Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}] 'ClsidExtension' = '{6671A432-5C3D-463d-A7CF-5587F9B7E191}'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'MiniPcast' = '%ProgramFiles(x86)%\pcast\PodcastbarMini\start.exe'
- [<HKLM>\Software\Classes\pcast\shell\open\command] '' = '%ProgramFiles%\pcast\PODCAS~1\PODCAS~1.EXE "%1"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'YLive.exe' = '%ProgramFiles%\yahoo!\assist~1\ylive.exe'
Создает или изменяет следующие файлы
- %WINDIR%\tasks\dm_install_program.job
- <SYSTEM32>\tasks\dm_install_program
Вредоносные функции
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\] '<Текущая директория>\601017.exe' = '<Текущая директория>\601017.e...
- [<HKLM>\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\pcast\podcas~1\podcas~1.exe' = '%ProgramFiles%\pcas...
Изменения в файловой системе
Создает следующие файлы
- <Текущая директория>\setup_s38.exe
- %ProgramFiles%\yahoo!\assist~1\assist\images\alertnew.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\alert.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\adkiller.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\coolbar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\coolbar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\securitybar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\securitybar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\searchbar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\searchbar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\yphtb.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\settings.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\searchtop.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\search.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\picture.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\musictop.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\musiclink.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\music.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\anitvirus.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\assist.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\clear.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\custheme.bmp
- %TEMP%\rarsfx0\dtservice.dll
- %ProgramFiles%\yahoo!\assist~1\yalive.dll
- %ProgramFiles(x86)%\pcast\podcastbarmini\pbmini.config.xml
- %ProgramFiles%\yahoo!\assist~1\assist\securitybar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\securitybar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\searchbar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\searchbar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\images\yphtb.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\searchtop.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\settings.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\search.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\picture.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\musictop.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\musiclink.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\music.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\logo.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\iefix.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\images\hilight.bmp
- %ProgramFiles(x86)%\ibar\10002\ibar.dll
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\logo.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\iefix.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\hilight.bmp
- %ProgramFiles(x86)%\pcast\podcastbarmini\start.exe
- %TEMP%\nsh9a5c.tmp
- %HOMEPATH%\desktop\podcastbarmini.lnk
- %ProgramFiles(x86)%\pcast\podcastbarmini\version.ini
- %ProgramFiles(x86)%\mmsassist\mmsassist.dll
- %ProgramFiles(x86)%\mmsassist\mms.ini
- %TEMP%\nsm8af2.tmp\nsisdl.dll
- %TEMP%\nsm8af2.tmp\system.dll
- %WINDIR%\syswow64\stdup.dll
- %WINDIR%\syswow64\std.ini
- %TEMP%\nsr8a26.tmp
- <Текущая директория>\rjzc017_yassist.exe
- <Текущая директория>\601017.exe
- <Текущая директория>\pcastbarminis-1.0.0.4_wl_002.exe
- <Текущая директория>\setup_01cncw11.exe
- <Текущая директория>\bind_8160.exe
- <Текущая директория>\installibar.exe
- %ProgramFiles(x86)%\pcast\podcastbarmini\podcastbarmini.exe
- %ProgramFiles(x86)%\pcast\podcastbarmini\pcastctl.dll
- %ProgramFiles(x86)%\pcast\podcastbarmini\uninst.exe
- %ProgramFiles(x86)%\yahoo!\assistant\assist\yalive.dll
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\clear.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\assist.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\anitvirus.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\alertnew.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\alert.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\adkiller.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\coolbar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\coolbar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\ylive.exe
- %ProgramFiles%\yahoo!\assist~1\assist\coolbar.cab
- %ProgramFiles%\yahoo!\assist~1\yhelper.dll
- %ProgramFiles%\yahoo!\assist~1\yal01.dat
- %ProgramFiles%\yahoo!\assist~1\assist\yasbar.dll
- %ProgramFiles%\yahoo!\assist~1\update\assist\yasbar.dll
- %ProgramFiles%\yahoo!\assist~1\update\yal01.dat
- %ProgramFiles%\yahoo!\assist~1\update\yhelper.dll
- %ProgramFiles%\yahoo!\assist~1\update\ylive.exe
- %ProgramFiles%\yahoo!\assist~1\ires.dat
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\custheme.bmp
- %ProgramFiles(x86)%\ibar\10002\ibar.ini
Удаляет следующие файлы
- %ProgramFiles%\yahoo!\assist~1\update\assist\yasbar.dll
- %ProgramFiles%\yahoo!\assist~1\assist\coolbar.cab
- %ProgramFiles%\yahoo!\assist~1\assist\update\securitybar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\securitybar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\searchbar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\searchbar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\yphtb.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\settings.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\searchtop.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\search.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\picture.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\musictop.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\musiclink.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\music.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\logo.bmp
- %ProgramFiles%\yahoo!\assist~1\ires.dat
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\iefix.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\custheme.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\clear.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\assist.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\anitvirus.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\alertnew.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\alert.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\adkiller.bmp
- %ProgramFiles%\yahoo!\assist~1\assist\update\coolbar\profile.ini
- %ProgramFiles%\yahoo!\assist~1\assist\update\coolbar\prodef.ini
- %ProgramFiles%\yahoo!\assist~1\update\ylive.exe
- %ProgramFiles%\yahoo!\assist~1\update\yhelper.dll
- %ProgramFiles%\yahoo!\assist~1\update\yal01.dat
- %TEMP%\nsm8af2.tmp\system.dll
- %TEMP%\nsm8af2.tmp\nsisdl.dll
- %ProgramFiles%\yahoo!\assist~1\assist\update\images\hilight.bmp
- %TEMP%\rarsfx0\dtservice.dll
Сетевая активность
Подключается к
- 'fi###.qqhelper.com':80
- 'fi##.#qhelper.com':80
- 'dm##.dmcast.com':80
TCP
Запросы HTTP GET
- http://fi###.qqhelper.com/bindsoft/bindsetup.exe
- http://fi##.#qhelper.com/bindsoft/bindsetup.exe
- http://dm##.dmcast.com/setup/dmsetup.exe
UDP
- DNS ASK fi###.qqhelper.com
- DNS ASK fi##.#qhelper.com
- DNS ASK li###eng100.com
- DNS ASK dm##.dmcast.com
- DNS ASK pc####l.dudu.com
- DNS ASK it#.mop.com
- DNS ASK re#.##ast.dudu.com
- DNS ASK p-##.io8.org
Другое
Ищет следующие окна
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
Создает и запускает на исполнение
- '<Текущая директория>\setup_s38.exe'
- '<Текущая директория>\installibar.exe'
- '<Текущая директория>\bind_8160.exe'
- '<Текущая директория>\pcastbarminis-1.0.0.4_wl_002.exe'
- '<Текущая директория>\setup_01cncw11.exe'
- '<Текущая директория>\rjzc017_yassist.exe'
- '<Текущая директория>\601017.exe'
- '%ProgramFiles(x86)%\pcast\podcastbarmini\start.exe'
- '%ProgramFiles(x86)%\pcast\podcastbarmini\podcastbarmini.exe'
- '%ProgramFiles%\yahoo!\assist~1\ylive.exe'
Запускает на исполнение
- '%WINDIR%\syswow64\rundll32.exe' "<SYSTEM32>\stdup.dll",EasyFunc
- '%WINDIR%\syswow64\rundll32.exe' "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc
- '%WINDIR%\syswow64\regsvr32.exe' /s dtservice.dll
- '%WINDIR%\syswow64\regsvr32.exe' ibar.dll /s:softreg;{iBar_0002}
