Техническая информация
Вредоносные функции
Устанавливает процедуры перхвата сообщений
о нажатии клавиш клавиатуры:
- Библиотека-обработчик для всех процессов: <Текущая директория>\cfgdll.dll
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\ad-mymacro9.xml
- %WINDIR%\devilking\ºúé«a.bmp
- %WINDIR%\devilking\³à é«a.bmp
- %WINDIR%\devilking\³èé«a.bmp
- %WINDIR%\devilking\°×é«a.bmp
- %WINDIR%\devilking\3ВјВ¶c.bmp
- %WINDIR%\devilking\3ВјВ¶b.bmp
- %WINDIR%\devilking\»æé«a.bmp
- %WINDIR%\devilking\3ВјВ¶a.bmp
- %WINDIR%\devilking\4ВјВ¶b.bmp
- %WINDIR%\devilking\4ВјВ¶a.bmp
- %WINDIR%\devilking\µà ×úa.bmp
- %WINDIR%\devilking\ГіГІГ Вa.bmp
- %WINDIR%\devilking\ГЇГўГ Вb.bmp
- %WINDIR%\devilking\ГЇГўГ Вa.bmp
- %WINDIR%\devilking\4ВјВ¶c.bmp
- %WINDIR%\devilking\»òé«a.bmp
- %WINDIR%\devilking\à ¶é«a.bmp
- %WINDIR%\devilking\âìé«a.bmp
- %WINDIR%\devilking\ðþâþa.bmp
- %WINDIR%\devilking\ðþâþ.bmp
- %WINDIR%\devilking\npc.bmp
- %WINDIR%\devilking\Г—ГЇГЇВј.bmp
- %WINDIR%\devilking\îò¿õ.bmp
- %WINDIR%\devilking\В№ГјВјГІ.bmp
- %WINDIR%\devilking\Г±Г¶Гõµðc.bmp
- %WINDIR%\devilking\da168.bmp
- %WINDIR%\devilking\ВґГіb.bmp
- %WINDIR%\devilking\µ¤b.bmp
- %WINDIR%\devilking\Г±В§ГВЅb.bmp
- %WINDIR%\devilking\èîîñ×ö¿â.txt
- %WINDIR%\devilking\îäîä×´ôª.bmp
- %WINDIR%\devilking\×ïé«a.bmp
- %WINDIR%\devilking\çà é«a.bmp
- %WINDIR%\devilking\è·¶¨.bmp
- %WINDIR%\devilking\ìì¹ù.bmp
- %WINDIR%\devilking\áéæø²»×ã.bmp
- %WINDIR%\devilking\da156.bmp
- %WINDIR%\devilking\óäáéa.bmp
- %WINDIR%\devilking\ò°¹Гb.bmp
- %WINDIR%\devilking\âòò©×ö¿â.txt
- %WINDIR%\devilking\×øæï²»¹».bmp
- %WINDIR%\devilking\µà ×ú.bmp
- %WINDIR%\devilking\ò½×øæïa.bmp
- %WINDIR%\devilking\´ò¹öµäa.bmp
- %WINDIR%\devilking\ò½á鱦.bmp
- %WINDIR%\devilking\Г±В§ГВЅa.bmp
- %WINDIR%\devilking\·ëìú½³b.bmp
- %WINDIR%\devilking\·ëìú½³a.bmp
- %WINDIR%\devilking\Г±ВЄ1.bmp
- %WINDIR%\devilking\Г±ВЄ3.bmp
- %WINDIR%\devilking\Г±ВЄ2.bmp
- %WINDIR%\devilking\ò½×øæï.bmp
- %WINDIR%\devilking\î×ò½.bmp
- %WINDIR%\devilking\ê²ã´ò²²»×ö.bmp
- %WINDIR%\devilking\î×ò½a.bmp
- %WINDIR%\devilking\ВіВІГ±ВЁ.bmp
- %WINDIR%\devilking\æõ.bmp
- %WINDIR%\devilking\В±Вї.bmp
- %WINDIR%\devilking\ГЈГґ.bmp
- %WINDIR%\devilking\ВјВ±.bmp
- %WINDIR%\devilking\»ðê¯×öa.bmp
- %WINDIR%\devilking\»ðê¯×ö.bmp
- %WINDIR%\devilking\µäa.bmp
- %WINDIR%\devilking\Г—Вґ.bmp
- %WINDIR%\devilking\æç.bmp
- %WINDIR%\devilking\Ȑ.bmp
- %WINDIR%\devilking\îä.bmp
- %WINDIR%\devilking\õæôª×ö¿â.txt
- %WINDIR%\devilking\á鱦ã».bmp
- %WINDIR%\devilking\В№ГёВ±Гµb.bmp
- %WINDIR%\devilking\alarm.mp3
- %WINDIR%\devilking\èîîñ꧰ü.bmp
- %WINDIR%\devilking\ðþâþb.bmp
- %WINDIR%\devilking\2ВјВ¶a.bmp
- %WINDIR%\devilking\В·Г»25.bmp
- %WINDIR%\devilking\В·Г»24.bmp
- %WINDIR%\devilking\В·Г»23.bmp
- %WINDIR%\devilking\В·Г»22.bmp
- %WINDIR%\devilking\В·Г»21.bmp
- %WINDIR%\devilking\В·Г»20.bmp
- %WINDIR%\devilking\В·Г»27.bmp
- %WINDIR%\devilking\В·Г»26.bmp
- %WINDIR%\devilking\В·Г»16.bmp
- %WINDIR%\devilking\В·Г»15.bmp
- %WINDIR%\devilking\В·Г»14.bmp
- %WINDIR%\devilking\В·Г»13.bmp
- %WINDIR%\devilking\В·Г»12.bmp
- %WINDIR%\devilking\В·Г»11.bmp
- %WINDIR%\devilking\В·Г»19.bmp
- %WINDIR%\devilking\°×é«.bmp
- %WINDIR%\devilking\В·Г»28.bmp
- %WINDIR%\devilking\В·Г»18.bmp
- %WINDIR%\devilking\»·û×ö¿â.txt
- %WINDIR%\devilking\В·Г».bmp
- %WINDIR%\devilking\öø»В.bmp
- %WINDIR%\devilking\ГГЄВіГ©.bmp
- %WINDIR%\devilking\В·Г»39.bmp
- %WINDIR%\devilking\В·Г»38.bmp
- %WINDIR%\devilking\В·Г»37.bmp
- %WINDIR%\devilking\В·Г»36.bmp
- %WINDIR%\devilking\В·Г»35.bmp
- %WINDIR%\devilking\В·Г»34.bmp
- %WINDIR%\devilking\В·Г»33.bmp
- %WINDIR%\devilking\В·Г»32.bmp
- %WINDIR%\devilking\В·Г»31.bmp
- %WINDIR%\devilking\В·Г»30.bmp
- %WINDIR%\devilking\В·Г»10.bmp
- %WINDIR%\devilking\В·Г»17.bmp
- %WINDIR%\devilking\²¶×½a.bmp
- %WINDIR%\devilking\haoi.dll
- %WINDIR%\devilking\В·Г»7.bmp
- %WINDIR%\devilking\2ВјВ¶b.bmp
- %WINDIR%\devilking\ºúé«c.bmp
- %WINDIR%\devilking\³à é«c.bmp
- %WINDIR%\devilking\³èé«c.bmp
- %WINDIR%\devilking\°×é«c.bmp
- %WINDIR%\devilking\2ВјВ¶c.bmp
- %WINDIR%\devilking\âìé«c.bmp
- %WINDIR%\devilking\»òé«c.bmp
- %WINDIR%\devilking\à ¶é«c.bmp
- %WINDIR%\devilking\В№ГёВ±Гµ1.bmp
- %WINDIR%\devilking\1ВјВ¶c.bmp
- %WINDIR%\devilking\1ВјВ¶b.bmp
- %WINDIR%\devilking\1ВјВ¶a.bmp
- %WINDIR%\devilking\-.bmp
- %WINDIR%\devilking\В№ГёВ±Гµ2.bmp
- %WINDIR%\devilking\çà é«c.bmp
- %WINDIR%\devilking\В·Г»6.bmp
- %WINDIR%\devilking\В·Г»8.bmp
- %WINDIR%\devilking\»æé«c.bmp
- %WINDIR%\devilking\В·Г»5.bmp
- %WINDIR%\devilking\В·Г»4.bmp
- %WINDIR%\devilking\В·Г»3.bmp
- %WINDIR%\devilking\В·Г»2.bmp
- %WINDIR%\devilking\В·Г»1.bmp
- %WINDIR%\devilking\·ûîä.ini
- %WINDIR%\devilking\³¤°²ê¹õß.bmp
- %WINDIR%\devilking\µä.bmp
- %WINDIR%\devilking\ГґВЄ.bmp
- %WINDIR%\devilking\В·ВЎ.bmp
- %WINDIR%\devilking\В№ВєГўГІ.bmp
- %WINDIR%\devilking\¸ß¼¶æì×ó.bmp
- %WINDIR%\devilking\da176.bmp
- %WINDIR%\devilking\×ïé«c.bmp
- %WINDIR%\devilking\В·Г»9.bmp
- %WINDIR%\devilking\µ¤çà éúb.bmp
- %WINDIR%\devilking\µ¤çà éúa.bmp
- %WINDIR%\devilking\Г±Г¶Гõµðb.bmp
- %WINDIR%\devilking\º£µ×èý.bmp
- %WINDIR%\devilking\±ùðüµ¨.bmp
- %WINDIR%\devilking\ò©µê.bmp
- %WINDIR%\devilking\áúæß.bmp
- %WINDIR%\devilking\¹»êýáë.bmp
- %WINDIR%\devilking\°ùêþáéГГЁ.bmp
- %WINDIR%\devilking\·½´çé½.bmp
- %WINDIR%\devilking\ò°¹Г.bmp
- %WINDIR%\devilking\óäáé.bmp
- %WINDIR%\devilking\±êö¾.bmp
- %WINDIR%\devilking\µà ê¿.bmp
- %WINDIR%\devilking\²¶×½.bmp
- %WINDIR%\devilking\´óìæ±ß¾³.bmp
- %WINDIR%\devilking\µøóüò».bmp
- %WINDIR%\devilking\´ó»¹µ¤.bmp
- %WINDIR%\devilking\µ¤¹ðГГЁ.bmp
- %WINDIR%\devilking\µøóüãô¹¬.bmp
- %WINDIR%\devilking\Г—ГЇГЄВЇГіВў.bmp
- %WINDIR%\devilking\ò©²ä.bmp
- %WINDIR%\devilking\ðå깶þ.bmp
- %WINDIR%\devilking\ðåê¹.bmp
- %WINDIR%\devilking\ïëâòµã.bmp
- %WINDIR%\devilking\áçñò½ç.bmp
- %WINDIR%\devilking\áéòГììïã.bmp
- %WINDIR%\devilking\ВїВЄГЄВјВ·Г ГіГ№.bmp
- %WINDIR%\devilking\½ð´´ò©.bmp
- %WINDIR%\devilking\ºúóñ¼ìðø¸à .bmp
- %WINDIR%\devilking\»¹áéë®.bmp
- %WINDIR%\devilking\В№Г×åê¹õß.bmp
- %WINDIR%\devilking\¹ééñé¢.bmp
- %WINDIR%\devilking\·çë®»ìôªµ¤.bmp
- %WINDIR%\devilking\¶¨éñïã.bmp
- %WINDIR%\devilking\èë×åê¹õß.bmp
- %WINDIR%\devilking\Г«ГГІВ©.bmp
- %WINDIR%\devilking\âö»øë¾.bmp
- %WINDIR%\devilking\¸ß¼¶ë«èëГВҐГґВє.bmp
- %APPDATA%\qmacro\shield\shield.ini
- %APPDATA%\qmacro\shield\sd004.dat
- %APPDATA%\qmacro\shield\sd003.dat
- %APPDATA%\qmacro\shield\sd002.dat
- %APPDATA%\qmacro\shield\sd001.dat
- %APPDATA%\qmacro\shield\sd000.dat
- %TEMP%\ad-mymacro9.xml.tmp
- %TEMP%\24245ae.tmp
- %TEMP%\mac198c.tmp.qtmp
- %TEMP%\mac198b.tmp
- %APPDATA%\mymacro\qdisp.dll
- <Текущая директория>\shieldmodule.dat
- <Текущая директория>\cfgdll.dll
- %TEMP%\adcon\mm\tmpad.xml
- %TEMP%\plugin.zip
- %WINDIR%\devilking\´æ¿î.bmp
- %WINDIR%\devilking\¸ß¼¶ëñë÷.bmp
- %WINDIR%\devilking\¿ìëГîòè¥.bmp
- %WINDIR%\devilking\·üôëçù.bmp
- %WINDIR%\devilking\ГўГГЈГ¦.bmp
- %WINDIR%\devilking\ëïîò¿õ.bmp
- %WINDIR%\devilking\ö°òµèîîñ.bmp
- %WINDIR%\devilking\èîîñà ¸.bmp
- %WINDIR%\devilking\õæôª.bmp
- %WINDIR%\devilking\ГґВєГ—Гі.bmp
- %WINDIR%\devilking\В№ГёВ±Гµ.bmp
- %WINDIR%\devilking\ôó»õµê.bmp
- %WINDIR%\devilking\ꦹ±.bmp
- %WINDIR%\devilking\×öºãáë.bmp
- %WINDIR%\devilking\ГІВј.bmp
- %WINDIR%\devilking\öøðâ×öâ·±ê.bmp
- %WINDIR%\devilking\³¤°².bmp
- %WINDIR%\devilking\ГВҐГґВє.bmp
- %WINDIR%\devilking\à 뿪.bmp
- %WINDIR%\devilking\ô¬ììî¸.bmp
- %WINDIR%\devilking\°áà ´¹ú.bmp
- %WINDIR%\devilking\±±¾ãâ«öþ.bmp
- %WINDIR%\devilking\³¤°²çå.bmp
- %WINDIR%\devilking\µãµ½õæôª.bmp
- %WINDIR%\devilking\ГўГҐГ±ГґВіГ§.bmp
- %WINDIR%\devilking\ГўГҐГ±Гґ.bmp
- %WINDIR%\devilking\´ó³¤°².bmp
- %WINDIR%\devilking\ВґГіГўГҐГ±Гґ.bmp
- %WINDIR%\devilking\´óµøГВј.bmp
- %WINDIR%\devilking\ôªµäa.bmp
- %WINDIR%\devilking\³¤êù´å.bmp
- %WINDIR%\devilking\ôªµä.bmp
- %WINDIR%\devilking\ì칬.bmp
- %WINDIR%\devilking\ìá¸ß.bmp
- %WINDIR%\devilking\îòòª×¡µê.bmp
- %WINDIR%\devilking\¾æµêà ï°å.bmp
- %WINDIR%\devilking\×ïé«b.bmp
- %WINDIR%\devilking\Г—ГёВ±ГЄ.bmp
- %WINDIR%\devilking\В№ГёВ±Гµa.bmp
- %WINDIR%\devilking\Г±Г¶Гõµða.bmp
- %WINDIR%\devilking\çà é«b.bmp
- %WINDIR%\devilking\à ¶é«b.bmp
- %WINDIR%\devilking\ВґГіГЇГЈГіГ±e.bmp
- %WINDIR%\devilking\ВґГіГЇГЈГіГ±d.bmp
- %WINDIR%\devilking\ВґГіГЇГЈГіГ±c.bmp
- %WINDIR%\devilking\ВґГіГЇГЈГіГ±b.bmp
- %WINDIR%\devilking\ВґГіГЇГЈГіГ±a.bmp
- %WINDIR%\devilking\ê¤ììô¥b.bmp
- %WINDIR%\devilking\ê¤ììô¥a.bmp
- %WINDIR%\devilking\¼öóðç®b.bmp
- %WINDIR%\devilking\¼öóðç®a.bmp
- %WINDIR%\devilking\ºî´óà ×a.bmp
- %WINDIR%\devilking\´þîþãßa.bmp
- %WINDIR%\devilking\ìú½³îý.bmp
- %WINDIR%\devilking\ºî´þ.bmp
- %WINDIR%\devilking\¶ô»°.bmp
- %WINDIR%\devilking\´ò¹öµä.bmp
- %WINDIR%\devilking\âìé«b.bmp
- %WINDIR%\devilking\»òé«b.bmp
- %WINDIR%\devilking\ВґГіВґГіГГµ.bmp
- %WINDIR%\devilking\ìóåü.bmp
- %WINDIR%\devilking\Г—ГёВ±ГЄ.txt
- %WINDIR%\devilking\ГЄГ№.bmp
- %WINDIR%\devilking\ГЇГЈ.bmp
- %WINDIR%\devilking\ВЅГўГЇГЈ.bmp
- %WINDIR%\devilking\regdll.dll
- %WINDIR%\devilking\dm.dll
- %WINDIR%\devilking\ê¨×ó¶´.bmp
- %WINDIR%\devilking\Г—ВґГґВЄa.bmp
- %WINDIR%\devilking\Г ВҐГўГёВѕВµ.bmp
- %WINDIR%\devilking\èîîñ°ü.bmp
- %WINDIR%\devilking\翵á.bmp
- %WINDIR%\devilking\¸«÷°ï.bmp
- %WINDIR%\devilking\½ðöçµî.bmp
- %WINDIR%\devilking\à îêà ãñ.bmp
- %WINDIR%\devilking\ВґГҐГГў.bmp
- %WINDIR%\devilking\В·Г»29.bmp
- %WINDIR%\devilking\Г—ВґГґВЄb.bmp
- %WINDIR%\devilking\³à é«.bmp
- %WINDIR%\devilking\îä²é²»´Г.bmp
- %WINDIR%\devilking\»æé«b.bmp
- %WINDIR%\devilking\ºúé«b.bmp
- %WINDIR%\devilking\³à é«b.bmp
- %WINDIR%\devilking\³èé«b.bmp
- %WINDIR%\devilking\°×é«b.bmp
- %WINDIR%\devilking\ò°¹Гa.bmp
- %WINDIR%\devilking\ВЅГЇГЎВїВЅГЇГЎВї.bmp
- %WINDIR%\devilking\×ïé«.bmp
- %WINDIR%\devilking\çà é«.bmp
- %WINDIR%\devilking\âìé«.bmp
- %WINDIR%\devilking\à ¶é«.bmp
- %WINDIR%\devilking\»òé«.bmp
- %WINDIR%\devilking\»æé«.bmp
- %WINDIR%\devilking\ºúé«.bmp
- %WINDIR%\devilking\³èé«.bmp
- %WINDIR%\devilking\ê«îä×ö¿â.txt
Удаляет следующие файлы
- %TEMP%\adcon\mm\tmpad.xml
- %TEMP%\plugin.zip
- <Текущая директория>\shieldmodule.dat
Перемещает следующие файлы
- %TEMP%\ad-mymacro9.xml.tmp в %TEMP%\ad-mymacro9.xml
Сетевая активность
TCP
Запросы HTTP GET
- http://so##.anjian.com/V2014V2/Config/ad-mymacro.xml
- http://do##.#rbrothers.com/qmacro/up_mymacro/liveupdate8.dat
- http://hi.###rothers.com/xjl/mmcount.aspx?mm#####################################################################################################################################################...
- http://hm.##idu.com/hm.js?82##############################
- http://hm.##idu.com/hm.gif?cc################################################################################################################################################
- http://hm.##idu.com/hm.gif?cc###########################################################################################################################################################
UDP
- DNS ASK so##.anjian.com
- DNS ASK do##.#rbrothers.com
- DNS ASK hi.###rothers.com
- DNS ASK hm.##idu.com
Другое
Ищет следующие окна
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
