Trojan.AVKill.17199

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysInspector.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysRescue.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zyzoom_HijackThis.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KeyScrambler.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiLogger.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smsniff.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regshot.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Port_Killer.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Имя вируса>' = '<Полный путь к вирусу>'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Имя вируса>' = '%WINDIR%\%USERNAME%.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wireshark.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boda fire-wall.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TIGeR-Firewall.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUC30.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrzState2k.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DF5Serv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Armor2net.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCmd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimpl.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTSS.scr] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimp2.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcfgex.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthUpd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswupdsv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfrw.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe] 'Debugger' = 'ntsd -d'

Вредоносные функции:

Запускает на исполнение:

<SYSTEM32>\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v <Имя вируса> /t REG_SZ /d <Полный путь к вирусу>

Завершает или пытается завершить

следующие пользовательские процессы:

ekrn.exe
AVP.EXE
ashAvast.exe

Изменения в файловой системе:

Создает следующие файлы:

Присваивает атрибут 'скрытый' для следующих файлов:

<Полный путь к вирусу>

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней