Trojan.PWS.Siggen1.8252

Техническая информация

Вредоносные функции:

Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Windows Live\Messenger\livecall.exe' = '%PROGRAM_FILES%\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Windows Live\Messenger\msnmsgr.exe' = '%PROGRAM_FILES%\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\ftp.exe' = '<SYSTEM32>\ftp.exe:*:Enabled:Logiciel de transfert de fichiers'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\Studio.exe' = '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\RM.exe' = '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Ares\Ares.exe' = '%PROGRAM_FILES%\Ares\Ares.exe:*:Enabled:Ares p2p for windows'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Bureau\repeater_SSL.exe' = 'C:\Documents and Settings\Amine-Info\Bureau\repeater_SSL.exe:*:Enabled:repeater_SSL'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Bureau\Vnc\vncviewer_ssl.exe' = 'C:\Documents and Settings\Amine-Info\Bureau\Vnc\vncviewer_ssl.exe:*:Enabled:vncviewer_ssl'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Bureau\Vnc\repeater_SSL.exe' = 'C:\Documents and Settings\Amine-Info\Bureau\Vnc\repeater_SSL.exe:*:Enabled:repeater_SSL'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\IVT Corporation\BlueSoleil\BlueSoleilCS.exe' = '%PROGRAM_FILES%\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:*:Enabled:BlueSoleilCS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\iMesh Applications\iMesh\iMesh.exe' = '%PROGRAM_FILES%\iMesh Applications\iMesh\iMesh.exe:*:Enabled:iMesh'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Ubisoft\Far Cry 2\bin\FC2Launcher.exe' = '%PROGRAM_FILES%\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Ubisoft\Far Cry 2\bin\FarCry2.exe' = '%PROGRAM_FILES%\Ubisoft\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Ubisoft\Far Cry 2\bin\FC2Editor.exe' = '%PROGRAM_FILES%\Ubisoft\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editeur'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\PnkBstrB.exe' = '<SYSTEM32>\PnkBstrB.exe:*:Enabled:PnkBstrB'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\PnkBstrA.exe' = '<SYSTEM32>\PnkBstrA.exe:*:Enabled:PnkBstrA'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Valve\hl.exe' = '%PROGRAM_FILES%\Valve\hl.exe:*:Enabled:Half-Life Launcher'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\umi.exe' = '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\PMSRegisterFile.exe' = '%PROGRAM_FILES%\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\CCP Server 5\ccpsrv.exe' = '%PROGRAM_FILES%\CCP Server 5\ccpsrv.exe:*:Enabled:CyberCafePro Main Control Station'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\RealVNC\VNC4\winvnc4.exe' = '%PROGRAM_FILES%\RealVNC\VNC4\winvnc4.exe:*:Enabled:VNC Server'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Pinnacle\Shared Files\Programs\MediaManager\PMSManager.exe' = '%PROGRAM_FILES%\Pinnacle\Shared Files\Programs\MediaManager\PMSManager.exe:*:Enabled:PMSManager'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Bureau\Vnc\winvnc.exe' = 'C:\Documents and Settings\Amine-Info\Bureau\Vnc\winvnc.exe:*:Enabled:winvnc'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\BitTorrent\bittorrent.exe' = '%PROGRAM_FILES%\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\DNA\btdna.exe' = '%PROGRAM_FILES%\DNA\btdna.exe:*:Enabled:DNA'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Messenger\msmsgs.exe' = '%PROGRAM_FILES%\Messenger\msmsgs.exe:*:Enabled:Windows Messenger'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\KWorld Multimedia\DVBS\DVBS.EXE' = '%PROGRAM_FILES%\KWorld Multimedia\DVBS\DVBS.EXE:*:Enabled:DVBS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Microsoft Office\Office12\OUTLOOK.EXE' = '%PROGRAM_FILES%\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%windir%\Network Diagnostic\xpnetdiag.exe' = '%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'E:\winrar_v4.1.65 by amine info.exe' = 'E:\winrar_v4.1.65 by amine info.exe:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\sessmgr.exe' = '<SYSTEM32>\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Bureau\Amine Info\RemoteTightVNC\WinVNC.exe' = 'C:\Documents and Settings\Amine-Info\Bureau\Amine Info\RemoteTightVNC\WinVNC.exe:*:Enabled:WinVNC'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\BearShare Applications\BearShare\BearShare.exe' = '%PROGRAM_FILES%\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\ORL\VNC\WinVNC.exe' = '%PROGRAM_FILES%\ORL\VNC\WinVNC.exe:*:Enabled:WinVNC'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Mes documents\Downloads\Programs\NVC.exe' = 'C:\Documents and Settings\Amine-Info\Mes documents\Downloads\Programs\NVC.exe:*:Enabled:NVC'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Symantec\pcAnywhere\awhost32.exe' = '%PROGRAM_FILES%\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Mes documents\Downloads\TeamViewer.exe' = 'C:\Documents and Settings\Amine-Info\Mes documents\Downloads\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\MSNImport.exe' = '%WINDIR%\MSNImport.exe:*:Enabled:MSN Content Installer'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Yahoo!\Messenger\YahooMessenger.exe' = '%PROGRAM_FILES%\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\Bureau\Amine Info\Midnight\mc2.exe' = 'C:\Documents and Settings\Amine-Info\Bureau\Amine Info\Midnight\mc2.exe:*:Enabled:mc2'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Documents and Settings\Amine-Info\temp\TeamViewer3\TeamViewer.exe' = 'C:\Documents and Settings\Amine-Info\temp\TeamViewer3\TeamViewer.exe:*:Enabled:Application de pilotage à distance TeamViewer'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Mozilla Firefox\firefox.exe' = '%PROGRAM_FILES%\Mozilla Firefox\firefox.exe:*:Enabled:Firefox'

Создает и запускает на исполнение:

'%WINDIR%\hack\steal04.exe' /shtml "Hack4.htm"
'%WINDIR%\hack\Nircmd.exe' execmd steal05.exe /shtml "hack5.htm"
'%WINDIR%\hack\steal03.exe' /shtml "Hack3.htm"
'%WINDIR%\hack\steal06.exe' /shtml "Victime/27/ 0Th-17h29m30s2.htm"
'%WINDIR%\hack\steal05.exe' /shtml "hack5.htm"
'%WINDIR%\hack\Nircmd.exe' execmd steal06.exe /shtml "Victime/27/ 0Th-17h29m30s2.htm"
'%WINDIR%\hack\Steal01.exe' /shtml "Hack1.htm"
'%WINDIR%\hack\Nircmd.exe' execmd steal02.exe /shtml "Hack2.htm"
'%WINDIR%\hack\Nircmd.exe' execmd steal01.exe /shtml "Hack1.htm"
'%WINDIR%\hack\Nircmd.exe' execmd steal04.exe /shtml "Hack4.htm"
'%WINDIR%\hack\steal02.exe' /shtml "Hack2.htm"
'%WINDIR%\hack\Nircmd.exe' execmd steal03.exe /shtml "Hack3.htm"

Запускает на исполнение:

'%WINDIR%\regedit.exe' /s desactive_firwall.reg
'<SYSTEM32>\ftp.exe' -n -i -s:Hack.test
'%WINDIR%\regedit.exe' /s enable_firwall.reg
'<SYSTEM32>\ping.exe' 1.1.1.1 -n 1 -w 3000
'<SYSTEM32>\wscript.exe' "%WINDIR%\hack\hide.vbs"
'<SYSTEM32>\cmd.exe' /c ""%WINDIR%\hack\Psave.bat" "
'<SYSTEM32>\ping.exe' 1.1.1.1 -n 1 -w 4000

Ищет ветки реестра, отвечающие за хранение паролей сторонними программами:

[<HKLM>\Software\Mirabilis\ICQ\NewOwners]
[<HKCU>\Software\Yahoo\Pager]
[<HKCU>\Software\AIM\AIMPRO]
[<HKCU>\Software\Paltalk]
[<HKCU>\Software\Google\Google Talk\Accounts]
[<HKCU>\Software\Mirabilis\ICQ\NewOwners]
[<HKCU>\Software\Microsoft\MSNMessenger]
[<HKLM>\Software\Miranda]
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
[<HKCU>\Software\America Online\AIM6\Passwords]
[<HKCU>\Software\Microsoft\IdentityCRL]
[<HKCU>\Software\Microsoft\MessengerService]

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\hack\Hack.test
%WINDIR%\hack\Hack1.htm
%WINDIR%\hack\enable_firwall.reg
%WINDIR%\hack\Psave.bat
%WINDIR%\hack\Hack4.htm
%WINDIR%\hack\hack5.htm
%WINDIR%\hack\Hack2.htm
%WINDIR%\hack\Hack3.htm
%WINDIR%\hack\desactive_firwall.reg
%WINDIR%\hack\Steal01.exe
%WINDIR%\hack\steal02.exe
%WINDIR%\hack\hide.vbs
%WINDIR%\hack\Nircmd.exe
%WINDIR%\hack\steal05.exe
%WINDIR%\hack\steal06.exe
%WINDIR%\hack\steal03.exe
%WINDIR%\hack\steal04.exe

Удаляет следующие файлы:

%WINDIR%\hack\Hack4.htm
%WINDIR%\hack\hack5.htm
%WINDIR%\hack\Hack3.htm
%WINDIR%\hack\Hack1.htm
%WINDIR%\hack\Hack2.htm

Сетевая активность:

Подключается к:

'am######ouka.freehostia.com':21
'localhost':1039

UDP:

DNS ASK am######ouka.freehostia.com

Другое:

Ищет следующие окна:

ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'EDIT' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней