Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CashBack' = '%PROGRAM_FILES%\CashBack\bin\cashback.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'NaviSearch' = '%PROGRAM_FILES%\NaviSearch\bin\nls.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'BullsEye Network' = '%PROGRAM_FILES%\BullsEye Network\bin\bargains.exe'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\exdl.exe 3~No
- %WINDIR%\exdl.exe 2~No
- %PROGRAM_FILES%\CashBack\bin\cashback.exe
- <SYSTEM32>\exdl2.exe 2~0
- %PROGRAM_FILES%\NaviSearch\bin\nls.exe
- %WINDIR%\nls8041_MEDIAWHIZ5.exe
- %WINDIR%\adp8043_MEDIAWHIZ5.exe
- %PROGRAM_FILES%\BullsEye Network\bin\bargains.exe
- %WINDIR%\exdl.exe 1~No
- %WINDIR%\cb8040_MEDIAWHIZ5.exe
Запускает на исполнение:
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\nvms.dll
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\mscb.dll
- %WINDIR%\explorer.exe "http://www.na###earch.net/redir/fc_install_redir.html"
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\msbe.dll
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\CashBack\icon.gif
- %PROGRAM_FILES%\CashBack\logo.gif
- %PROGRAM_FILES%\CashBack\bb_welcome1.swf
- %PROGRAM_FILES%\CashBack\blank.gif
- %PROGRAM_FILES%\CashBack\bin\flash.exe
- C:\temp\bb_click_wider.swf
- %PROGRAM_FILES%\CashBack\bin\cashback.exe
- %PROGRAM_FILES%\CashBack\bin\cb.exe
- %PROGRAM_FILES%\CashBack\flash.exe
- %PROGRAM_FILES%\CashBack\template.html
- %PROGRAM_FILES%\CashBack\cashback.exe
- %PROGRAM_FILES%\CashBack\cb.exe
- %PROGRAM_FILES%\CashBack\bb_auto_wider.swf
- %PROGRAM_FILES%\CashBack\bb_welcome.html
- %PROGRAM_FILES%\CashBack\template2.html
- %PROGRAM_FILES%\CashBack\bb_click_wider.swf
- C:\temp\bb_auto_wider.swf
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\webservice[1].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\webservice[1].main
- %PROGRAM_FILES%\NaviSearch\t1348542578.dec
- <SYSTEM32>\exdl2.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\webservice[2].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\webservice[2].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\webservice[1].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\webservice[1].main
- C:\temp\blank.gif
- C:\temp\icon.gif
- C:\temp\bb_welcome.html
- C:\temp\bb_welcome1.swf
- %PROGRAM_FILES%\CashBack\Uninstall.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\fc_install_redir[1].html
- C:\temp\logo.gif
- <SYSTEM32>\mscb.dll
- %PROGRAM_FILES%\CashBack\mscb.dll
- <SYSTEM32>\exclean.exe
- %WINDIR%\adp8043_MEDIAWHIZ5.exe
- <SYSTEM32>\bbchk.exe
- %WINDIR%\exclean.exe
- %PROGRAM_FILES%\BullsEye Network\adv.exe
- %PROGRAM_FILES%\BullsEye Network\adx.exe
- %TEMP%\nsx4.tmp
- %PROGRAM_FILES%\BullsEye Network\bargains.exe
- %WINDIR%\exul.exe
- %WINDIR%\bbchk.exe
- %TEMP%\nsi2.tmp
- %WINDIR%\exdl.exe
- <SYSTEM32>\exul.exe
- <SYSTEM32>\javexulm.vxd
- <SYSTEM32>\exdl.exe
- <SYSTEM32>\mqexdlm.srg
- %PROGRAM_FILES%\BullsEye Network\msbe.dll
- %PROGRAM_FILES%\NaviSearch\bin\nls.exe
- %PROGRAM_FILES%\NaviSearch\ad.dat
- %PROGRAM_FILES%\NaviSearch\nls.exe
- %PROGRAM_FILES%\NaviSearch\ad-nls.dat
- %WINDIR%\cb8040_MEDIAWHIZ5.exe
- %TEMP%\nsm8.tmp
- <SYSTEM32>\nvms.dll
- %PROGRAM_FILES%\NaviSearch\Uninstall.exe
- %PROGRAM_FILES%\BullsEye Network\bin\adx.exe
- <SYSTEM32>\msbe.dll
- %PROGRAM_FILES%\BullsEye Network\bin\bargains.exe
- %PROGRAM_FILES%\BullsEye Network\bin\adv.exe
- %TEMP%\nsy6.tmp
- %PROGRAM_FILES%\NaviSearch\nvms.dll
- %PROGRAM_FILES%\BullsEye Network\Uninstall.exe
- %WINDIR%\nls8041_MEDIAWHIZ5.exe
Удаляет следующие файлы:
- %PROGRAM_FILES%\CashBack\flash.exe
- %WINDIR%\cb8040_MEDIAWHIZ5.exe
- %PROGRAM_FILES%\CashBack\cashback.exe
- %PROGRAM_FILES%\CashBack\cb.exe
- %WINDIR%\exdl.exe
- %WINDIR%\exclean.exe
- %PROGRAM_FILES%\NaviSearch\t1348542578.dec
- %WINDIR%\exul.exe
- %WINDIR%\bbchk.exe
- %PROGRAM_FILES%\CashBack\mscb.dll
- %PROGRAM_FILES%\BullsEye Network\adv.exe
- %PROGRAM_FILES%\BullsEye Network\adx.exe
- %PROGRAM_FILES%\BullsEye Network\msbe.dll
- %PROGRAM_FILES%\BullsEye Network\bargains.exe
- %WINDIR%\adp8043_MEDIAWHIZ5.exe
- %PROGRAM_FILES%\NaviSearch\ad-nls.dat
- %WINDIR%\nls8041_MEDIAWHIZ5.exe
- %PROGRAM_FILES%\NaviSearch\nvms.dll
- %PROGRAM_FILES%\NaviSearch\nls.exe
Перемещает следующие файлы:
- %WINDIR%\exul.exe в <SYSTEM32>\javexulm.vxd
- %WINDIR%\exdl.exe в <SYSTEM32>\mqexdlm.srg
Сетевая активность:
Подключается к:
- 'se#####.bargain-buddy.net':80
- 'www.na###earch.net':80
- 'localhost':1036
TCP:
Запросы HTTP GET:
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve##############################################
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve###################################################
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve#####################################################################
- www.na###earch.net/redir/fc_install_redir.html
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve##################################
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve##################################################
UDP:
- DNS ASK se#####.bargain-buddy.net
- DNS ASK www.na###earch.net
Другое:
Ищет следующие окна:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'cashback_wnd_class' WindowName: 'cashback module'
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'nls_wnd_class' WindowName: 'nls module'
- ClassName: 'adp_wnd_class' WindowName: 'adp module'
- ClassName: 'adp_wnd_class' WindowName: 'adp'
- ClassName: '' WindowName: 'adp module'
- ClassName: '' WindowName: ''
