmpPanel.map.donut
C:\Far2\Plugins\HlfViewer\decrypt.txt
C:\Far2\Plugins\HlfViewer\HlfViewer.map.donut
C:\Far2\Plugins\MacroView\decrypt.txt
C:\Far2\Plugins\arclite\decrypt.txt
C:\Far2\Plugins\Align\Align.map.donut
C:\Far2\Plugins\Align\decrypt.txt
%APPDATA%\Microsoft\Internet Explorer\brndlog.txt.donut
%APPDATA%\Mozilla\Firefox\decrypt.txt
%APPDATA%\Mozilla\Firefox\profiles.ini.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\compatibility.ini.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\decrypt.txt
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.ini.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\sessionstore.js.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\pluginreg.dat.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\search.json.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\sessionstore.bak.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\bookmarks.html.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\cookies.sqlite.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\downloads.sqlite.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\chromeappsstore.sqlite.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\permissions.sqlite.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.sqlite.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\formhistory.sqlite.donut
%APPDATA%\Microsoft\Address Book\%USERNAME%.wab.donut
%APPDATA%\Microsoft\Address Book\decrypt.txt
%APPDATA%\Microsoft\Internet Explorer\decrypt.txt
%HOMEPATH%\ntuser.ini.donut
%HOMEPATH%\decrypt.txt
C:\decrypt.txt
C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt.donut
C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.bak.donut
C:\Documents and Settings\Default User\Cookies\decrypt.txt
C:\Documents and Settings\Default User\Cookies\index.dat.donut
C:\Documents and Settings\Default User\SendTo\decrypt.txt
C:\Documents and Settings\Default User\Templates\excel4.xls.donut
C:\Documents and Settings\Default User\Templates\excel.xls.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\webappsstore.sqlite.donut
C:\Documents and Settings\Default User\Templates\powerpnt.ppt.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\cert8.db.donut
C:\Documents and Settings\Default User\Templates\decrypt.txt
C:\Documents and Settings\Default User\Templates\sndrec.wav.donut
C:\Documents and Settings\Default User\Templates\winword2.doc.donut
C:\Documents and Settings\LocalService\decrypt.txt
C:\Documents and Settings\LocalService\ntuser.ini.donut
C:\Documents and Settings\LocalService\Cookies\decrypt.txt
C:\Documents and Settings\NetworkService\decrypt.txt
C:\Documents and Settings\NetworkService\ntuser.ini.donut
C:\Documents and Settings\Default User\Templates\quattro.wb2.donut
C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\decrypt.txt
C:\Documents and Settings\Default User\Templates\winword.doc.donut
%APPDATA%\Microsoft\Internet Explorer\brndlog.bak.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\content-prefs.sqlite.donut
C:\Far2\Addons\README.TXT.donut
C:\Far2\Addons\Shell\FARHere.inf.donut
C:\Far2\Documentation\eng\decrypt.txt
C:\Far2\Documentation\eng\Plugins.Install.txt.donut
C:\Far2\Documentation\eng\Arc.Support.txt.donut
C:\Far2\Documentation\eng\Plugins.Review.txt.donut
C:\Far2\Documentation\eng\Bug.Report.txt.donut
C:\Far2\Documentation\eng\Far.FAQ.txt.donut
C:\Far2\Addons\decrypt.txt
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\signons.sqlite.donut
C:\Far2\Addons\Shell\decrypt.txt
C:\Far2\Documentation\eng\TechInfo.txt.donut
C:\Far2\Documentation\rus\Arc.Support.txt.donut
C:\Far2\Documentation\rus\Bug.Report.txt.donut
C:\Far2\Documentation\rus\TechInfo.txt.donut
C:\Far2\Documentation\rus\Far.FAQ.txt.donut
C:\Far2\Plugins\7-Zip\decrypt.txt
C:\Far2\Plugins\7-Zip\7zToFar.ini.donut
C:\Far2\Plugins\7-Zip\far7z.txt.donut
C:\Far2\Documentation\rus\decrypt.txt
C:\Far2\Documentation\rus\Plugins.Review.txt.donut
C:\Far2\Documentation\rus\Plugins.Install.txt.donut
<STUBS_DIR>\proc_games.txt.donut
<STUBS_DIR>\lin\decrypt.txt
%HOMEPATH%\Templates\powerpnt.ppt.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\places.sqlite.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\prefs.js.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\key3.db.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\secmod.db.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\bookmarkbackups\decrypt.txt
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\bookmarkbackups\bookmarks-2011-11-10.json.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\chrome\decrypt.txt
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\chrome\userContent-example.css.donut
C:\Far2\decrypt.txt
C:\Far2\far.map.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\chrome\userChrome-example.css.donut
%HOMEPATH%\SendTo\decrypt.txt
%HOMEPATH%\Templates\decrypt.txt
%HOMEPATH%\Templates\sndrec.wav.donut
%HOMEPATH%\Templates\winword2.doc.donut
%HOMEPATH%\Templates\excel4.xls.donut
%HOMEPATH%\Templates\winword.doc.donut
%HOMEPATH%\Templates\quattro.wb2.donut
%HOMEPATH%\Templates\excel.xls.donut
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\search.sqlite.donut
%HOMEPATH%\Cookies\index.dat.donut
%TEMP%\wallpaper.bmp

Сетевая активность:

Подключается к:

'wp#d':80
'88.#9.48.80':80

TCP:

Запросы HTTP GET:

http://11#.#11.111.1/wpad.dat via wp#d

Запросы HTTP POST:

http://88.#9.48.80/donut/client.php

UDP:

DNS ASK wp#d

Другое:

Создает и запускает на исполнение:

'%TEMP%\MsJjsUY9tb0KwEmDN9bx7lxfW0chlAqw.exe'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней