Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WTST' = '<SYSTEM32>\wapisvtr.exe'
- [<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A00C40B-DA85-4aa3-A67F-582D9347EECD}] 'Exec' = '<SYSTEM32>\IEDriver\TD.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WhenUSave' = '%PROGRAM_FILES%\Save\Save.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WhenUSearch' = '%PROGRAM_FILES%\WhenUSearch\Search.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ClockSync' = '%PROGRAM_FILES%\ClockSync\Sync.exe /q'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'IEDriver' = '<SYSTEM32>\IEDriver\IEDriver.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AutoLoaderAproposClient' = '"c:\sys_ai_client_loader.exe" /HideUninstall /PC="AM.WILD" /ShowLegalNote=nonbranded'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'updater' = '%CommonProgramFiles%\updater\wupdater.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Dsi' = '<SYSTEM32>\dp-k13w13.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Tcub' = '%APPDATA%\aumb.exe'
Вредоносные функции:
Создает и запускает на исполнение:
- %APPDATA%\aumb.exe
- %PROGRAM_FILES%\eXact\exactUpdate.exe -s exacttoolbar -w %PROGRAM_FILES%\exact\
- %PROGRAM_FILES%\IncrediFind\BHO\Tipb.exe 70E383DC-781B-4156-A1F6-398AE81FB9BAstart
- <SYSTEM32>\IEDriver\IEDRIVER.EXE SW_SHOWMINIMIZED
- %TEMP%\GLJ5.tmp %PROGRAM_FILES%\eXact\eXactToolbar.dll
- %PROGRAM_FILES%\Save\Save.exe
- <SYSTEM32>\wapisvtr.exe /no_ads
- <SYSTEM32>\IEDriver\ieupdate.exe
- %PROGRAM_FILES%\IncrediFind\BHO\Tipb.exe 70E383DC-781B-4156-A1F6-398AE81FB9BAended
- %PROGRAM_FILES%\ClockSync\Sync.exe
- %PROGRAM_FILES%\WhenUSearch\Search.exe
- <SYSTEM32>\dp-k13w13.exe SW_SHOWMINIMIZED
- C:\incredifind.exe
- C:\setup233.exe
- C:\install_george.exe
- C:\SaveInstCsSm.exe /tSTAT1203 /d"Statblaster" /f"%PROGRAM_FILES%\WildArcade\BlasterBlocks\uninst.exe" /x
- C:\sys_ai_client_loader.exe /HideUninstall /PC="AM.WILD" /ShowLegalNote=nonbranded
- C:\exactSetup.exe
- %CommonProgramFiles%\updater\wupdater.exe
- %PROGRAM_FILES%\IncrediFind\BHO\Tipb.exe dateandtime
- %TEMP%\rs.exe
- %TEMP%\GLB2.tmp 4736 c:\EXACTS~1.EXE
- %TEMP%\updaterInstall_111.exe
Запускает на исполнение:
- <SYSTEM32>\cacls.exe %PROGRAM_FILES%\eXact /T /E /C /G Everyone:F
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\svchost.exe
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\WhenUSearch\Content~\images\down_state.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\dollar_icon2.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_border_right.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_border_corner.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\dollar_icon.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\corner_top_left.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\corner_bottom_left.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\coupon_star.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\coupon_cart.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_gotosite.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_corner_bottom_.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\link.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_close_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_bottom_bg.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_border_top.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_close.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\instructions_bottom_left.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\index.htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\tracker[1].cfm
- %PROGRAM_FILES%\WhenUSearch\Content~\more.html
- %PROGRAM_FILES%\WhenUSearch\Content~\instructions.html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mgmt[1].htm
- %PROGRAM_FILES%\WhenUSearch\search.db
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %PROGRAM_FILES%\Save\save.db
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_specials.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_search_on.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_specials_on.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_specials_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_search_off.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_go.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\right.html
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_search_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\button_go_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_left.png
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_left.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_more_up.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_more_left.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_instructions_red.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_bg.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_close_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_instructions_on.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\right_instructions.gif
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\tracker[1].cfm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\toolbarinstalled[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mgmt[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ver2[1].php4
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\notify[1].php
- %PROGRAM_FILES%\WhenUSearch\Content~\images\spacer.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\search_star.gif
- <DRIVERS>\etc\hosts.bho
- %PROGRAM_FILES%\eXact\msg_log.txt
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch.png
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch2_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch2.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_searchbar_on.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_now.png
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_now.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_searchbar_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_searchbar.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_bottom_main.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_bottom_left_bg.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_close.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_bottom_main_bg.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_bottom_left.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch_down.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch2_on.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\more_bottom_bg.gif
- %PROGRAM_FILES%\WhenUSearch\Content~\images\logo_whenusearch_on.gif
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\35cd4993-8aca-444f-938a-f3e287f71a53
- %CommonProgramFiles%\updater\data1.dat
- %CommonProgramFiles%\updater\sui.exe
- %TEMP%\GLK8.tmp
- %CommonProgramFiles%\updater\data2.dat
- %TEMP%\GLJ5.tmp
- <SYSTEM32>\IEDriver\IEDriver.bin
- <SYSTEM32>\IEDriver\vi.tty
- %CommonProgramFiles%\updater\wupdater.exe
- %CommonProgramFiles%\updater\delupdat.exe
- %PROGRAM_FILES%\eXact\~GLH0002.TMP
- %PROGRAM_FILES%\IncrediFind\BHO\Tipb.exe
- %PROGRAM_FILES%\eXact\~GLH0004.TMP
- %PROGRAM_FILES%\eXact\~GLH0003.TMP
- %PROGRAM_FILES%\eXact\~GLH0001.TMP
- %TEMP%\GLGA.tmp
- %APPDATA%\aumb.exe
- %PROGRAM_FILES%\IncrediFind\BHO\IncFindBHO.dll
- %PROGRAM_FILES%\eXact\~GLH0000.TMP
- %TEMP%\WUSaveDf.cab
- C:\sys_ai_client_loader.exe
- %TEMP%\WUSave.cab
- %TEMP%\WUSave.inf
- C:\exactSetup.exe
- C:\SaveInstCsSm.exe
- C:\install_george.exe
- C:\setup233.exe
- C:\incredifind.exe
- <SYSTEM32>\IEDriver\ieupdate.exe
- %TEMP%\rs.exe
- <SYSTEM32>\IEDriver\vii.tty
- %TEMP%\GLC4.tmp
- <SYSTEM32>\IEDriver\sx.htm
- %TEMP%\updaterInstall_111.exe
- %TEMP%\GLB2.tmp
- <SYSTEM32>\IEDriver\IEDRIVER.EXE
- <SYSTEM32>\dp-k13w13.exe
- %PROGRAM_FILES%\ClockSync\SET16.tmp
- %PROGRAM_FILES%\ClockSync\SET15.tmp
- %PROGRAM_FILES%\WhenUSearch\SET17.tmp
- %PROGRAM_FILES%\ClockSync\dnldstub.cfg
- %PROGRAM_FILES%\ClockSync\SET14.tmp
- %PROGRAM_FILES%\Save\SET12.tmp
- %PROGRAM_FILES%\Save\SET11.tmp
- %PROGRAM_FILES%\ClockSync\SET13.tmp
- %HOMEPATH%\Start Menu\Programs\PurityScan\PurityScan.lnk
- %PROGRAM_FILES%\WhenUSearch\SET1F.tmp
- %HOMEPATH%\Start Menu\Programs\WhenUSearch\WhenUSearch Toolbar.lnk
- %PROGRAM_FILES%\WhenUSearch\SET20.tmp
- %PROGRAM_FILES%\WhenUSearch\SET1C.tmp
- %PROGRAM_FILES%\WhenUSearch\SET19.tmp
- %PROGRAM_FILES%\WhenUSearch\SET18.tmp
- %PROGRAM_FILES%\WhenUSearch\SET1B.tmp
- %PROGRAM_FILES%\WhenUSearch\SET1A.tmp
- %PROGRAM_FILES%\eXact\INSTALL.LOG
- %TEMP%\auf0.exe
- %PROGRAM_FILES%\Save\SETB.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\notify[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\AproposClientInstaller[1].exe
- <SYSTEM32>\IEDriver\uninstall.exe
- %PROGRAM_FILES%\IncrediFind\BHO\date.txt
- %TEMP%\IncrediFindBHOLog.tmp
- <SYSTEM32>\IEDriver\td.exe
- %PROGRAM_FILES%\eXact\buttons.xml
- %PROGRAM_FILES%\Save\SETF.tmp
- %PROGRAM_FILES%\eXact\exactupdateguid.txt
- %PROGRAM_FILES%\Save\SET10.tmp
- %PROGRAM_FILES%\Save\SETE.tmp
- <SYSTEM32>\wapisvtr.exe
- %PROGRAM_FILES%\Save\SETC.tmp
- %PROGRAM_FILES%\Save\SETD.tmp
- %PROGRAM_FILES%\PurityScan\PuritySCAN.exe
Удаляет следующие файлы:
- %TEMP%\GLJ5.tmp
- %TEMP%\GLC4.tmp
- %TEMP%\GLB2.tmp
- %PROGRAM_FILES%\WhenUSearch\SET19.tmp
- %PROGRAM_FILES%\WhenUSearch\SET1B.tmp
- %TEMP%\GLK8.tmp
- %PROGRAM_FILES%\WhenUSearch\SET1F.tmp
- %PROGRAM_FILES%\IncrediFind\BHO\Tipb.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mgmt[1].htm
- <SYSTEM32>\IEDriver\vii.tty
- %TEMP%\WUSaveDf.cab
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mgmt[1].htm
- %PROGRAM_FILES%\WhenUSearch\search.cab
- %TEMP%\rs.exe
- %PROGRAM_FILES%\Save\SETB.tmp
- %PROGRAM_FILES%\Save\SETD.tmp
- %TEMP%\updaterInstall_111.exe
- %TEMP%\auf0.exe
- %TEMP%\GLGA.tmp
- %PROGRAM_FILES%\Save\SETF.tmp
- %PROGRAM_FILES%\ClockSync\SET13.tmp
- %PROGRAM_FILES%\ClockSync\SET15.tmp
- %PROGRAM_FILES%\WhenUSearch\SET17.tmp
- %PROGRAM_FILES%\Save\SET11.tmp
- %TEMP%\WUSave.cab
- %TEMP%\WUSave.inf
Сетевая активность:
Подключается к:
- 'localhost':1053
- 'localhost':1054
- 'www.ex####earchbar.com':80
- 'localhost':1052
- 'localhost':1055
- 'we#.#henu.com':80
- 'co#####.delfinproject.com':80
- 'ak###.whenu.com':80
- 'ap#.#henu.com':80
- 'www.cl###spring.net':80
- 'localhost':1040
- 'le####.psdtools.com':80
- 'localhost':1035
- 'do######.adintelligence.net':80
- 'fp.###ckspring.net':80
- 'up####.#hunderdownloads.com':80
- 'tr######.thunderdownloads.com':80
- 'localhost':1043
- 'localhost':1044
TCP:
Запросы HTTP GET:
- ak###.whenu.com/SearchDB?up#####
- www.cl###spring.net/pop4/ver2.php4?v=##############################
- ak###.whenu.com/OffersDataGZ?up#####
- we#.#henu.com/heartbeat?pr######################################################################################################################################################################
- ap#.#henu.com/SBInstall?id#####################################################################################################################################################
- tr######.thunderdownloads.com/tracker.cfm?ac##################################################################
- le####.psdtools.com/install/notify.php?pi####################################################################
- do######.adintelligence.net/apropos/client/AM.WILD/1/AproposClientInstaller.exe
- tr######.thunderdownloads.com/tracker.cfm?ac###############################################################
- www.ex####earchbar.com/toolbarinstalled.htm
- www.cl###spring.net/install/notify.php?pi###########################################################################
Запросы HTTP POST:
- up####.#hunderdownloads.com/service/mgmt.svr
UDP:
- DNS ASK ap#.#henu.com
- DNS ASK ak###.whenu.com
- DNS ASK ch#####.exactsearchbar.com
- DNS ASK www.ad##ve.com
- DNS ASK co#####.delfinproject.com
- DNS ASK mm.####inproject.com
- DNS ASK we#.#henu.com
- DNS ASK pi####.clickspring.net
- DNS ASK fp.###ckspring.net
- DNS ASK le####.psdtools.com
- DNS ASK do######.adintelligence.net
- DNS ASK up####.#hunderdownloads.com
- DNS ASK www.ex####earchbar.com
- DNS ASK www.cl###spring.net
- DNS ASK tr######.thunderdownloads.com
Другое:
Ищет следующие окна:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'WhenU_DownloadStub_1_0' WindowName: 'SYNC.EXE'
- ClassName: 'exactUserMessaging' WindowName: 'exactUserMessaging'
- ClassName: 'SysListView32' WindowName: ''
- ClassName: 'WhenUSearch' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'WhenUOffers' WindowName: ''
- ClassName: 'WhenUOffers' WindowName: 'WhenUSaveV1'
- ClassName: '' WindowName: ''
- ClassName: 'PG Stub' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
