Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ПµНіµЗВјЅшіМОДјю' = '%WINDIR%\CRNJEUFU.exe'
Вредоносные функции:
Запускает на исполнение:
- <SYSTEM32>\ntvdm.exe -f -i23
- <SYSTEM32>\ntvdm.exe -f -i22
- <SYSTEM32>\ntvdm.exe -f -i21
- <SYSTEM32>\ntvdm.exe -f -i24
- <SYSTEM32>\ntvdm.exe -f -i27
- <SYSTEM32>\ntvdm.exe -f -i26
- <SYSTEM32>\ntvdm.exe -f -i25
- <SYSTEM32>\ntvdm.exe -f -i1c
- <SYSTEM32>\ntvdm.exe -f -i1b
- <SYSTEM32>\ntvdm.exe -f -i1a
- <SYSTEM32>\ntvdm.exe -f -i1d
- <SYSTEM32>\ntvdm.exe -f -i20
- <SYSTEM32>\ntvdm.exe -f -i1f
- <SYSTEM32>\ntvdm.exe -f -i1e
- <SYSTEM32>\ntvdm.exe -f -i31
- <SYSTEM32>\ntvdm.exe -f -i30
- <SYSTEM32>\ntvdm.exe -f -i2f
- <SYSTEM32>\ntvdm.exe -f -i32
- <SYSTEM32>\ntvdm.exe -f -i35
- <SYSTEM32>\ntvdm.exe -f -i34
- <SYSTEM32>\ntvdm.exe -f -i33
- <SYSTEM32>\ntvdm.exe -f -i2a
- <SYSTEM32>\ntvdm.exe -f -i29
- <SYSTEM32>\ntvdm.exe -f -i28
- <SYSTEM32>\ntvdm.exe -f -i2b
- <SYSTEM32>\ntvdm.exe -f -i2e
- <SYSTEM32>\ntvdm.exe -f -i2d
- <SYSTEM32>\ntvdm.exe -f -i2c
- <SYSTEM32>\ntvdm.exe -f -i7
- <SYSTEM32>\ntvdm.exe -f -i6
- <SYSTEM32>\ntvdm.exe -f -i5
- <SYSTEM32>\ntvdm.exe -f -i8
- <SYSTEM32>\ntvdm.exe -f -ib
- <SYSTEM32>\ntvdm.exe -f -ia
- <SYSTEM32>\ntvdm.exe -f -i9
- <SYSTEM32>\wscript.exe "%TEMP%\932262.vbs"
- %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://www.99#4.cn/tj/tj.asp?id##################
- <SYSTEM32>\wscript.exe "<LS_APPDATA>\Temp\NXRQYBMZXC.vbs"
- <SYSTEM32>\ntvdm.exe -f -i1
- <SYSTEM32>\ntvdm.exe -f -i4
- <SYSTEM32>\ntvdm.exe -f -i3
- <SYSTEM32>\ntvdm.exe -f -i2
- <SYSTEM32>\ntvdm.exe -f -i15
- <SYSTEM32>\ntvdm.exe -f -i14
- <SYSTEM32>\ntvdm.exe -f -i13
- <SYSTEM32>\ntvdm.exe -f -i16
- <SYSTEM32>\ntvdm.exe -f -i19
- <SYSTEM32>\ntvdm.exe -f -i18
- <SYSTEM32>\ntvdm.exe -f -i17
- <SYSTEM32>\ntvdm.exe -f -ie
- <SYSTEM32>\ntvdm.exe -f -id
- <SYSTEM32>\ntvdm.exe -f -ic
- <SYSTEM32>\ntvdm.exe -f -if
- <SYSTEM32>\ntvdm.exe -f -i12
- <SYSTEM32>\ntvdm.exe -f -i11
- <SYSTEM32>\ntvdm.exe -f -i10
Изменяет следующие настройки проводника Windows (Windows Explorer):
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoInternetIcon' = '00000001'
Без разрешения пользователя устанавливает новую стартовую страницу для Windows Internet Explorer.
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\Temp\scs44.tmp
- %WINDIR%\Temp\scs45.tmp
- %WINDIR%\Temp\scs46.tmp
- %WINDIR%\Temp\scs41.tmp
- %WINDIR%\Temp\scs42.tmp
- %WINDIR%\Temp\scs43.tmp
- %WINDIR%\Temp\scs47.tmp
- %WINDIR%\Temp\scs4B.tmp
- %WINDIR%\Temp\scs4C.tmp
- %WINDIR%\Temp\scs4D.tmp
- %WINDIR%\Temp\scs48.tmp
- %WINDIR%\Temp\scs49.tmp
- %WINDIR%\Temp\scs4A.tmp
- %WINDIR%\Temp\scs40.tmp
- %WINDIR%\Temp\scs36.tmp
- %WINDIR%\Temp\scs37.tmp
- %WINDIR%\Temp\scs38.tmp
- %WINDIR%\Temp\scs33.tmp
- %WINDIR%\Temp\scs34.tmp
- %WINDIR%\Temp\scs35.tmp
- %WINDIR%\Temp\scs39.tmp
- %WINDIR%\Temp\scs3D.tmp
- %WINDIR%\Temp\scs3E.tmp
- %WINDIR%\Temp\scs3F.tmp
- %WINDIR%\Temp\scs3A.tmp
- %WINDIR%\Temp\scs3B.tmp
- %WINDIR%\Temp\scs3C.tmp
- %WINDIR%\Temp\scs4E.tmp
- %WINDIR%\Temp\scs60.tmp
- %WINDIR%\Temp\scs61.tmp
- %WINDIR%\Temp\scs62.tmp
- %WINDIR%\Temp\scs5D.tmp
- %WINDIR%\Temp\scs5E.tmp
- %WINDIR%\Temp\scs5F.tmp
- %WINDIR%\Temp\scs63.tmp
- %WINDIR%\Temp\scs67.tmp
- %WINDIR%\Temp\scs68.tmp
- %WINDIR%\Temp\scs69.tmp
- %WINDIR%\Temp\scs64.tmp
- %WINDIR%\Temp\scs65.tmp
- %WINDIR%\Temp\scs66.tmp
- %WINDIR%\Temp\scs5C.tmp
- %WINDIR%\Temp\scs52.tmp
- %WINDIR%\Temp\scs53.tmp
- %WINDIR%\Temp\scs54.tmp
- %WINDIR%\Temp\scs4F.tmp
- %WINDIR%\Temp\scs50.tmp
- %WINDIR%\Temp\scs51.tmp
- %WINDIR%\Temp\scs55.tmp
- %WINDIR%\Temp\scs59.tmp
- %WINDIR%\Temp\scs5A.tmp
- %WINDIR%\Temp\scs5B.tmp
- %WINDIR%\Temp\scs56.tmp
- %WINDIR%\Temp\scs57.tmp
- %WINDIR%\Temp\scs58.tmp
- %WINDIR%\Temp\scsD.tmp
- %WINDIR%\Temp\scsE.tmp
- %WINDIR%\Temp\scsF.tmp
- %WINDIR%\Temp\scsA.tmp
- %WINDIR%\Temp\scsB.tmp
- %WINDIR%\Temp\scsC.tmp
- %WINDIR%\Temp\scs10.tmp
- %WINDIR%\Temp\scs14.tmp
- %WINDIR%\Temp\scs15.tmp
- %WINDIR%\Temp\scs16.tmp
- %WINDIR%\Temp\scs11.tmp
- %WINDIR%\Temp\scs12.tmp
- %WINDIR%\Temp\scs13.tmp
- %WINDIR%\Temp\scs9.tmp
- %WINDIR%\CRNJEUFU.exe
- %WINDIR%\Temp\scs1.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tj[1].asp
- <LS_APPDATA>\Temp\NXRQYBMZXC.vbs
- %HOMEPATH%\Favorites\РЎУОП·НшХѕ.url
- %TEMP%\932262.vbs
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scs8.tmp
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs17.tmp
- %WINDIR%\Temp\scs29.tmp
- %WINDIR%\Temp\scs2A.tmp
- %WINDIR%\Temp\scs2B.tmp
- %WINDIR%\Temp\scs26.tmp
- %WINDIR%\Temp\scs27.tmp
- %WINDIR%\Temp\scs28.tmp
- %WINDIR%\Temp\scs2C.tmp
- %WINDIR%\Temp\scs30.tmp
- %WINDIR%\Temp\scs31.tmp
- %WINDIR%\Temp\scs32.tmp
- %WINDIR%\Temp\scs2D.tmp
- %WINDIR%\Temp\scs2E.tmp
- %WINDIR%\Temp\scs2F.tmp
- %WINDIR%\Temp\scs25.tmp
- %WINDIR%\Temp\scs1B.tmp
- %WINDIR%\Temp\scs1C.tmp
- %WINDIR%\Temp\scs1D.tmp
- %WINDIR%\Temp\scs18.tmp
- %WINDIR%\Temp\scs19.tmp
- %WINDIR%\Temp\scs1A.tmp
- %WINDIR%\Temp\scs1E.tmp
- %WINDIR%\Temp\scs22.tmp
- %WINDIR%\Temp\scs23.tmp
- %WINDIR%\Temp\scs24.tmp
- %WINDIR%\Temp\scs1F.tmp
- %WINDIR%\Temp\scs20.tmp
- %WINDIR%\Temp\scs21.tmp
Присваивает атрибут 'скрытый' для следующих файлов:
- %TEMP%\932262.vbs
Удаляет следующие файлы:
- %WINDIR%\Temp\scs45.tmp
- %WINDIR%\Temp\scs46.tmp
- %WINDIR%\Temp\scs47.tmp
- %WINDIR%\Temp\scs42.tmp
- %WINDIR%\Temp\scs43.tmp
- %WINDIR%\Temp\scs44.tmp
- %WINDIR%\Temp\scs48.tmp
- %WINDIR%\Temp\scs4C.tmp
- %WINDIR%\Temp\scs4D.tmp
- %WINDIR%\Temp\scs4E.tmp
- %WINDIR%\Temp\scs49.tmp
- %WINDIR%\Temp\scs4A.tmp
- %WINDIR%\Temp\scs4B.tmp
- %WINDIR%\Temp\scs38.tmp
- %WINDIR%\Temp\scs39.tmp
- %WINDIR%\Temp\scs3A.tmp
- %WINDIR%\Temp\scs35.tmp
- %WINDIR%\Temp\scs36.tmp
- %WINDIR%\Temp\scs37.tmp
- %WINDIR%\Temp\scs3B.tmp
- %WINDIR%\Temp\scs3F.tmp
- %WINDIR%\Temp\scs40.tmp
- %WINDIR%\Temp\scs41.tmp
- %WINDIR%\Temp\scs3C.tmp
- %WINDIR%\Temp\scs3D.tmp
- %WINDIR%\Temp\scs3E.tmp
- %WINDIR%\Temp\scs5F.tmp
- %WINDIR%\Temp\scs60.tmp
- %WINDIR%\Temp\scs61.tmp
- %WINDIR%\Temp\scs5C.tmp
- %WINDIR%\Temp\scs5D.tmp
- %WINDIR%\Temp\scs5E.tmp
- %WINDIR%\Temp\scs62.tmp
- %WINDIR%\Temp\scs66.tmp
- %WINDIR%\Temp\scs67.tmp
- %WINDIR%\Temp\scs68.tmp
- %WINDIR%\Temp\scs63.tmp
- %WINDIR%\Temp\scs64.tmp
- %WINDIR%\Temp\scs65.tmp
- %WINDIR%\Temp\scs52.tmp
- %WINDIR%\Temp\scs53.tmp
- %WINDIR%\Temp\scs54.tmp
- %WINDIR%\Temp\scs4F.tmp
- %WINDIR%\Temp\scs50.tmp
- %WINDIR%\Temp\scs51.tmp
- %WINDIR%\Temp\scs55.tmp
- %WINDIR%\Temp\scs59.tmp
- %WINDIR%\Temp\scs5A.tmp
- %WINDIR%\Temp\scs5B.tmp
- %WINDIR%\Temp\scs56.tmp
- %WINDIR%\Temp\scs57.tmp
- %WINDIR%\Temp\scs58.tmp
- %WINDIR%\Temp\scs34.tmp
- %WINDIR%\Temp\scs10.tmp
- %WINDIR%\Temp\scs11.tmp
- %WINDIR%\Temp\scs12.tmp
- %WINDIR%\Temp\scsD.tmp
- %WINDIR%\Temp\scsE.tmp
- %WINDIR%\Temp\scsF.tmp
- %WINDIR%\Temp\scs13.tmp
- %WINDIR%\Temp\scs17.tmp
- %WINDIR%\Temp\scs18.tmp
- %WINDIR%\Temp\scs19.tmp
- %WINDIR%\Temp\scs14.tmp
- %WINDIR%\Temp\scs15.tmp
- %WINDIR%\Temp\scs16.tmp
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tj[1].asp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scsA.tmp
- %WINDIR%\Temp\scsB.tmp
- %WINDIR%\Temp\scsC.tmp
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scs8.tmp
- %WINDIR%\Temp\scs9.tmp
- %WINDIR%\Temp\scs2A.tmp
- %WINDIR%\Temp\scs2B.tmp
- %WINDIR%\Temp\scs2C.tmp
- %WINDIR%\Temp\scs27.tmp
- %WINDIR%\Temp\scs28.tmp
- %WINDIR%\Temp\scs29.tmp
- %WINDIR%\Temp\scs2D.tmp
- %WINDIR%\Temp\scs31.tmp
- %WINDIR%\Temp\scs32.tmp
- %WINDIR%\Temp\scs33.tmp
- %WINDIR%\Temp\scs2E.tmp
- %WINDIR%\Temp\scs2F.tmp
- %WINDIR%\Temp\scs30.tmp
- %WINDIR%\Temp\scs1D.tmp
- %WINDIR%\Temp\scs1E.tmp
- %WINDIR%\Temp\scs1F.tmp
- %WINDIR%\Temp\scs1A.tmp
- %WINDIR%\Temp\scs1B.tmp
- %WINDIR%\Temp\scs1C.tmp
- %WINDIR%\Temp\scs20.tmp
- %WINDIR%\Temp\scs24.tmp
- %WINDIR%\Temp\scs25.tmp
- %WINDIR%\Temp\scs26.tmp
- %WINDIR%\Temp\scs21.tmp
- %WINDIR%\Temp\scs22.tmp
- %WINDIR%\Temp\scs23.tmp
Сетевая активность:
Подключается к:
- 'www.99#4.cn':80
- 'localhost':1037
TCP:
Запросы HTTP GET:
- www.99#4.cn/tj/tj.asp?id##################
UDP:
- DNS ASK www.99#4.cn
Другое:
Ищет следующие окна:
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d24.d28.5a0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d14.d18.590001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d04.d08.580001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d34.d38.5b0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d64.d68.5e0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d54.d58.5d0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d44.d48.5c0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-cb0.cb4.530001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ca0.ca4.520001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c88.c8c.510001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-cc0.cc4.540001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-cf4.cf8.570001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ce0.ce4.560001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-cd0.cd4.550001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-e08.e0c.680001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-df8.dfc.670001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-de8.dec.660001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-e18.e1c.690001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-e4c.e50.6c0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-e3c.e40.6b0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-e2c.e30.6a0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d94.d98.610001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d84.d88.600001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d74.d78.5f0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-da8.dac.620001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-dd8.ddc.650001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-dc8.dcc.640001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-db8.dbc.630001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c74.c78.500001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b2c.b30.3d0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b1c.b20.3c0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b0c.b10.3b0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b3c.b40.3e0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b6c.b70.410001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b5c.b60.400001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b4c.b50.3f0001'
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ae8.aec.3a0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ad8.adc.390001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ac4.ac8.380001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c24.c28.4b0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c14.c18.4a0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c04.c08.490001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c34.c38.4c0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c64.c68.4f0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c54.c58.4e0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c44.c48.4d0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bac.bb0.440001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b9c.ba0.430001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b7c.b80.420001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bbc.bc0.450001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bec.bf0.480001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bdc.be0.470001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bcc.bd0.460001'
