Trojan.DownLoader26.51560

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'run' = '%WINDIR%\boy.exe'
[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\boy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'Explorer.exe %WINDIR%\boy.exe'

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\Application Layre Gateway Service] 'ImagePath' = 'cmd.exe /c start %WINDIR%\boy.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\iis] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\iis] 'ImagePath' = '"%WINDIR%\IIS\srvany.exe" '

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\IIS\CPUInfo.exe
%WINDIR%\IIS\posh-0.dll
%WINDIR%\IIS\posh.dll
%WINDIR%\IIS\pcreposix-0.dll
%WINDIR%\IIS\pcrecpp-0.dll
%WINDIR%\IIS\pcre-0.dll
%WINDIR%\IIS\riar-2.dll
%WINDIR%\IIS\pcla-0.dll
%WINDIR%\IIS\libiconv-2.dll
%WINDIR%\IIS\libeay32.dll
%WINDIR%\IIS\libcurl.dll
%WINDIR%\IIS\iconv.dll
%WINDIR%\IIS\exma-1.dll
%WINDIR%\IIS\exma.dll
%WINDIR%\IIS\libxml2.dll
%WINDIR%\IIS\cnli-1.dll
%WINDIR%\IIS\ssleay32.dll
%WINDIR%\IIS\zlib1.dll
%WINDIR%\IIS\zibe.dll
%WINDIR%\IIS\xdvl-0.dll
%WINDIR%\IIS\ucl.dll
%WINDIR%\IIS\tucl-1.dll
%WINDIR%\IIS\tucl.dll
%WINDIR%\IIS\etebCore-2.x86.dll
%WINDIR%\IIS\riar.dll
%WINDIR%\IIS\trfo.dll
%WINDIR%\IIS\trch-1.dll
%WINDIR%\IIS\trch-0.dll
%WINDIR%\IIS\trch.dll
%WINDIR%\IIS\tibe-2.dll
%WINDIR%\IIS\tibe-1.dll
%WINDIR%\IIS\trfo-0.dll
%WINDIR%\IIS\tibe.dll
%WINDIR%\IIS\etebCore-2.x64.dll
%WINDIR%\IIS\eteb-2.dll
%WINDIR%\IIS\etchCore-0.x86.dll
%WINDIR%\IIS\chrome..exe
%WINDIR%\boy.exe
%WINDIR%\end.bat
%WINDIR%\IIS\srvany.exe
%WINDIR%\IIS\iis.reg
%WINDIR%\IIS\1.BAT
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\ip.3322[1]
%WINDIR%\IIS\qdx.bat
%WINDIR%\IIS\Esteemaudit-2.1.0.fb
%WINDIR%\IIS\chrome..fb
%WINDIR%\IIS\Cstr.exe
%WINDIR%\IIS\Cstr.fb
%WINDIR%\IIS\Cstr.xml
%WINDIR%\IIS\Esteemaudit-2.1.0.exe
%WINDIR%\IIS\chrome..xml
%WINDIR%\IIS\trfo-2.dll
%WINDIR%\IIS\Esteemaudittouch-2.1.0.exe
%WINDIR%\IIS\Eternalchampion-2.0.0.exe
%WINDIR%\IIS\Esteemaudittouch-2.1.0.xml
%WINDIR%\IIS\etchCore-0.x64.dll
%WINDIR%\IIS\etch-0.dll
%WINDIR%\IIS\esco-0.dll
%WINDIR%\IIS\dmgd-4.dll
%WINDIR%\IIS\dmgd-1.dll
%WINDIR%\IIS\Esteemaudittouch-2.1.0.fb
%WINDIR%\IIS\crli-0.dll
%WINDIR%\IIS\Esteemaudit-2.1.0.xml
%WINDIR%\IIS\cnli-0.dll
%WINDIR%\IIS\adfw-2.dll
%WINDIR%\IIS\adfw.dll
%WINDIR%\IIS\Eternalchampion-2.0.0.xml
%WINDIR%\IIS\Eternalchampion-2.0.0.fb
%WINDIR%\IIS\coli-0.dll
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\ips138[1].asp

Удаляет следующие файлы:

<Полный путь к файлу>
%WINDIR%\end.bat
%WINDIR%\IIS\qdx.bat
%WINDIR%\IIS\1.BAT

Сетевая активность:

Подключается к:

'gx.##shnice.org':8888
'ip.#322.net':80
'ip##8.com':80

TCP:

Запросы HTTP GET:

http://ip.#322.net/
http://www.ip##8.com/ips138.asp?ip#### via ip##8.com

UDP:

DNS ASK gx.##shnice.org
DNS ASK ip.#322.net
DNS ASK www.ip##8.com

Другое:

Ищет следующие окна:

ClassName: '' WindowName: 'CPUInfo.exe'
ClassName: '#32770' WindowName: 'chrome..exe - ????????????'
ClassName: '#32770' WindowName: 'chrome..exe - У¦УГіМРтґнОу'
ClassName: 'RegEdit_RegEdit' WindowName: ''

Создает и запускает на исполнение:

'%WINDIR%\IIS\CPUInfo.exe'

Запускает на исполнение:

'<SYSTEM32>\cmd.exe' /c del "<Полный путь к файлу>"
'<SYSTEM32>\cmd.exe' /c ""%WINDIR%\end.bat" "
'<SYSTEM32>\netsh.exe' ipsec static add policy name=ipsec_ply
'<SYSTEM32>\sc.exe' Create "Application Layre Gateway Service" type= own type= interact start= demand DisplayName= "Can not be deleted" binPath= "cmd.exe /c start "%WINDIR%\boy.exe"
'<SYSTEM32>\cmd.exe' /c ""%WINDIR%\IIS\1.BAT" "
'<SYSTEM32>\cmd.exe' /c ""%WINDIR%\IIS\qdx.bat" "
'%WINDIR%\regedit.exe' /s iis.reg
'<SYSTEM32>\schtasks.exe' /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "%WINDIR%\IIS\CPUInfo.exe" /SC ONSTART