Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARWSRVC.EXE] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EconSer.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAYCSER.EXE] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmapp.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\macompatsvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfemactl.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\macmnsvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdredline.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpsus.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CyveraService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tlaservice.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cyserver.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dsa.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ds_monitor.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ntrtscan.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmCCSF.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmListen.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quhlpsvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAPISSVC.EXE] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EMLPROXY.EXE] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlinent.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MBAMService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\epag.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EPIntegrationService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServiceShell.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfemms.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EPProtectedService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EPUpdateService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klnagent.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavfswh.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavfs.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavfsgt.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opssvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EPSecurityService.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notifier.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\net.exe' stop KAVFS
- '<SYSTEM32>\net.exe' stop kavfsslp
- '<SYSTEM32>\net.exe' stop klnagent
- '<SYSTEM32>\net.exe' stop KAVFSGT
- '<SYSTEM32>\net.exe' stop epag
- '<SYSTEM32>\net.exe' stop EPIntegrationService
- '<SYSTEM32>\net.exe' stop EPProtectedService
- '<SYSTEM32>\net.exe' stop EPRedline
- '<SYSTEM32>\net.exe' stop EPSecurityService
- '<SYSTEM32>\net.exe' stop EPUpdateService
Изменения в файловой системе
Самоперемещается
- из <Полный путь к файлу> в <SYSTEM32>\__849541961_621889491
Другое
Запускает на исполнение
- '<SYSTEM32>\net1.exe' stop KAVFS
- '<SYSTEM32>\net1.exe' stop EPSecurityService
- '<SYSTEM32>\net1.exe' stop EPRedline
- '<SYSTEM32>\net1.exe' stop EPUpdateService
- '<SYSTEM32>\net1.exe' stop kavfsslp
- '<SYSTEM32>\net1.exe' stop KAVFSGT
- '<SYSTEM32>\net1.exe' stop epag
- '<SYSTEM32>\net1.exe' stop EPProtectedService
- '<SYSTEM32>\net1.exe' stop EPIntegrationService
- '<SYSTEM32>\net1.exe' stop klnagent
