Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,68,61,72,64,70,6f,6c,5c,68,61,72,64,70,6f,6c,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,...'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,68,61,72,64,70,6f,6c,5c,68,61,72,64,70,6f,6c,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,...'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,68,61,72,64,70,6f,6c,5c,68,61,72,64,70,6f,6c,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,...'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,68,61,72,64,70,6f,6c,5c,68,61,72,64,70,6f,6c,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,...'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,68,61,72,64,70,6f,6c,5c,68,61,72,64,70,6f,6c,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,...'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\NetHomeIDE] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\baidu\msfsg.exe' md5 -s newnetgar.dll -d newnetgar.dll
- '%PROGRAM_FILES%\baidu\msfsg.exe' md5 -s sumpod-nos.sys -d sumpod-nos.sys
- '%PROGRAM_FILES%\baidu\dsetup.exe' install
- '%PROGRAM_FILES%\baidu\msfsg.exe' md5 -s spass.dll -d spass.dll
- '%TEMP%\is-61431.tmp\<Имя вируса>.tmp' /SL5="$30092,822994,54272,<Полный путь к вирусу>"
- '%PROGRAM_FILES%\baidu\msfsg.exe' md5 -s passthru.dll -d passthru.dll
- '%PROGRAM_FILES%\baidu\msfsg.exe' md5 -s dsetup.exe -d dsetup.exe
Запускает на исполнение:
- '<SYSTEM32>\svchost.exe' -k mysysgroup3
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\idecomp.dll RundllInstall NetHomeIDE
- '<SYSTEM32>\runonce.exe' -r
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\inf\oem3.inf
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %WINDIR%\inf\oem4.inf
- %WINDIR%\inf\oem3.PNF
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %PROGRAM_FILES%\baidu\sumpod-nos.sys
- %PROGRAM_FILES%\baidu\newnetgar.dll
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\9558c923-026a-44f8-b5f2-2f97c9a42663
- <SYSTEM32>\hardpol\hardpol.dll
- <SYSTEM32>\idecomp.dll
- <DRIVERS>\sumpod.sys
- <SYSTEM32>\hardpol\MyIEData\SysDat.bin
- %APPDATA%\MyIEData\main.ini
- %WINDIR%\inf\INFCACHE.0
- %WINDIR%\inf\oem4.PNF
- <DRIVERS>\SET6.tmp
- <SYSTEM32>\SET5.tmp
- %PROGRAM_FILES%\baidu\is-L52D5.tmp
- %PROGRAM_FILES%\baidu\is-HJRRP.tmp
- %PROGRAM_FILES%\baidu\is-P0CJF.tmp
- %PROGRAM_FILES%\baidu\is-PCBL5.tmp
- %PROGRAM_FILES%\baidu\is-O8F1V.tmp
- %TEMP%\is-1I7A8.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-61431.tmp\<Имя вируса>.tmp
- %TEMP%\is-1I7A8.tmp\spass.dll
- %TEMP%\is-1I7A8.tmp\_isetup\_shfoldr.dll
- %PROGRAM_FILES%\baidu\passthru.dll
- <SYSTEM32>\hardpol\MyIEData\main.ini
- %PROGRAM_FILES%\baidu\spass.dll
- %PROGRAM_FILES%\baidu\dsetup.exe
- %PROGRAM_FILES%\baidu\is-3H426.tmp
- %PROGRAM_FILES%\baidu\is-5MD8Q.tmp
- %PROGRAM_FILES%\baidu\is-OGMQA.tmp
- %PROGRAM_FILES%\baidu\is-EN8T8.tmp
- %PROGRAM_FILES%\baidu\is-9BMEG.tmp
Удаляет следующие файлы:
- %PROGRAM_FILES%\baidu\sumpod-nos.sys
- %PROGRAM_FILES%\baidu\SysDat.bin
- %PROGRAM_FILES%\baidu\netsf_m.inf
- %TEMP%\is-1I7A8.tmp\spass.dll
- %TEMP%\is-61431.tmp\<Имя вируса>.tmp
- %TEMP%\is-1I7A8.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-1I7A8.tmp\_isetup\_RegDLL.tmp
- %PROGRAM_FILES%\baidu\msfsg.exe
- %PROGRAM_FILES%\baidu\dsetup.exe
- %PROGRAM_FILES%\baidu\spass.dll
- %PROGRAM_FILES%\baidu\passthru.dll
- %PROGRAM_FILES%\baidu\netsf.inf
- %PROGRAM_FILES%\baidu\newnetgar.dll
- %PROGRAM_FILES%\baidu\sumpod.sys
Перемещает следующие системные файлы:
- %WINDIR%\inf\INFCACHE.2 в %WINDIR%\inf\OLDCACHE.000
- %WINDIR%\inf\INFCACHE.1 в %WINDIR%\inf\INFCACHE.2
Перемещает следующие файлы:
- %PROGRAM_FILES%\baidu\is-EN8T8.tmp в %PROGRAM_FILES%\baidu\netsf_m.inf
- %PROGRAM_FILES%\baidu\is-9BMEG.tmp в %PROGRAM_FILES%\baidu\netsf.inf
- %PROGRAM_FILES%\baidu\is-5MD8Q.tmp в %PROGRAM_FILES%\baidu\msfsg.exe
- <DRIVERS>\SET6.tmp в <DRIVERS>\sumpod.sys
- <SYSTEM32>\SET5.tmp в <SYSTEM32>\passthru.dll
- %PROGRAM_FILES%\baidu\is-3H426.tmp в %PROGRAM_FILES%\baidu\SysDat.bin
- %PROGRAM_FILES%\baidu\is-L52D5.tmp в %PROGRAM_FILES%\baidu\sumpod.sys
- %PROGRAM_FILES%\baidu\is-HJRRP.tmp в %PROGRAM_FILES%\baidu\dsetup.exe
- %PROGRAM_FILES%\baidu\is-O8F1V.tmp в %PROGRAM_FILES%\baidu\passthru.dll
- %PROGRAM_FILES%\baidu\is-OGMQA.tmp в %PROGRAM_FILES%\baidu\spass.dll
- %PROGRAM_FILES%\baidu\is-P0CJF.tmp в %PROGRAM_FILES%\baidu\newnetgar.dll
- %PROGRAM_FILES%\baidu\is-PCBL5.tmp в %PROGRAM_FILES%\baidu\sumpod-nos.sys
Сетевая активность:
UDP:
- 'localhost':1044
- '23#.#55.255.250':1900
Другое:
Ищет следующие окна:
- ClassName: '(null)' WindowName: '??????...'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
