Trojan.MulDrop9.50749

Техническая информация

Для обеспечения автозапуска и распространения

Модифицирует следующие ключи реестра

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pos.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mqtgmsvc.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dsweb.exe] 'debugger' = 'drmsvc.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seth.exe] 'debugger' = 'drmsvc.exe'

Вредоносные функции

Запускает на исполнение

'<SYSTEM32>\taskkill.exe' /f /im renimin.exe /T
'<SYSTEM32>\taskkill.exe' /f /im renimin.exe
'<SYSTEM32>\taskkill.exe' /f /im grafil.exe
'<SYSTEM32>\taskkill.exe' /f /im grafchek.exe
'<SYSTEM32>\taskkill.exe' /f /im defrg.exe
'<SYSTEM32>\taskkill.exe' /f /im Storchk.exe
'<SYSTEM32>\taskkill.exe' /f /im Storchk.exe /T
'<SYSTEM32>\taskkill.exe' /f /im rstyle.exe /t
'<SYSTEM32>\taskkill.exe' /f /im upsabi.exe
'<SYSTEM32>\taskkill.exe' /f /im plugin-container.exe

Изменения в файловой системе

Создает следующие файлы

%WINDIR%\tcpsv\upt.bat
%WINDIR%\tcpsv\chker
%WINDIR%\tcpsv\goer.eta
%WINDIR%\kopalor.sql
%WINDIR%\filgrb8.ocx
%WINDIR%\dex.crt
%WINDIR%\spt.tpl

Другое

Ищет следующие окна

ClassName: 'EDIT' WindowName: ''
ClassName: '' WindowName: ''

Запускает на исполнение

'<SYSTEM32>\cmd.exe' /c ""%WINDIR%\tcpsv\upt.bat" "
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssms.exe" /f
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seth.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ams.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdgmgr.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fturl.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\slscv.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amsql.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmsdll.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmisrv.exe" /f
'<SYSTEM32>\cmd.exe' /c rstyle.exe
'<SYSTEM32>\ping.exe' -n 2 127.0.0.1
'<SYSTEM32>\cmd.exe' /S /D /c" echo yes"
'<SYSTEM32>\ping.exe' -n 5 127.0.0.1
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dsweb.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe" /f
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscnrfy.exe\PerfOptions" /v CpuPriorityClass /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mqtgmsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pos.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
'<SYSTEM32>\reg.exe' add "HKCU\Control Panel\International" /v sShortDate /t REG_SZ /d "dd.MM.yyyy" /f
'<SYSTEM32>\reg.exe' add "HKCU\Control Panel\International" /v sDate /t REG_SZ /d "." /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsm.exe" /f
'<SYSTEM32>\ping.exe' -n 1 127.0.0.1
'<SYSTEM32>\ping.exe' -n 3 127.0.0.1
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe" /f