Trojan.DownLoader8.30238

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\katmain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrogAgent.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnipeSword.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBMon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'

Вредоносные функции:

Создает и запускает на исполнение:

%TEMP%\IXP000.TMP\File.exe
%TEMP%\IXP000.TMP\НкіЙ.exe
%TEMP%\IXP000.TMP\File.exe (загружен из сети Интернет)

Запускает на исполнение:

<SYSTEM32>\cmd.exe /c ""kill.bat""

Изменения в файловой системе:

Создает следующие файлы:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\cc1[1].exe
%TEMP%\IXP000.TMP\File.exe
%TEMP%\IXP000.TMP\kill.bat
%TEMP%\IXP000.TMP\win32info.sys
%TEMP%\IXP000.TMP\НкіЙ.exe
%TEMP%\IXP000.TMP\kills.sys

Удаляет следующие файлы: