Adware.Downware.1168

Техническая информация

Вредоносные функции:

Создает и запускает на исполнение:

'%TEMP%\nsd5FBC.tmp\BI.exe' { "user_ie_security_level" : "" , "json_send_time" : "15/4/2013 19:19:10:285" , "internal_error_description" : "HttpPost result: try1- Cannot load xml file %TEMP%\nsd5FBC.tmp\offer.xml; try2- Cannot load xml file %TEMP%\nsd5FBC.tmp\offer.xml; try3- Cannot load xml file %TEMP%\nsd5FBC.tmp\offer.xml" , "internal_error_number" : "3" , "is_parallel" : "0" , "vector_id" : "" , "rule_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "551832" , "general_status_code" : "3" , "duration_details" : " InitPluginsDir:16 initializeParams:390 load_BITool:31 send_BI_Init:62 load_DownloadACC:63 retrieveUISource:0 unpack_webappfolder:1170 unpack_icon:15 RetrieveMainOfferKey:0 unpack_OpenCandyDll:172 load_webapphost:0 unpack_ProxyInstaller:31 navigate_loadingUI:203 navigateAsync_constMainOffer:515 BuildUserProfile:31 retrieve cid:0 callService1:13182 callService1:2090 callService1:1233 " , "phase_duration" : "" , "error_details" : "Error Parsing the offer xml response file" , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "12" , "build_id" : "00000000" , "dm_version" : "1.3.7.8_HF8" , "bundle_id" : "b5b008a3-95e0-4878-b256-cf146b0745e8" , "machine_user_id" : "{C8AFE5FF-AC02-4DFA-83C5-395756F595F7}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "6D42F812-B64E-487D-A018-D47096D32108" , "publisher_internal_id" : "27" , "publisher_id" : "Avi Goldfinger" , "publisher_account_id" : "Avi_Goldfinger" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
'%TEMP%\nsd5FBC.tmp\BI.exe' { "json_send_time" : "15/4/2013 19:18:51:518" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "551832" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "12" , "build_id" : "00000000" , "dm_version" : "1.3.7.8_HF8" , "bundle_id" : "b5b008a3-95e0-4878-b256-cf146b0745e8" , "machine_user_id" : "{C8AFE5FF-AC02-4DFA-83C5-395756F595F7}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "6D42F812-B64E-487D-A018-D47096D32108" , "publisher_internal_id" : "27" , "publisher_id" : "Avi Goldfinger" , "publisher_account_id" : "Avi_Goldfinger" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }

Запускает на исполнение:

'<SYSTEM32>\wermgr.exe' -queuereporting

Изменения в файловой системе:

Создает следующие файлы:

%TEMP%\nsd5FBC.tmp\WebApp\Js\json2.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\json2debug.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\jquery.min.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\Store.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\jquery-ui-1.8.16.custom.min.js
%TEMP%\nsd5FBC.tmp\icon.png
%TEMP%\nsd5FBC.tmp\OCSetupHlp.dll
%TEMP%\nsd5FBC.tmp\WebApp\Js\xml2json.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\json2minified.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\script.js
%TEMP%\nsd5FBC.tmp\WebApp\Images\myiweb-logo.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\truste.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\myiweb-logo.jpg
%TEMP%\nsd5FBC.tmp\WebApp\Images\conduit-logo.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\loaderb64-transparent.gif
%TEMP%\nsd5FBC.tmp\WebApp\Js\PIE.htc
%TEMP%\nsd5FBC.tmp\WebApp\Js\ProgressBar.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\ExternalParams.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\API.js
%TEMP%\nsd5FBC.tmp\WebApp\Js\DD_belatedPNG_0.0.8a-min.js
%TEMP%\nsd5FBC.tmp\ProxyInstaller.exe
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\ErrorPageTemplate[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\errorPageStrings[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\navcancl[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\551529[1]
%TEMP%\nstAEC6.tmp\inetc.dll
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\background_gradient[1]
%TEMP%\nstAEC6.tmp\a.txt
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\httpErrorPagesScripts[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\info_48[1]
%TEMP%\nsd5FBC.tmp\offer.xml
%TEMP%\nsd5FBC.tmp\xml.dll
\Device\HarddiskVolume1\Boot\BCD
%TEMP%\nsd5FBC.tmp\inetc.dll
\Device\HarddiskVolume1\Boot\BCD.LOG
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\error[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\warning[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\error[1]
%TEMP%\nst64BC.tmp\a.txt
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\jquery.min[1].js
%TEMP%\nsd5FBC.tmp\WebApp\Css\Buttons.rtl.css
%TEMP%\nsd5FBC.tmp\WebApp\Css\Copy of Buttons.css
%TEMP%\nsd5FBC.tmp\WebApp\Css\Buttons.ltr.css
%TEMP%\nsd5FBC.tmp\WebApp\SilentSuccess.htm
%TEMP%\nsd5FBC.tmp\WebApp\Css\Buttons.css
%TEMP%\nsd5FBC.tmp\WebApp\Css\css.ltr.css
%TEMP%\nsd5FBC.tmp\WebApp\Css\css.rtl.css
%TEMP%\nsd5FBC.tmp\WebApp\Css\css.css
%TEMP%\nsd5FBC.tmp\WebApp\Css\PIE.htc
%TEMP%\nsd5FBC.tmp\WebApp\Css\Reset.css
%TEMP%\nsd5FBC.tmp\DownloadACC.exe
%TEMP%\nsd5FBC.tmp\WebApp\Failed.htm
%TEMP%\nsd5FBC.tmp\BI.exe
%TEMP%\nsd5FBC.tmp\System.dll
%TEMP%\nsd5FBC.tmp\webapphost.dll
%TEMP%\nsd5FBC.tmp\WebApp\ProgressBar.htm
%TEMP%\nsd5FBC.tmp\WebApp\Reset.css
%TEMP%\nsd5FBC.tmp\WebApp\PIE.htc
%TEMP%\nsd5FBC.tmp\WebApp\Loading.htm
%TEMP%\nsd5FBC.tmp\WebApp\NoneSilentSuccess.htm
%TEMP%\nsd5FBC.tmp\WebApp\Images\-.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\Nana10.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\NextButton_Sprite wide.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\InternetTurbo.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\InstallationFailed.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\InstallationSuccessful.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\button_grey_close.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\check-V.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\button.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\X.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\bla.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\4e9cf9e9-dc9b-4640-832e-afbf4f2d0e5d.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\BG.png
%TEMP%\nst64BC.tmp\inetc.dll
%TEMP%\nsd5FBC.tmp\WebApp\Images\01Net-Logo.jpg
%TEMP%\nsd5FBC.tmp\WebApp\Images\1JPJ.jpg
%TEMP%\nsd5FBC.tmp\WebApp\Images\CancelBG.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\CancelBGGoogleDialog.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\BrotherSoft.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\BoxBg.png
%TEMP%\nsd5FBC.tmp\WebApp\Images\BoxBgNew.png

Удаляет следующие файлы:

<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{eb225e7e-e27b-440e-b394-f6f547a7f393}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d6f13fc6-4024-4107-ae73-f082a2f332c7}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{cf2d55d3-1de0-4509-8048-92f92c10bf0f}\snapshot.etl
%TEMP%\nst64BC.tmp\a.txt
%TEMP%\nstAEC6.tmp\inetc.dll
%TEMP%\nstAEC6.tmp\a.txt
%TEMP%\nst64BC.tmp\inetc.dll
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{adae45d8-2fab-47b3-87a0-acd5d152faa8}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{0b280211-5916-4dd7-8521-bee7af2e037c}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{09648d42-70ce-46d6-9603-634534d5302a}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{00c7ec2b-f845-4ce8-95ad-bc99224dc312}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{25bf6d38-6790-4951-b1fc-9c298cae91d9}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{9d97096f-0f1f-40ee-91c3-2b8d19406a68}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{694db6cc-ebd3-451d-9194-c6db60200fe1}\snapshot.etl
<SYSTEM32>\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{666f76b6-7a73-4d8f-9230-ae4cd9be13a6}\snapshot.etl

Сетевая активность:

Подключается к:

'aj##.#oogleapis.com':80
'cm#.########tionengine.conduit-services.com':80
'ud#.###duit-data.com':80
'localhost':56336
'of######.#######.distributionengine.conduit-services.com':80

TCP:

Запросы HTTP GET:

cm#.########tionengine.conduit-services.com//MainOffer/551529/?Cu##############################################
aj##.#oogleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

Запросы HTTP POST:

ud#.###duit-data.com/

UDP:

DNS ASK cm#.########tionengine.conduit-services.com
DNS ASK aj##.#oogleapis.com
DNS ASK ud#.###duit-data.com
DNS ASK of######.#######.distributionengine.conduit-services.com
'22#.0.0.252':5355

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней