Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccregvfy.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwizreg.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boxmod.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extdb.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frameworkservice.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frwstub.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avtask.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet002\Services\COMSysApp] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet003\Services\COMSysApp] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\COMSysApp] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\6to4] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\WmiSvc] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- %TEMP%\tem81.exe
Запускает на исполнение:
- %WINDIR%\regedit.exe -s "%TEMP%\0reg.reg"
- <SYSTEM32>\rundll32.exe "%CommonProgramFiles%\Microsoft Shared\0.dll",polmxhat
- <SYSTEM32>\rundll32.exe "%TEMP%\0reg.dll",polmxhat
- <SYSTEM32>\cmd.exe /c ""%TEMP%\TempDel.bat" "
- %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://www.dy##04.com/msn/mm.htm
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: 'OLLYDBG' WindowName: ''
Изменения в файловой системе:
Создает следующие файлы:
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OMHFGZ01\mm[1].txt
- C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8X6R8PEB\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J8K37OHF\desktop.ini
- %TEMP%\0reg.reg
- %CommonProgramFiles%\Microsoft Shared\0.dll
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OMHFGZ01\mm[1].htm
- %TEMP%\0reg.dll
- %CommonProgramFiles%\Microsoft Shared\0.exe
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LPZVKSRP\desktop.ini
- <SYSTEM32>\6to4.dll
- %TEMP%\0.dll
- %TEMP%\tem81.exe
- %TEMP%\fja1.tmp
- <SYSTEM32>\dllcache\6to4.dll
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OMHFGZ01\desktop.ini
- %TEMP%\TempDel.bat
- <DRIVERS>\WmiSvc.sys
Присваивает атрибут 'скрытый' для следующих файлов:
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J8K37OHF\desktop.ini
- C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8X6R8PEB\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OMHFGZ01\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LPZVKSRP\desktop.ini
Удаляет следующие файлы:
- %TEMP%\0reg.reg
- %TEMP%\0.dll
- %TEMP%\tem81.exe
- %TEMP%\0reg.dll
Сетевая активность:
Подключается к:
- 'localhost':1040
- '85####060.3322.org':80
- 'localhost':1038
- 'www.dy##04.com':80
TCP:
Запросы HTTP GET:
- www.dy##04.com/msn/mm.htm
- www.dy##04.com/msn/mm.txt
UDP:
- DNS ASK 85####060.3322.org
- DNS ASK www.dy##04.com
- '<IP-адрес в локальной сети>':1037
Другое:
Ищет следующие окна:
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
