Техническая информация
Вредоносные функции:
Создает и запускает на исполнение:
- %TEMP%\nsx2.tmp\BI.exe { "conduit_product_type" : "" , "conduit_product_id" : "" , "offer_id" : "4045" , "general_status_code" : "3" , "duration_details" : " InitPluginsDir:16 initializeParams:47 load_BITool:47 send_BI_Init:656 load_DownloadACC:187 retrieveUISource:63 unpack_webappfolder:2969 unpack_icon:140 RetrieveMainOfferKey:16 unpack_OpenCandyDll:328 load_webapphost:719 unpack_ProxyInstaller:109 navigate_loadingUI:31 navigateAsync_constMainOffer:500 BuildUserProfile:94 retrieve cid:16 callService1:8672 " , "phase_duration" : "" , "error_details" : "Error Parsing the offer xml response file" , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.6.1" , "bundle_id" : "007c0b33-a9fd-4182-bc5c-a7f5bfeb4282" , "machine_user_id" : "{48C60088-A22E-4C5E-99AB-8B18C7366E75}" , "installation_session_id" : "{2BA5C432-096D-488F-98C1-7D66A2201E53}" , "publisher_id" : "Brothersoft" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
- %TEMP%\nsx2.tmp\BI.exe { "conduit_product_type" : "" , "conduit_product_id" : "" , "offer_id" : "4045" , "general_status_code" : "3" , "duration_details" : " InitPluginsDir:16 initializeParams:47 load_BITool:47 send_BI_Init:656 load_DownloadACC:187 retrieveUISource:63 unpack_webappfolder:2969 unpack_icon:140 RetrieveMainOfferKey:16 unpack_OpenCandyDll:328 load_webapphost:719 unpack_ProxyInstaller:109 navigate_loadingUI:31 navigateAsync_constMainOffer:500 BuildUserProfile:94 retrieve cid:16 callService1:8672 " , "phase_duration" : "" , "error_details" : "Error Parsing the offer xml response file" , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.6.1" , "bundle_id" : "007c0b33-a9fd-4182-bc5c-a7f5bfeb4282" , "machine_user_id" : "{48C60088-A22E-4C5E-99AB-8B18C7366E75}" , "installation_session_id" : "{2BA5C432-096D-488F-98C1-7D66A2201E53}" , "publisher_id" : "Brothersoft" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "1" }
- %TEMP%\nsx2.tmp\BI.exe { "conduit_product_type" : "" , "conduit_product_id" : "" , "offer_id" : "4045" , "user_type" : "NULL" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.6.1" , "bundle_id" : "007c0b33-a9fd-4182-bc5c-a7f5bfeb4282" , "machine_user_id" : "{48C60088-A22E-4C5E-99AB-8B18C7366E75}" , "installation_session_id" : "{2BA5C432-096D-488F-98C1-7D66A2201E53}" , "publisher_id" : "Brothersoft" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }
- %TEMP%\nsx2.tmp\BI.exe { "conduit_product_type" : "" , "conduit_product_id" : "" , "offer_id" : "4045" , "user_type" : "NULL" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.6.1" , "bundle_id" : "007c0b33-a9fd-4182-bc5c-a7f5bfeb4282" , "machine_user_id" : "{48C60088-A22E-4C5E-99AB-8B18C7366E75}" , "installation_session_id" : "{2BA5C432-096D-488F-98C1-7D66A2201E53}" , "publisher_id" : "Brothersoft" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "1" }
Изменения в файловой системе:
Создает следующие файлы:
- %TEMP%\nsx2.tmp\WebApp\Js\json2.js
- %TEMP%\nsx2.tmp\WebApp\Js\script.js
- %TEMP%\nsx2.tmp\WebApp\Js\Store.js
- %TEMP%\nsx2.tmp\WebApp\Js\jquery-ui-1.8.16.custom.min.js
- %TEMP%\nsx2.tmp\OCSetupHlp.dll
- %TEMP%\nsx2.tmp\webapphost.dll
- %TEMP%\nsx2.tmp\WebApp\Js\xml2json.js
- %TEMP%\nsx2.tmp\icon.png
- %TEMP%\nsx2.tmp\WebApp\Images\myiweb-logo.jpg
- %TEMP%\nsx2.tmp\WebApp\Images\myiweb-logo.png
- %TEMP%\nsx2.tmp\WebApp\Images\conduit-logo.png
- %TEMP%\nsx2.tmp\WebApp\Images\loaderb64-transparent.gif
- %TEMP%\nsx2.tmp\WebApp\Js\PIE.htc
- %TEMP%\nsx2.tmp\WebApp\Js\ProgressBar.js
- %TEMP%\nsx2.tmp\WebApp\Js\API.js
- %TEMP%\nsx2.tmp\WebApp\Js\ExternalParams.js
- <SYSTEM32>\wbem\Performance\WmiApRpl_new.ini
- %TEMP%\nsxA.tmp\inetc.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\en[1]
- %TEMP%\nsx2.tmp\xml.dll
- %TEMP%\nsc9.tmp\inetc.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\jquery.min[1].js
- %TEMP%\nsc9.tmp\a.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ude.conduit-data[1].htm
- %TEMP%\nsxA.tmp\a.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ude.conduit-data[1].htm
- %TEMP%\nsb6.tmp\a.txt
- %TEMP%\nsx2.tmp\ProxyInstaller.exe
- %TEMP%\nsx2.tmp\inetc.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\DecisionEngine[1].htm
- %TEMP%\nsx2.tmp\offer.xml
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ude.conduit-data[1].htm
- %TEMP%\nsq4.tmp\a.txt
- %TEMP%\nsx2.tmp\WebApp\Images\check-V.png
- %TEMP%\nsx2.tmp\WebApp\Css\Buttons.css
- %TEMP%\nsx2.tmp\WebApp\Css\Buttons.ltr.css
- %TEMP%\nsx2.tmp\WebApp\Reset.css
- %TEMP%\nsx2.tmp\WebApp\SilentSuccess.htm
- %TEMP%\nsq4.tmp\inetc.dll
- %TEMP%\nsx2.tmp\WebApp\Css\PIE.htc
- %TEMP%\nsx2.tmp\WebApp\Css\Buttons.rtl.css
- %TEMP%\nsx2.tmp\WebApp\Css\Copy of Buttons.css
- %TEMP%\nsx2.tmp\DownloadACC.exe
- %TEMP%\nsx2.tmp\WebApp\Failed.htm
- %TEMP%\nsx2.tmp\System.dll
- %TEMP%\nsx2.tmp\BI.exe
- %TEMP%\nsx2.tmp\WebApp\PIE.htc
- %TEMP%\nsx2.tmp\WebApp\ProgressBar.htm
- %TEMP%\nsx2.tmp\WebApp\Loading.htm
- %TEMP%\nsx2.tmp\WebApp\NoneSilentSuccess.htm
- %TEMP%\nsx2.tmp\WebApp\Css\Reset.css
- %TEMP%\nsx2.tmp\WebApp\Images\InstallationFailed.png
- %TEMP%\nsx2.tmp\WebApp\Images\InstallationSuccessful.png
- %TEMP%\nsx2.tmp\WebApp\Images\BrotherSoft.png
- %TEMP%\nsx2.tmp\WebApp\Images\CancelBG.png
- %TEMP%\nsx2.tmp\WebApp\Images\X.png
- %TEMP%\nsx2.tmp\WebApp\Images\button.png
- %TEMP%\nsx2.tmp\WebApp\Images\InternetTurbo.png
- %TEMP%\nsx2.tmp\WebApp\Images\Nana10.png
- %TEMP%\nsx2.tmp\WebApp\Css\css.rtl.css
- %TEMP%\nsx2.tmp\WebApp\Images\-.png
- %TEMP%\nsx2.tmp\WebApp\Css\css.css
- %TEMP%\nsx2.tmp\WebApp\Css\css.ltr.css
- %TEMP%\nsx2.tmp\WebApp\Images\BG.png
- %TEMP%\nsx2.tmp\WebApp\Images\BoxBg.png
- %TEMP%\nsx2.tmp\WebApp\Images\01Net-Logo.jpg
- %TEMP%\nsb6.tmp\inetc.dll
Удаляет следующие файлы:
- %TEMP%\nsxA.tmp\inetc.dll
- %TEMP%\nsxA.tmp\a.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ude.conduit-data[1].htm
- %TEMP%\nsc9.tmp\inetc.dll
- %TEMP%\nsc9.tmp\a.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ude.conduit-data[1].htm
- %TEMP%\nsb6.tmp\inetc.dll
- %TEMP%\nsb6.tmp\a.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ude.conduit-data[1].htm
- %TEMP%\nsq4.tmp\inetc.dll
- %TEMP%\nsq4.tmp\a.txt
Сетевая активность:
Подключается к:
- 'cm#.########tionengine.conduit-services.com':80
- 'aj##.#oogleapis.com':80
- 'of######.#######.distributionengine.conduit-services.com':80
- 'localhost':1038
- 'ud#.###duit-data.com':80
TCP:
Запросы HTTP GET:
- aj##.#oogleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
- cm#.########tionengine.conduit-services.com/ContentIDtr/1/7/4045/program/en/?Cu########################
Запросы HTTP POST:
- of######.#######.distributionengine.conduit-services.com//DecisionEngine.ashx
- ud#.###duit-data.com/
UDP:
- DNS ASK of######.#######.distributionengine.conduit-services.com
- DNS ASK aj##.#oogleapis.com
- DNS ASK ud#.###duit-data.com
- DNS ASK cm#.########tionengine.conduit-services.com
Другое:
Ищет следующие окна:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
