Trojan.AVKill.33646

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinDbg.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfw.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccApp.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTray.exe] 'Debugger' = 'c:\\ОТ.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe] 'Debugger' = 'c:\\ОТ.exe'

Вредоносные функции:

Создает и запускает на исполнение:

'C:\update.exe'
'C:\xzz.css'
'C:\cc1.exe'
'<Текущая директория>\ycjh197.exe'
'<SYSTEM32>\jh.exe'
'C:\xzz.css' (загружен из сети Интернет)
'C:\cc1.exe' (загружен из сети Интернет)
'C:\update.exe' (загружен из сети Интернет)

Запускает на исполнение:

'<SYSTEM32>\taskkill.exe' /im 360tray.exe /f
'<SYSTEM32>\taskkill.exe' /im 360safe.exe /f

Внедряет код в

следующие системные процессы:

%WINDIR%\Explorer.EXE

Завершает или пытается завершить

следующие пользовательские процессы:

360tray.exe

Изменения в файловой системе:

Создает следующие файлы:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\update[1].exe
C:\cc1.exe
C:\update.exe
C:\xzz.css
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\xzz[1].css
%TEMP%\MBX@AF8@392528.###
<Текущая директория>\ycjh197.exe
%TEMP%\MBX@AF8@392518.###
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\jh[1].exe
<SYSTEM32>\jh.exe

Присваивает атрибут 'скрытый' для следующих файлов:

<Текущая директория>\ycjh197.exe

Сетевая активность:

Подключается к:

'localhost':1039
'so##969.cn':80
'localhost':1036

TCP:

Запросы HTTP GET:

so##969.cn/xzz.css
so##969.cn/update.exe
so##969.cn/jh.exe

UDP:

DNS ASK so##969.cn

Другое:

Ищет следующие окна:

ClassName: 'IEFrame' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: '(null)' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней