Trojan.MulDrop21.1910

Добавлен в вирусную базу Dr.Web: 2022-10-18

Описание добавлено: 2022-10-20

Техническая информация

Для обеспечения автозапуска и распространения

Модифицирует следующие ключи реестра

[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...

Устанавливает следующие настройки сервисов

[<HKLM>\System\CurrentControlSet\Services\Dhcp] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\DPS] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\lmhosts] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\NlaSvc] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\nsi] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\Winmgmt] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\Wlansvc] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\BFE] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\Dnscache] 'Start' = '00000002'

Вредоносные функции

Завершает или пытается завершить

следующие системные процессы:

<SYSTEM32>\cmd.exe

Изменения в файловой системе

Создает следующие файлы

%TEMP%\e1d6.tmp\e1d7.tmp\e1d8.bat

Удаляет следующие файлы

%TEMP%\e1d6.tmp\e1d7.tmp\e1d8.bat

Другое

Запускает на исполнение

'<SYSTEM32>\cmd.exe' /c "%TEMP%\E1D6.tmp\E1D7.tmp\E1D8.bat <Полный путь к файлу>"
'<SYSTEM32>\net.exe' start Wcmsvc
'<SYSTEM32>\net1.exe' start Wcmsvc
'<SYSTEM32>\net.exe' start RmSvc
'<SYSTEM32>\net1.exe' start RmSvc
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=0 call disable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=1 call disable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=2 call disable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=3 call disable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=4 call disable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=5 call disable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=0 call enable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=1 call enable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=2 call enable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=3 call enable
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=5 call enable
'<SYSTEM32>\ipconfig.exe' /release
'<SYSTEM32>\arp.exe' -d *
'<SYSTEM32>\route.exe' -f
'<SYSTEM32>\nbtstat.exe' -R
'<SYSTEM32>\nbtstat.exe' -RR
'<SYSTEM32>\netcfg.exe' -d
'<SYSTEM32>\netsh.exe' winsock reset
'<SYSTEM32>\netsh.exe' int 6to4 reset all
'<SYSTEM32>\netsh.exe' int httpstunnel reset all
'<SYSTEM32>\netsh.exe' int ip reset
'<SYSTEM32>\netsh.exe' int isatap reset all
'<SYSTEM32>\netsh.exe' int portproxy reset all
'<SYSTEM32>\netsh.exe' int tcp reset all
'<SYSTEM32>\netsh.exe' int teredo reset all
'<SYSTEM32>\netsh.exe' branchcache reset
'<SYSTEM32>\net1.exe' start Dhcp
'<SYSTEM32>\wbem\wmic.exe' path win32_networkadapter where index=4 call enable
'<SYSTEM32>\net.exe' start Dhcp
'<SYSTEM32>\sc.exe' config WlanSvc start= auto
'<SYSTEM32>\sc.exe' config LanmanWorkstation start= demand
'<SYSTEM32>\sc.exe' config WdiServiceHost start= demand
'<SYSTEM32>\sc.exe' config NcbService start= demand
'<SYSTEM32>\sc.exe' config ndu start= demand
'<SYSTEM32>\sc.exe' config Netman start= demand
'<SYSTEM32>\sc.exe' config netprofm start= demand
'<SYSTEM32>\sc.exe' config Dhcp start= auto
'<SYSTEM32>\sc.exe' config DPS start= auto
'<SYSTEM32>\sc.exe' config lmhosts start= auto
'<SYSTEM32>\sc.exe' config NlaSvc start= auto
'<SYSTEM32>\sc.exe' config nsi start= auto
'<SYSTEM32>\sc.exe' config RmSvc start= auto
'<SYSTEM32>\sc.exe' config Wcmsvc start= auto
'<SYSTEM32>\sc.exe' config Winmgmt start= auto
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Enable
'<SYSTEM32>\net.exe' start NlaSvc
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Enable
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Enable
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Enable
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Enable
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Enable
'<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
'<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "2" /f
'<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /f
'<SYSTEM32>\net.exe' start DPS
'<SYSTEM32>\net1.exe' start DPS
'<SYSTEM32>\net.exe' start nsi
'<SYSTEM32>\net1.exe' start nsi
'<SYSTEM32>\net1.exe' start NlaSvc
'<SYSTEM32>\ipconfig.exe' /renew

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней