Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- %APPDATA%\microsoft\windows\start menu\programs\startup\desktop.ini
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\byВЈВєMoYan] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\byВЈВєMoYan] 'ImagePath' = '%ProgramFiles(x86)%\NetMeeting\MoYan.exe -auto'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\QAssist] 'Start' = '00000001'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\QAssist] 'ImagePath' = 'system32\DRIVERS\QAssist.sys'
Создает следующие сервисы
- 'byВЈВєMoYan' %ProgramFiles(x86)%\NetMeeting\MoYan.exe -auto
Вредоносные функции
Регистрирует фильтр файловой системы
- [<HKLM>\SYSTEM\CurrentControlSet\Services\QAssist] 'Group' = 'FSFilter Activity Monitor'
Изменения в файловой системе
Создает следующие файлы
- C:\¸¨öú²å¼þ.vmp.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\~ictures.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\music\playlists\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\links\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\saved games\desktop.ini
- %APPDATA%\microsoft\windows\libraries\~usic.tmp
- %LOCALAPPDATA%\microsoft\windows sidebar\gadgets\desktop.ini
- %APPDATA%\microsoft\windows\libraries\~ideos.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\~ideos.tmp
- %APPDATA%\microsoft\windows\libraries\~ocuments.tmp
- %APPDATA%\microsoft\windows\libraries\~ictures.tmp
- %HOMEPATH%\music\playlists\desktop.ini
- <DRIVERS>\qassist.sys
- nul
- %WINDIR%\temp\udd82c6.tmp
- %WINDIR%\temp\udd8bcb.tmp
- %WINDIR%\temp\udd93b8.tmp
- %WINDIR%\temp\udd9b96.tmp
- %WINDIR%\syswow64\config\systemprofile\downloads\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\pictures.library-ms
- %WINDIR%\syswow64\config\systemprofile\pictures\slide shows\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\recent\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\~ocuments.tmp
- %WINDIR%\syswow64\config\systemprofile\searches\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\music\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\music.library-ms
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\~usic.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\burn\burn\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\videos\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows sidebar\gadgets\desktop.ini
- %WINDIR%\temp\udda373.tmp
- %HOMEPATH%\pictures\slide shows\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\videos.library-ms
- %WINDIR%\syswow64\config\systemprofile\desktop\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\contacts\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\favorites\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\documents\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\documents.library-ms
- %ProgramFiles(x86)%\netmeeting\moyan.exe
- %WINDIR%\syswow64\config\systemprofile\pictures\desktop.ini
- %WINDIR%\temp\uddab51.tmp
Присваивает атрибут 'скрытый' для следующих файлов
- %ProgramFiles(x86)%\netmeeting\moyan.exe
- %WINDIR%\syswow64\config\systemprofile\saved games\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\links\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\music\playlists\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\downloads\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\pictures\slide shows\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\recent\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\documents\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini
- %HOMEPATH%\pictures\slide shows\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\favorites\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\contacts\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\desktop\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\pictures\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\videos\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\burn\burn\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\music\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\searches\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\desktop.ini
- %HOMEPATH%\music\playlists\desktop.ini
Удаляет следующие файлы
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\music.library-ms~rf111776.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows sidebar\gadgets\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\videos.library-ms~rf1117b4.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\documents.library-ms~rf111831.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\pictures.library-ms~rf11186f.tmp
- %LOCALAPPDATA%\microsoft\windows sidebar\gadgets\desktop.ini
- C:\¸¨öú²å¼þ.vmp.exe
- %WINDIR%\temp\udd82c6.tmp
- %WINDIR%\temp\udd8bcb.tmp
- %WINDIR%\temp\udd93b8.tmp
- %WINDIR%\temp\udd9b96.tmp
- %WINDIR%\temp\udda373.tmp
- %WINDIR%\temp\uddab51.tmp
Перемещает следующие файлы
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\music.library-ms в %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\music.library-ms~rf111776.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\videos.library-ms в %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\videos.library-ms~rf1117b4.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\documents.library-ms в %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\documents.library-ms~rf111831.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\pictures.library-ms в %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\pictures.library-ms~rf11186f.tmp
- %APPDATA%\microsoft\windows\libraries\music.library-ms в %APPDATA%\microsoft\windows\libraries\music.library-ms~rf114ae4.tmp
- %APPDATA%\microsoft\windows\libraries\videos.library-ms в %APPDATA%\microsoft\windows\libraries\videos.library-ms~rf114b52.tmp
- %APPDATA%\microsoft\windows\libraries\documents.library-ms в %APPDATA%\microsoft\windows\libraries\documents.library-ms~rf114e2f.tmp
- %APPDATA%\microsoft\windows\libraries\pictures.library-ms в %APPDATA%\microsoft\windows\libraries\pictures.library-ms~rf114f09.tmp
Подменяет следующие файлы
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\music.library-ms
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows sidebar\gadgets\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\videos.library-ms
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\documents.library-ms
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\libraries\pictures.library-ms
- %APPDATA%\Microsoft\Windows\Libraries\Music.library-ms
- %LOCALAPPDATA%\microsoft\windows sidebar\gadgets\desktop.ini
- %APPDATA%\Microsoft\Windows\Libraries\Videos.library-ms
- %APPDATA%\Microsoft\Windows\Libraries\Documents.library-ms
- %APPDATA%\Microsoft\Windows\Libraries\Pictures.library-ms
Сетевая активность
Подключается к
- 'qf#####.e2.luyouxia.net':21916
TCP
Запросы HTTP GET
- http://oc##.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
- http://cr#.##gicert-cn.com/DigiCertGlobalRootCA.crl
- http://oc##.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEAwtSTyr9trhFPATtO4r7Y0%3D
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK sh###.weiyun.com
- DNS ASK oc##.dcocsp.cn
- DNS ASK cr#.##gicert-cn.com
- DNS ASK microsoft.com
- DNS ASK qf#####.e2.luyouxia.net
Другое
Создает и запускает на исполнение
- 'C:\¸¨öú²å¼þ.vmp.exe'
- '%ProgramFiles(x86)%\netmeeting\moyan.exe' -auto
- '%ProgramFiles(x86)%\netmeeting\moyan.exe' -acsi
- '%WINDIR%\syswow64\cmd.exe' /c ping -n 2 127.0.0.1 > nul && del C:\VMP~1.EXE > nul' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c ping -n 2 127.0.0.1 > nul && del C:\VMP~1.EXE > nul
- '%WINDIR%\syswow64\ping.exe' -n 2 127.0.0.1
