Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\LDrvSvc] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\LDrvSvc] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalDriverService'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\LDrvSvc\Parameters] 'ServiceDll' = '%TEMP%\DriveTheLife\LDrvSvc.dll'
- [<HKLM>\System\CurrentControlSet\Services\LDrvPro] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\LDrvPro] 'ImagePath' = 'system32\drivers\LDrvPro64.sys'
- [<HKLM>\System\CurrentControlSet\Services\Wlansvc] 'Start' = '00000002'
Создает следующие сервисы
- 'LDrvSvc' <SYSTEM32>\svchost.exe -k LocalDriverService
- 'LDrvPro' <DRIVERS>\LDrvPro64.sys
Вредоносные функции
Регистрирует фильтр файловой системы
- [<HKLM>\System\CurrentControlSet\Services\LDrvPro] 'Group' = 'FSFilter Activity Monitor'
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\nsg119d.tmp
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv1.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv0.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv2\drv3.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv2\drv2.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv2\drv1.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv2\drv0.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv1\drv3.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv1\drv2.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv1\drv1.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv1\drv0.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv6.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv5.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv4.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv3.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv2.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv1.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv0\drv0.7zz
- %TEMP%\drivethelife\drv64\wndconfigdata.xml
- %TEMP%\drivethelife\drv64\wndautodata.xml
- %TEMP%\drivethelife\drv64\drv64_usb.exe
- %TEMP%\drivethelife\drv64\drv64.exe
- %TEMP%\drivethelife\drv64\drv32_usb.exe
- %TEMP%\drivethelife\drv64\dev64.exe
- %TEMP%\drivethelife\drv64\dev32.exe
- %TEMP%\drivethelife\drv64\difxapi.dll
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv2.7zz
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv4.7zz
- %TEMP%\drivethelife\dtlplugs\dtlprocrptv10\pcid.dll
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv5.7zz
- %TEMP%\drivethelife\dtlplugs\dtlprocrptv10\dtlprocrptv10.dll
- %ALLUSERSPROFILE%\drivethelife2013\dtlprocrptv10.7z
- %ALLUSERSPROFILE%\drivethelife2013\dtlprocrptv10.plug
- %ALLUSERSPROFILE%\drivethelife2013\dtlplugs.ini
- %TEMP%\drivethelife\dtlplugs\cleanuninstall\cleanuninstall.dll
- %ALLUSERSPROFILE%\drivethelife2013\cleanuninstall.7z
- %ALLUSERSPROFILE%\drivethelife2013\cleanuninstall.plug
- %WINDIR%\temp\udd3d3e.tmp
- D:\dtlfolder\driversdownload\downloadinfo.db
- D:\dtlfolder\driversdownload\downloadinfo.db-journal
- %ALLUSERSPROFILE%\drivethelife2013\backuplist.dat
- %ALLUSERSPROFILE%\drivethelife2013\dtldrvcache101020016.db
- %ALLUSERSPROFILE%\drivethelife2013\dtldrvcache101020016.db-journal
- <DRIVERS>\ldrvpro64.sys
- %APPDATA%\drivethelife2013\dtlconfig\userconfig.dat
- %TEMP%\drivethelife\lan\userconfig.dat
- %TEMP%\nsl1f25.tmp\system.dll
- %TEMP%\drivethelife\lan\chinese.ini
- %TEMP%\drivethelife\dtldrv\wdmaudio\win8_x86\wdmaudio.inf
- %TEMP%\drivethelife\dtldrv\wdmaudio\win8_x64\wdmaudio.inf
- %TEMP%\drivethelife\dtldrv\wdmaudio\win8.1_x86\wdmaudio.inf
- %TEMP%\drivethelife\dtldrv\wdmaudio\win8.1_x64\wdmaudio.inf
- %TEMP%\drivethelife\dtldrv\wdmaudio\win7_x86\wdmaudio.inf
- %TEMP%\drivethelife\dtldrv\wdmaudio\win7_x64\wdmaudio.inf
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv6.7zz
- %TEMP%\drivethelife\download\zlib1.dll
- %TEMP%\drivethelife\dtldrv\dtldrv3\drv3.7zz
- %TEMP%\drivethelife\download\msvcr71.dll
- %TEMP%\drivethelife\dtldrvcheck.dll
- %TEMP%\drivethelife\dstudp.dll
- %TEMP%\drivethelife\drvsrc.dll
- %TEMP%\drivethelife\drvget.dll
- %TEMP%\drivethelife\drvbak.dll
- %TEMP%\drivethelife\detoured.dll
- %TEMP%\drivethelife\bios.dll
- %TEMP%\drivethelife\appconfig.dll
- %TEMP%\drivethelife\netdrvcore.dll
- %TEMP%\drivethelife\monreboot.dll
- %TEMP%\drivethelife\ldrvsvc.dll
- %TEMP%\drivethelife\ldrvproctrl.dll
- %TEMP%\drivethelife\ldrvpro64.sys
- %TEMP%\drivethelife\ldrvpro.sys
- %TEMP%\drivethelife\infdrvsetup.dll
- %TEMP%\drivethelife\dtlplug.dll
- %TEMP%\drivethelife\dtlnetdevice.dll
- %TEMP%\drivethelife\drvallrepair.dll
- %TEMP%\drivethelife\drivethelife.exe
- %TEMP%\drivethelife\devcfg.dll
- %TEMP%\drivethelife\dtlui.dll
- %TEMP%\drivethelife\dtlsubmit.dll
- %TEMP%\drivethelife\dtldrvuninst.dll
- %TEMP%\drivethelife\dtlautosetup.dll
- %TEMP%\drivethelife\difxapi.dll
- %TEMP%\drivethelife\7z.dll
- %TEMP%\drivethelife\dtlconfig.dll
- %TEMP%\drivethelife\feedback.dll
- %TEMP%\drivethelife\download\minizip.dll
- %TEMP%\drivethelife\gzipdll.dll
- %TEMP%\drivethelife\download\id.dat
- %TEMP%\drivethelife\download\download_engine.dll
- %TEMP%\drivethelife\download\dl_peer_id.dll
- %TEMP%\drivethelife\download\atl71.dll
- %TEMP%\drivethelife\download\xlbugreport.exe
- %TEMP%\drivethelife\download\xlbughandler.dll
- %TEMP%\drivethelife\download\minithunderplatform.exe
- %TEMP%\drivethelife\dtlconfig\wndconfigdata.xml
- %TEMP%\drivethelife\dtlconfig\userconfig.dat
- %TEMP%\drivethelife\dtlconfig\unsetup.xml
- %TEMP%\drivethelife\dtlconfig\dtlsetup.xml
- %TEMP%\drivethelife\autosetup\filter.proc
- %TEMP%\drivethelife\xldl.dll
- %TEMP%\drivethelife\usbenum.dll
- %TEMP%\drivethelife\udp.dll
- %TEMP%\drivethelife\substat.dll
- %TEMP%\drivethelife\sqlite3.dll
- %TEMP%\drivethelife\sqlcache.dll
- %TEMP%\drivethelife\pnpdrv.dll
- %TEMP%\drivethelife\pcidrv.dll
- %TEMP%\drivethelife\pcidetect.dll
- %TEMP%\drivethelife\pcid.dll
- %TEMP%\drivethelife\p2spd.dll
- %TEMP%\drivethelife\libcurl.dll
- %TEMP%\drivethelife\key.dat
- %TEMP%\drivethelife\download\msvcp71.dll
- %TEMP%\drivethelife\dtlplugs\dtlprocrptv10\procrpt.dll
Удаляет следующие файлы
- %ALLUSERSPROFILE%\drivethelife2013\dtldrvcache101020016.db-journal
- D:\dtlfolder\driversdownload\downloadinfo.db-journal
- %WINDIR%\temp\udd3d3e.tmp
- %ALLUSERSPROFILE%\drivethelife2013\cleanuninstall.plug
- %ALLUSERSPROFILE%\drivethelife2013\cleanuninstall.7z
- %ALLUSERSPROFILE%\drivethelife2013\dtlprocrptv10.plug
- %ALLUSERSPROFILE%\drivethelife2013\dtlprocrptv10.7z
Подменяет следующие файлы
- %ALLUSERSPROFILE%\drivethelife2013\dtldrvcache101020016.db-journal
- D:\dtlfolder\driversdownload\downloadinfo.db-journal
Сетевая активность
Подключается к
- 'in#.#pdrv.com':80
- 'dt####rch.updrv.com':80
- 'cd####e.updrv.com':80
TCP
Запросы HTTP GET
- http://in#.#pdrv.com/dtl/BloodEnrich.ashx?a=###################################################################
UDP
- DNS ASK di######.integrate.updrv.com
- DNS ASK qu###.#rivethelife.com
- DNS ASK in#.#pdrv.com
- DNS ASK on#####.integrate.updrv.com
- DNS ASK in#.####behavior.updrv.com
- DNS ASK dt####rch.updrv.com
- DNS ASK cd####e.updrv.com
- 'di######.integrate.updrv.com':3800
- 'qu###.#rivethelife.com':3000
- 'qu###.#rivethelife.com':4300
- 'on#####.integrate.updrv.com':6000
- 'in#.####behavior.updrv.com':6130
Другое
Создает и запускает на исполнение
- '%TEMP%\drivethelife\drivethelife.exe'
Запускает на исполнение
- '%WINDIR%\syswow64\svchost.exe' -k LocalDriverService
- '%WINDIR%\syswow64\rundll32.exe' "%TEMP%\DriveTheLife\pcidetect.dll",HDRundllDetect
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%TEMP%\drivethelife\drivethelife...
