Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\NgVpnMgr] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- <SYSTEM32>\ngvpnmgr.exe
- %TEMP%\ckz_V8AW\ngsetup.exe -f=ngsetup.ini
Запускает на исполнение:
- <SYSTEM32>\msiexec.exe -Embedding 1B52BBA80E911705962476E97DFC0E85
- <SYSTEM32>\runonce.exe -r
- <SYSTEM32>\msiexec.exe /Y "%WINDIR%\ngwinx.dll"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\ckz_V8AW\ng.bat" "
- <SYSTEM32>\msiexec.exe /V
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\ngmsgs.dll
- %WINDIR%\ngwinx.dll
- <SYSTEM32>\ngras.dll
- <SYSTEM32>\ngclient.dll
- %WINDIR%\inf\ngvpn.inf
- <SYSTEM32>\ngmonitor.exe
- <SYSTEM32>\nglocenu.dll
- %WINDIR%\Temp\Top.bmp
- <DRIVERS>\nglog.sys
- %WINDIR%\Installer\MSI1.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- <DRIVERS>\ngvpn.sys
- <SYSTEM32>\ngdial.exe
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\RestorePointSize
- C:\Config.Msi\22f27.rbs
- %WINDIR%\inf\oem3.PNF
- <DRIVERS>\SET5.tmp
- %WINDIR%\ngmsi.dll
- %WINDIR%\inf\oem3.inf
- %ALLUSERSPROFILE%\Desktop\Aventail 8.8 Tunnel Client.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\Aventail\Aventail 8.8 Tunnel Client.lnk
- %ALLUSERSPROFILE%\Application Data\Aventail\nglog.lgf
- %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\aventail.pbk
- %PROGRAM_FILES%\Aventail Connect\ngvpn.cat
- %WINDIR%\ngutil.exe
- <DRIVERS>\ngfilter.sys
- <SYSTEM32>\ngvpnmgr.exe
- <SYSTEM32>\ngupdate.exe
- <SYSTEM32>\nghelp.chm
- %WINDIR%\ngevent.dll
- <SYSTEM32>\nglogon.dll
- <SYSTEM32>\ngcommon.dll
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\rp.log
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
- %TEMP%\ckz_V8AW\ngsetup.exe
- %ALLUSERSPROFILE%\Application Data\Aventail\ngsetup.log
- %TEMP%\ckz_V8AW\ngsetup.ini
- %TEMP%\ckz_V8AW\ng.bat
- %WINDIR%\Installer\22f24.msi
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.msi
- %ALLUSERSPROFILE%\Application Data\Aventail\ngsetup.ini
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\drivetable.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\drivetable.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
Удаляет следующие файлы:
- %WINDIR%\Installer\22f24.msi
- %WINDIR%\Installer\22f26.ipi
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.msi
- C:\Config.Msi\22f27.rbs
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.inf
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.sys
- %WINDIR%\Installer\MSI1.tmp
Сетевая активность:
Подключается к:
- 'cr#.#hawte.com':80
- 'wp#d':80
TCP:
Запросы HTTP GET:
- cr#.#hawte.com/ThawteCodeSigningCA.crl
- cr#.#hawte.com/ThawtePremiumServerCA.crl
- wp#d/wpad.dat
UDP:
- DNS ASK cr#.#hawte.com
- DNS ASK wp#d
Другое:
Ищет следующие окна:
- ClassName: 'MsiDialogCloseClass' WindowName: 'Aventail Connect Setup Wizard'
- ClassName: 'Shell_TrayWnd' WindowName: ''
