Tool.Siggen.6796

Техническая информация

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует:

Компонент восстановления системы (SR)
Cредство проверки системных файлов (SFC)

Запускает на исполнение:

'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS" /v CPUPriority /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS" /v PCIConcur /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS" /v FastDRAM /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer" /v link /t REG_BINARY /d 00000000 /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareWks /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS" /v AGPConcu /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' delete "HKEY_CLASSES_ROOT\piffile" /v IsShortcut /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Control Panel\Desktop" /v MenuShowDelay /t REG_SZ /d 40 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" /v ConfigFileAllocSize /t REG_DWORD /d 000001f4 /f
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /d 0 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v WaitToKillServiceTimeout /t REG_SZ /d 1000 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace" /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update" /v UpdateMode /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v DoReport /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\{2227A280-3AEA-1069-A2DE-08002B30309D}" /ve /t REG_SZ /d Printers /f
'<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareServer /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\Select" /v LastKnownGood /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ReportBootOk /t REG_SZ /d 0 /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Control Panel\Desktop" /v FontSmoothingType /t REG_DWORD /d 00000002 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoLowDiskSpaceChecks /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /f
'<SYSTEM32>\reg.exe' Add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FD052FB9-FE90-4438-B355-15EDC89D8FB1} /F
'<SYSTEM32>\mmc.exe' "<SYSTEM32>\devmgmt.msc"
'<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" /f
'<SYSTEM32>\reg.exe' Add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B578C85A-A84C-4230-A177-C5B2AF565B8C} /F
'<SYSTEM32>\net1.exe' share E$ /delete
'<SYSTEM32>\net1.exe' share Z$ /delete
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 0 /f
'<SYSTEM32>\net1.exe' share C$ /delete
'<SYSTEM32>\net1.exe' share admin$ /delete
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v DefaultValue /t REG_DWORD /D 1 /f /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Control Panel\Desktop" /v FontSmoothing /d 1 /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v ForceClassicControlPanel /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v DefaultApplied /t REG_DWORD /D 1 /f /f
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v AlwaysUnloadDLL /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add "HKCU\SYSTEM\CurrentControlSet\Control" /v WaitToKillAppTimeout /t REG_SZ /d 500 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d 0 /f
'<SYSTEM32>\reg.exe' add "HKCU\SYSTEM\CurrentControlSet\Control" /v AutoEndTasks /t REG_SZ /d 1 /f
'<SYSTEM32>\reg.exe' add "HKCU\SYSTEM\CurrentControlSet\Control" /v HungAppTimeout /t REG_SZ /d 200 /f
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoLowDiskSpaceChecks /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1806 /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState" /v "Use Search Asst" /t REG_SZ /d no /f
'<SYSTEM32>\reg.exe' add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer" /v Link /t REG_BINARY /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v Link /t REG_BINARY /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKUS\.DEFAULT\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "46" /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTaskGrouping" /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKUS\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f
'<SYSTEM32>\reg.exe' add "HKUS\.DEFAULT\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LockTaskbar" /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 200 /f
'<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 500 /f
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
'<SYSTEM32>\reg.exe' add "HKCU\Console" /v LoadConIme /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d ffffff9d /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLowDiskSpaceChecks /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowStatusBar /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction" /v Enable /t REG_SZ /d Y /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarGlomming /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 00000001 /f
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 1000 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarGlomming /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v MaxConnectionsPerServer /t REG_DWORD /d 9 /f
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAcessUpdate /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v MaxConnectionsPer1_0Server /t REG_DWORD /d 9 /f
'<SYSTEM32>\gpupdate.exe' /force
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders" /f
'<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /f
'<SYSTEM32>\rundll32.exe' USER32.DLL,UpdatePerUserSystemParameters
'<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v AlwaysUnloadDLL /t REG_DWORD /d 00000001 /f

Изменяет следующие настройки браузера Windows Internet Explorer:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1806' = '00000000'

Изменения в файловой системе:

Создает следующие файлы:

%TEMP%\~1.bat

Присваивает атрибут 'скрытый' для следующих файлов:

%TEMP%\~1.bat

Удаляет следующие файлы:

<SYSTEM32>\CatRoot2\edb00010.log
<SYSTEM32>\CatRoot2\edb00011.log
<SYSTEM32>\CatRoot2\edb0000F.log
<SYSTEM32>\CatRoot2\edb0000D.log
<SYSTEM32>\CatRoot2\edb0000E.log
<SYSTEM32>\CatRoot2\edb00015.log
<SYSTEM32>\CatRoot2\edb00016.log
<SYSTEM32>\CatRoot2\edb00014.log
<SYSTEM32>\CatRoot2\edb00012.log
<SYSTEM32>\CatRoot2\edb00013.log
%WINDIR%\security\logs\SceRoot.log
%WINDIR%\security\logs\scesetup.log
%WINDIR%\security\logs\backup.log
%WINDIR%\pchealth\helpctr\Logs\hcupdate.log
%WINDIR%\repair\setup.log
%WINDIR%\SoftwareDistribution\DataStore\Logs\res2.log
<SYSTEM32>\CatRoot2\edb.log
%WINDIR%\SoftwareDistribution\DataStore\Logs\res1.log
%WINDIR%\SoftwareDistribution\ReportingEvents.log
%WINDIR%\SoftwareDistribution\DataStore\Logs\edb.log
<SYSTEM32>\wbem\Logs\wmiprov.log
%WINDIR%\SoftwareDistribution\DataStore\Logs\edb.chk
<SYSTEM32>\wbem\Logs\wmiadap.log
<SYSTEM32>\wbem\Logs\wbemess.log
<SYSTEM32>\wbem\Logs\wbemprox.log
%WINDIR%\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
<SYSTEM32>\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.bak
%WINDIR%\imsins.BAK
<SYSTEM32>\CatRoot2\edb.chk
%WINDIR%\REGLOCS.OLD
<SYSTEM32>\MsDtc\MSDTC.LOG
<SYSTEM32>\MsDtc\Trace\dtctrace.log
<SYSTEM32>\CatRoot2\res2.log
<SYSTEM32>\CatRoot2\edb00017.log
<SYSTEM32>\CatRoot2\res1.log
<SYSTEM32>\wbem\Logs\setup.log
<SYSTEM32>\wbem\Logs\wbemcore.log
<SYSTEM32>\wbem\Logs\replog.log
<SYSTEM32>\wbem\Logs\FrameWork.log
<SYSTEM32>\wbem\Logs\mofcomp.log
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
%WINDIR%\MedCtrOC.log
%WINDIR%\msgsocm.log
%WINDIR%\KB942288-v3.log
%WINDIR%\iis6.log
%WINDIR%\imsins.log
%WINDIR%\ocgen.log
%WINDIR%\ocmsn.log
%WINDIR%\ntdtcsetup.log
%WINDIR%\msmqinst.log
%WINDIR%\netfxocm.log
<SYSTEM32>\CONFIG.TMP
%WINDIR%\0.log
%WINDIR%\SET8.tmp
%WINDIR%\SET3.tmp
%WINDIR%\SET4.tmp
%WINDIR%\DtcInstall.log
%WINDIR%\FaxSetup.log
%WINDIR%\comsetup.log
%WINDIR%\cmsetacl.log
%WINDIR%\COM+.log
%WINDIR%\wmsetup.log
%WINDIR%\Debug\blastcln.log
%WINDIR%\WindowsUpdate.log
%WINDIR%\wiadebug.log
%WINDIR%\wiaservc.log
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen.log
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngen.log
%WINDIR%\Debug\NetSetup.LOG
%WINDIR%\Debug\UserMode\userenv.log
%WINDIR%\setupapi.log
%WINDIR%\setuperr.log
%WINDIR%\setupact.log
%WINDIR%\regopt.log
%WINDIR%\sessmgr.setup.log
%WINDIR%\tsoc.log
%WINDIR%\updspapi.log
%WINDIR%\tabletoc.log
%WINDIR%\spupdsvc.log
%WINDIR%\Sti_Trace.log

Другое:

Ищет следующие окна:

ClassName: 'Shell_TrayWnd' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней