Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\TotalVNC_srv] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\TotalVNC_srv] 'ImagePath' = '"%ProgramFiles%\TotalVNC4\tvncserver.exe" -service'
- [<HKLM>\System\CurrentControlSet\Services\TotalVNC_tun] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\TotalVNC_tun] 'ImagePath' = '"%ProgramFiles%\TotalVNC4\tvncsmgr.exe"'
Создает следующие сервисы
- 'TotalVNC_srv' "%ProgramFiles%\TotalVNC4\tvncserver.exe" -service
- 'TotalVNC_tun' "%ProgramFiles%\TotalVNC4\tvncsmgr.exe"
- 'TotalVNC_tun' %ProgramFiles%\TotalVNC4\tvncsmgr.exe
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="TotalVNC_PORTS_IN" dir=IN action=allow protocol=TCP localport=3379,3369,27,57,79,89,26 profile=any enable=yes
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="TotalVNC_PORTS_OUT" dir=OUT action=allow protocol=TCP localport=3379,3369,3389,27,57,79,89,26,443,80 profile=any enable=yes
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\aut495e.tmp
- %ProgramFiles%\totalvnc4\totalvnc4_gui_bg.jpg
- %TEMP%\auta127.tmp
- %ProgramFiles%\totalvnc4\totalvnc4_gui.png
- %TEMP%\auta116.tmp
- %ProgramFiles%\totalvnc4\tvnc4uninstall.exe
- %TEMP%\auta098.tmp
- %ProgramFiles%\totalvnc4\install_key.reg
- %TEMP%\auta059.tmp
- %ProgramFiles%\totalvnc4\tvncsas64.exe
- %TEMP%\aut9fdb.tmp
- %ProgramFiles%\totalvnc4\tvncsmgr.exe
- %TEMP%\aut9f7d.tmp
- %ProgramFiles%\totalvnc4\tvncscacl.exe
- %TEMP%\aut9f5c.tmp
- %ProgramFiles%\totalvnc4\nterr10.dll
- %ProgramFiles%\totalvnc4\tunelinksrv.exe
- %TEMP%\aut9f3c.tmp
- %TEMP%\auta147.tmp
- %ProgramFiles%\totalvnc4\tvncperm.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\local\putty.rnd
- %ProgramFiles%\totalvnc4\idtest.log
- %ProgramFiles%\totalvnc4\port.log
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\totalvnc4\uninstall totalvnc.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\totalvnc4\totalvnc.lnk
- C:\users\public\desktop\totalvnc.lnk
- %ProgramFiles%\totalvnc4\day.log
- %ProgramFiles%\totalvnc4\uuid.log
- %ProgramFiles%\totalvnc4\tvncviewer.exe
- %ProgramFiles%\totalvnc4\tvncpass2.dll
- %ProgramFiles%\totalvnc4\tvncpass1.dll
- %TEMP%\auta234.tmp
- %TEMP%\auta214.tmp
- %ProgramFiles%\totalvnc4\lang.ini
- %ProgramFiles%\totalvnc4\totalvnc4_gui.visualelementsmanifest.xml
- %TEMP%\auta1f4.tmp
- %TEMP%\aut9ede.tmp
- %ProgramFiles%\totalvnc4\tunelinkgui.exe
- %TEMP%\aut9e60.tmp
- %TEMP%\aut9456.tmp
- %ProgramFiles%\totalvnc4\totalvnc.ini
- %TEMP%\aut9446.tmp
- %ProgramFiles%\totalvnc4\tvncpgen.exe
- %TEMP%\aut9435.tmp
- %ProgramFiles%\totalvnc4\sas.dll
- %TEMP%\aut934a.tmp
- %ProgramFiles%\totalvnc4\sessiontime.log
- %ProgramFiles%\totalvnc4\clientname.authistory
- %ProgramFiles%\totalvnc4\version.log
- %ProgramFiles%\totalvnc4\tuneport.exe
- %TEMP%\aut8bf9.tmp
- %WINDIR%\permtesttvnc
- %HOMEPATH%\totalvnc4temp\tvncsetup.exe
- %TEMP%\aut9467.tmp
- %ProgramFiles%\totalvnc4\ddengine.dll
- %ProgramFiles%\totalvnc4\options.vnc
- %TEMP%\aut94c6.tmp
- %ProgramFiles%\totalvnc4\totalvnc4_screenlook.exe
- %ProgramFiles%\totalvnc4\vnchooks.dll
- %TEMP%\aut9dc3.tmp
- %ProgramFiles%\totalvnc4\totalvnc4_screenlook_bg.jpg
- %TEMP%\aut996e.tmp
- %ProgramFiles%\totalvnc4\totalvnc4_gui.exe
- %TEMP%\aut98d1.tmp
- %ProgramFiles%\totalvnc4\tvncservice.exe
- %ProgramFiles%\totalvnc4\uuid.dll
- %ProgramFiles%\totalvnc4\portgui.log
- %TEMP%\aut97b6.tmp
- %ProgramFiles%\totalvnc4\tvncserver.exe
- %TEMP%\aut9555.tmp
- %ProgramFiles%\totalvnc4\tvnchelp.chm
- %TEMP%\aut9516.tmp
- %ProgramFiles%\totalvnc4\schook.dll
- %TEMP%\aut94d6.tmp
- %TEMP%\aut9863.tmp
- %ProgramFiles%\totalvnc4\checkconstate.log
Удаляет следующие файлы
- %TEMP%\aut495e.tmp
- %TEMP%\aut9ede.tmp
- %TEMP%\aut9f3c.tmp
- %TEMP%\aut9f5c.tmp
- %TEMP%\aut9f7d.tmp
- %TEMP%\aut9fdb.tmp
- %TEMP%\auta059.tmp
- %TEMP%\auta116.tmp
- %ProgramFiles%\totalvnc4\install_key.reg
- %TEMP%\auta127.tmp
- %TEMP%\auta147.tmp
- %TEMP%\auta1f4.tmp
- %TEMP%\auta214.tmp
- %TEMP%\auta234.tmp
- %ProgramFiles%\totalvnc4\uuid.log
- %TEMP%\aut9e60.tmp
- %TEMP%\auta098.tmp
- %TEMP%\aut9dc3.tmp
- %TEMP%\aut9456.tmp
- %TEMP%\aut8bf9.tmp
- %ProgramFiles%\totalvnc4\version.log
- %ProgramFiles%\totalvnc4\sessiontime.log
- %TEMP%\aut934a.tmp
- %TEMP%\aut9435.tmp
- %TEMP%\aut9446.tmp
- %TEMP%\aut9467.tmp
- %TEMP%\aut98d1.tmp
- %TEMP%\aut94c6.tmp
- %TEMP%\aut94d6.tmp
- %TEMP%\aut9516.tmp
- %TEMP%\aut9555.tmp
- %TEMP%\aut97b6.tmp
- %TEMP%\aut9863.tmp
- %TEMP%\aut996e.tmp
- %ProgramFiles%\totalvnc4\idtest.log
Сетевая активность
TCP
- 'ma####.totalvnc.com':443
- 'ma#####1.totalvnc.com':443
- 'cl#####01.totalvnc.com':26
UDP
- DNS ASK ma####.totalvnc.com
- DNS ASK ma#####1.totalvnc.com
- DNS ASK cl#####01.totalvnc.com
Другое
Ищет следующие окна
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Pageant' WindowName: 'Pageant'
Создает и запускает на исполнение
- '%HOMEPATH%\totalvnc4temp\tvncsetup.exe'
- '%ProgramFiles%\totalvnc4\tvncsmgr.exe'
- '%ProgramFiles%\totalvnc4\tvncserver.exe' -service_run
- '%ProgramFiles%\totalvnc4\tvncsmgr.exe' set TotalVNC_tun Description "TotalVNC Remote Desktop Service Tunnel"
- '%ProgramFiles%\totalvnc4\tuneport.exe' --connect-timeout 120 -m 120 -d "checkstate" -X POST --retry 3 -s -k http://lo###host:27/sessionwatcher.php -o checkconstate.log
- '%ProgramFiles%\totalvnc4\tvncscacl.exe' TotalVNC_srv /E /G Everyone:F /Q
- '%ProgramFiles%\totalvnc4\tvncscacl.exe' TotalVNC_tun /E /G Wszyscy:F /Q
- '%ProgramFiles%\totalvnc4\tvncscacl.exe' TotalVNC_tun /E /G Everyone:F /Q
- '%ProgramFiles%\totalvnc4\tvncscacl.exe' TotalVNC_srv /E /G S-1-1-0:F /Q
- '%ProgramFiles%\totalvnc4\tvncscacl.exe' TotalVNC_tun /E /G S-1-1-0:F /Q
- '%ProgramFiles%\totalvnc4\tvncserver.exe' -service
- '%ProgramFiles%\totalvnc4\tvncscacl.exe' TotalVNC_srv /E /G Wszyscy:F /Q
- '%ProgramFiles%\totalvnc4\tvncsas64.exe'
- '%ProgramFiles%\totalvnc4\totalvnc4_gui.exe'
- '%ProgramFiles%\totalvnc4\tuneport.exe' --connect-timeout 120 -m 120 -d "addtunnel=ID_25956_vwzfqnepdi_3B885DD9-1DF9-E54C-A5C5-D08BB6A85DEC" -X POST --retry 3 -s -k https://master01.totalvnc.com/sessionwatcher.php -o idtest.log
- '%ProgramFiles%\totalvnc4\tunelinksrv.exe' -l 25956 -C -4 -N -host_totalvnc_srv -R 127.55.5.2:25956:localhost:3379 -L localhost:27:master01.totalvnc.com:80 clients01.totalvnc.com -P 26
- '%ProgramFiles%\totalvnc4\tvncsmgr.exe' install TotalVNC_tun "%ProgramFiles%\TotalVNC4\tvncservice.exe" /service
- '%ProgramFiles%\totalvnc4\tvncsmgr.exe' set TotalVNC_srv Description "TotalVNC Remote Desktop Service Engine"
- '%ProgramFiles%\totalvnc4\tvncserver.exe' -install
- '%ProgramFiles%\totalvnc4\tvncpgen.exe' 01803725 01864837
- '%ProgramFiles%\totalvnc4\tuneport.exe' --connect-timeout 120 -m 120 -d "version" -X POST --retry 3 -s -k https://master.totalvnc.com/sessionwatcher.php -o version.log
- '%ProgramFiles%\totalvnc4\tvncservice.exe' /service
- '%WINDIR%\syswow64\cmd.exe' /c net start TotalVNC_srv' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c net start TotalVNC_tun' (со скрытым окном)
- '%WINDIR%\syswow64\icacls.exe' C:"\Program Files\TotalVNC4" /grant *S-1-2-0:(OI)(CI)F' (со скрытым окном)
- '%WINDIR%\syswow64\icacls.exe' C:"\Program Files\TotalVNC4" /grant *S-1-1-0:(OI)(CI)F' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c %systemdrive%\Windows\SysWOW64\regedit /s "%systemdrive%\Program Files\TotalVNC4\install_key.reg"' (со скрытым окном)
- '%ProgramFiles%\totalvnc4\tunelinksrv.exe' -l 25956 -C -4 -N -host_totalvnc_srv -R 127.55.5.2:25956:localhost:3379 -L localhost:27:master01.totalvnc.com:80 clients01.totalvnc.com -P 26' (со скрытым окном)
- '%WINDIR%\syswow64\cacls.exe' C:"\Program Files\TotalVNC4"" /E /G Everyone:F"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="TotalVNC_PORTS_IN"' (со скрытым окном)
- '%WINDIR%\syswow64\cacls.exe' C:"\Program Files\TotalVNC4"" /E /G Wszyscy:F"' (со скрытым окном)
- '%WINDIR%\syswow64\net.exe' start "TotalVNC_srv"' (со скрытым окном)
- '%ProgramFiles%\totalvnc4\tuneport.exe' --connect-timeout 120 -m 120 -d "version" -X POST --retry 3 -s -k https://master.totalvnc.com/sessionwatcher.php -o version.log' (со скрытым окном)
- '%WINDIR%\syswow64\cacls.exe' C:"\Program Files\TotalVNC4"" /E /G Users:F"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_tun /E /G S-1-1-0:F /Q' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="TotalVNC_PORTS_OUT" dir=OUT action=allow protocol=TCP localport=3379,3369,3389,27,57,79,89,26,443,80 profile=any enable=yes' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncsmgr.exe install TotalVNC_tun "%SystemDrive%\Program Files\TotalVNC4\tvncservice.exe" /service' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncpgen.exe 01803725 01864837' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="TotalVNC_PORTS_OUT"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncsmgr.exe set TotalVNC_tun Description "TotalVNC Remote Desktop Service Tunnel"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c wmic csproduct get "UUID" | find "-">uuid.log' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncsmgr.exe set TotalVNC_srv Description "TotalVNC Remote Desktop Service Engine"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_srv /E /G Wszyscy:F /Q' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncserver.exe -install' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_srv /E /G Everyone:F /Q' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_srv /E /G S-1-1-0:F /Q' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_tun /E /G Wszyscy:F /Q' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="TotalVNC_PORTS_IN" dir=IN action=allow protocol=TCP localport=3379,3369,27,57,79,89,26 profile=any enable=yes' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_tun /E /G Everyone:F /Q' (со скрытым окном)
- '%ProgramFiles%\totalvnc4\tuneport.exe' --connect-timeout 120 -m 120 -d "addtunnel=ID_25956_vwzfqnepdi_3B885DD9-1DF9-E54C-A5C5-D08BB6A85DEC" -X POST --retry 3 -s -k https://master01.totalvnc.com/sessionwatcher.php -o idtest.log' (со скрытым окном)
- '%ProgramFiles%\totalvnc4\tuneport.exe' --connect-timeout 120 -m 120 -d "checkstate" -X POST --retry 3 -s -k http://lo###host:27/sessionwatcher.php -o checkconstate.log' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cacls.exe' C:"\Program Files\TotalVNC4"" /E /G Wszyscy:F"
- '%WINDIR%\syswow64\cmd.exe' /c tvncsmgr.exe set TotalVNC_tun Description "TotalVNC Remote Desktop Service Tunnel"
- '%WINDIR%\syswow64\cmd.exe' /c tvncsmgr.exe set TotalVNC_srv Description "TotalVNC Remote Desktop Service Engine"
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_srv /E /G Wszyscy:F /Q
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_srv /E /G Everyone:F /Q
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_tun /E /G Wszyscy:F /Q
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_tun /E /G Everyone:F /Q
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_tun /E /G S-1-1-0:F /Q
- '%WINDIR%\syswow64\cmd.exe' /c %systemdrive%\Windows\SysWOW64\regedit /s "%systemdrive%\Program Files\TotalVNC4\install_key.reg"
- '%WINDIR%\syswow64\cmd.exe' /c net start TotalVNC_srv
- '%WINDIR%\syswow64\net.exe' start TotalVNC_srv
- '%WINDIR%\syswow64\net1.exe' start TotalVNC_srv
- '%WINDIR%\syswow64\cmd.exe' /c net start TotalVNC_tun
- '%WINDIR%\syswow64\net.exe' start TotalVNC_tun
- '%WINDIR%\syswow64\net1.exe' start TotalVNC_tun
- '%WINDIR%\syswow64\net1.exe' start "TotalVNC_srv"
- '%WINDIR%\syswow64\cmd.exe' /c tvncscacl.exe TotalVNC_srv /E /G S-1-1-0:F /Q
- '%WINDIR%\syswow64\cmd.exe' /c tvncsmgr.exe install TotalVNC_tun "%SystemDrive%\Program Files\TotalVNC4\tvncservice.exe" /service
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="TotalVNC_PORTS_OUT"
- '%WINDIR%\syswow64\cacls.exe' C:"\Program Files\TotalVNC4"" /E /G Everyone:F"
- '%WINDIR%\syswow64\cacls.exe' C:"\Program Files\TotalVNC4"" /E /G Users:F"
- '%WINDIR%\syswow64\icacls.exe' C:"\Program Files\TotalVNC4" /grant *S-1-1-0:(OI)(CI)F
- '%WINDIR%\syswow64\icacls.exe' C:"\Program Files\TotalVNC4" /grant *S-1-2-0:(OI)(CI)F
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="TotalVNC_PORTS_IN"
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="TotalVNC_PORTS_OUT"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="TotalVNC_PORTS_IN"
- '%WINDIR%\syswow64\cmd.exe' /c tvncserver.exe -install
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="TotalVNC_PORTS_IN" dir=IN action=allow protocol=TCP localport=3379,3369,27,57,79,89,26 profile=any enable=yes
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="TotalVNC_PORTS_OUT" dir=OUT action=allow protocol=TCP localport=3379,3369,3389,27,57,79,89,26,443,80 profile=any enable=yes
- '%WINDIR%\syswow64\cmd.exe' /c tvncpgen.exe 01803725 01864837
- '%WINDIR%\syswow64\cmd.exe' /c wmic csproduct get "UUID" | find "-">uuid.log
- '%WINDIR%\syswow64\wbem\wmic.exe' csproduct get "UUID"
- '%WINDIR%\syswow64\find.exe' "-"
- '%WINDIR%\syswow64\net.exe' start "TotalVNC_srv"
- '%WINDIR%\syswow64\regedit.exe' /s "%ProgramFiles%\TotalVNC4\install_key.reg"
