Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvc.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPlus.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'UpdateGenuis' = '%PROGRAM_FILES%\BreezeMedia\BreezePlayer\UpdateGenuis.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'BreezePlayer' = '%PROGRAM_FILES%\BreezeMedia\BreezePlayer\BreezePlayer.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'FirstSetting' = '%PROGRAM_FILES%\BreezeMedia\BreezePlayer\FirstSetting.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvcUI.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'MIUI32' = '<SYSTEM32>\MIUI32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmond.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBMon.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvMonXP.kxp] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.kxp] 'Debugger' = 'noexist.exist'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'Debugger' = 'noexist.exist'
Создает следующие файлы на съемном носителе:
- <Имя диска съемного носителя>:\USBoot.exe
- <Имя диска съемного носителя>:\Autorun.inf
Вредоносные функции:
Запускает на исполнение:
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPlus.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvc.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvcUI.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBMon.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmond.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvMonXP.kxp" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.kxp" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe" /v "Debugger" /t REG_SZ /d "noexist.exist" /f
Изменения в файловой системе:
Создает следующие файлы:
- <SYSTEM32>\Logonsvc.inf
- C:\Autorun.inf
- C:\USBoot.exe
- %PROGRAM_FILES%\BreezeMedia\BreezePlayer\BreezePlayer.exe
- <SYSTEM32>\MIUI32.exe
- %PROGRAM_FILES%\BreezeMedia\BreezePlayer\FirstSetting.exe
- %PROGRAM_FILES%\BreezeMedia\BreezePlayer\UpdateGenuis.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- <SYSTEM32>\Logonsvc.inf
- <SYSTEM32>\MIUI32.exe
