Trojan.Virtumod.13849

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'zyiej' = '%HOMEPATH%\zyiej\start.vbs'

Вредоносные функции:

Создает и запускает на исполнение:

'%HOMEPATH%\zyiej\wmhx.exe' 8666088.ZIV

Запускает на исполнение:

'<SYSTEM32>\taskkill.exe' /IM mshta.exe
'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
'<SYSTEM32>\wscript.exe' "%HOMEPATH%\zyiej\1107559.vbs"
'<SYSTEM32>\mshta.exe'

Внедряет код в

следующие системные процессы:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Изменения в файловой системе:

Создает следующие файлы:

%HOMEPATH%\zyiej\64586.aof
%HOMEPATH%\zyiej\63415.pjz
%HOMEPATH%\zyiej\32589.neo
%HOMEPATH%\zyiej\58253.lvo
%HOMEPATH%\zyiej\91122.eut
%HOMEPATH%\zyiej\13519.mua
%HOMEPATH%\zyiej\73576.cfv
%HOMEPATH%\zyiej\34580.hlu
%HOMEPATH%\zyiej\11346.fzp
%HOMEPATH%\zyiej\18346.avh
%HOMEPATH%\zyiej\62537.skh
%HOMEPATH%\zyiej\97917.lib
%HOMEPATH%\zyiej\50586.iwm
%HOMEPATH%\zyiej\79396.axy
%HOMEPATH%\zyiej\6649.sjl
%HOMEPATH%\zyiej\88987.jrm
%HOMEPATH%\zyiej\86501.aqq
%HOMEPATH%\zyiej\3538.iqh
%HOMEPATH%\zyiej\18597.wop
%HOMEPATH%\zyiej\59426.vlm
%HOMEPATH%\zyiej\36500.xal
%HOMEPATH%\zyiej\50469.gqa
%HOMEPATH%\zyiej\48851.ohg
%HOMEPATH%\zyiej\92451.gge
%HOMEPATH%\zyiej\14866.cwe
%HOMEPATH%\zyiej\91353.nlv
%HOMEPATH%\zyiej\11304.ygw
%HOMEPATH%\zyiej\65763.vjv
%HOMEPATH%\zyiej\19282.vzp
%HOMEPATH%\zyiej\58332.vfm
%HOMEPATH%\zyiej\72624.xtt
%HOMEPATH%\zyiej\9305.qep
%HOMEPATH%\zyiej\28254.aoi
%HOMEPATH%\zyiej\53143.ors
%HOMEPATH%\zyiej\14348.ffz
%HOMEPATH%\zyiej\71383.pav
%HOMEPATH%\zyiej\41198.wvm
%HOMEPATH%\zyiej\15594.tuu
%HOMEPATH%\zyiej\60584.rwl
%HOMEPATH%\zyiej\45869.rgn
%HOMEPATH%\zyiej\69715.ijb
%HOMEPATH%\zyiej\9167.szh
%HOMEPATH%\zyiej\88057.pzh
%HOMEPATH%\zyiej\79435.yes
%HOMEPATH%\zyiej\60974.uif
%HOMEPATH%\zyiej\64769.lkj
%HOMEPATH%\zyiej\63197.epe
%HOMEPATH%\zyiej\77226.ibx
%HOMEPATH%\zyiej\94718.zwt
%HOMEPATH%\zyiej\45982.yno
%HOMEPATH%\zyiej\60042.pms
%HOMEPATH%\zyiej\start.cmd
%HOMEPATH%\zyiej\92047.mzy
%HOMEPATH%\zyiej\start.vbs
%APPDATA%\Microsoft\Windows\Cm0nRmndlD\Cm0nRmndlD.svr
%APPDATA%\Microsoft\Windows\Cm0nRmndlD\Cm0nRmndlD.nfo
%HOMEPATH%\zyiej\56496.woh
%HOMEPATH%\zyiej\19942.zsb
%HOMEPATH%\zyiej\53467.wfu
%HOMEPATH%\zyiej\4658.fbt
%HOMEPATH%\zyiej\70595.abo
%HOMEPATH%\zyiej\28690.hmn
%HOMEPATH%\zyiej\17594.qkt
%HOMEPATH%\zyiej\95967.hqo
%HOMEPATH%\zyiej\73632.csg
%HOMEPATH%\zyiej\62994.lra
%HOMEPATH%\zyiej\93395.ttt
%HOMEPATH%\zyiej\56986.lri
%HOMEPATH%\zyiej\16917.hlv
%HOMEPATH%\zyiej\50515.hqs
%HOMEPATH%\zyiej\77036.wrv
%HOMEPATH%\zyiej\49460.ehv
%HOMEPATH%\zyiej\84611.kub
%HOMEPATH%\zyiej\31153.koh
%HOMEPATH%\zyiej\39693.svl
%HOMEPATH%\zyiej\26700.iqi
%HOMEPATH%\zyiej\76772.hej
%HOMEPATH%\zyiej\58123.lwf
%HOMEPATH%\zyiej\25552.gqx
%HOMEPATH%\zyiej\26151.got
%HOMEPATH%\zyiej\39150.xqk
%HOMEPATH%\zyiej\66909.dvu
%HOMEPATH%\zyiej\10214.lwp
%HOMEPATH%\zyiej\13207.kiw
%HOMEPATH%\zyiej\73013.pgq
%HOMEPATH%\zyiej\90654.iwg
%HOMEPATH%\zyiej\98680.bge
%HOMEPATH%\zyiej\85566.ylo
%HOMEPATH%\zyiej\3542.aqm
%HOMEPATH%\zyiej\62503.kwa
%HOMEPATH%\zyiej\26825.rcm
%HOMEPATH%\zyiej\69017.tbq
%HOMEPATH%\zyiej\66288.vkf
%HOMEPATH%\zyiej\78774.iya
%HOMEPATH%\zyiej\79250.hxj
%HOMEPATH%\zyiej\91132.bmh
%HOMEPATH%\zyiej\67302.rcr
%HOMEPATH%\zyiej\80338.kqi
%HOMEPATH%\zyiej\45032.wet
%HOMEPATH%\zyiej\24638.hax
%HOMEPATH%\zyiej\78216.rlk
%HOMEPATH%\zyiej\76913.zmu
%HOMEPATH%\zyiej\83732.tnw
%HOMEPATH%\zyiej\56532.jsb
%HOMEPATH%\zyiej\23213.wmn
%HOMEPATH%\zyiej\95544.cbf
%HOMEPATH%\zyiej\wmhx.exe
%HOMEPATH%\zyiej\27092.NEC
%HOMEPATH%\zyiej\1107559.vbs
%HOMEPATH%\zyiej\16726.QTT
%HOMEPATH%\zyiej\8666088.ZIV
%HOMEPATH%\zyiej\58553.eaj
%HOMEPATH%\zyiej\89043.kxf
%HOMEPATH%\zyiej\55439.tfv
%HOMEPATH%\zyiej\69451.cjb
%HOMEPATH%\zyiej\40172.mxw
%HOMEPATH%\zyiej\86371.wgk
%HOMEPATH%\zyiej\95351.uno
%HOMEPATH%\zyiej\17160.ueu
%HOMEPATH%\zyiej\73313.tgm
%HOMEPATH%\zyiej\90592.ifj
%HOMEPATH%\zyiej\94443.cmx
%HOMEPATH%\zyiej\56495.rkt
%HOMEPATH%\zyiej\79551.lea
%HOMEPATH%\zyiej\7474.cke
%HOMEPATH%\zyiej\30132.hqq
%HOMEPATH%\zyiej\1088.spu
%HOMEPATH%\zyiej\94546.lrj
%HOMEPATH%\zyiej\55915.rmp
%HOMEPATH%\zyiej\52261.ncz
%HOMEPATH%\zyiej\18118.hnn
%HOMEPATH%\zyiej\97311.gfm
%HOMEPATH%\zyiej\24603.fjx
%HOMEPATH%\zyiej\52281.yko
%HOMEPATH%\zyiej\16574.cri
%HOMEPATH%\zyiej\14191.blz
%HOMEPATH%\zyiej\66577.cit
%HOMEPATH%\zyiej\95544.dci
%HOMEPATH%\zyiej\77005.dhu
%HOMEPATH%\zyiej\81757.bha
%HOMEPATH%\zyiej\6225.zof
%HOMEPATH%\zyiej\42484.uof
%HOMEPATH%\zyiej\55527.zlg
%HOMEPATH%\zyiej\46214.ghk
%HOMEPATH%\zyiej\17891.bil
%HOMEPATH%\zyiej\19268.xaf
%HOMEPATH%\zyiej\46060.bnd
%HOMEPATH%\zyiej\26548.qdn
%HOMEPATH%\zyiej\56154.guj
%HOMEPATH%\zyiej\28745.cts
%HOMEPATH%\zyiej\52926.dkl
%HOMEPATH%\zyiej\28732.biq
%HOMEPATH%\zyiej\23707.ygd
%HOMEPATH%\zyiej\76101.fzn
%HOMEPATH%\zyiej\74493.enq
%HOMEPATH%\zyiej\94297.jnt
%HOMEPATH%\zyiej\39814.pze
%HOMEPATH%\zyiej\34418.uxk
%HOMEPATH%\zyiej\60146.fib
%HOMEPATH%\zyiej\72360.gwq
%HOMEPATH%\zyiej\91918.iap
%HOMEPATH%\zyiej\1608.efj

Присваивает атрибут 'скрытый' для следующих файлов:

%HOMEPATH%\zyiej\32589.neo
%HOMEPATH%\zyiej\64586.aof
%HOMEPATH%\zyiej\91122.eut
%HOMEPATH%\zyiej\86501.aqq
%HOMEPATH%\zyiej\58253.lvo
%HOMEPATH%\zyiej\34580.hlu
%HOMEPATH%\zyiej\13519.mua
%HOMEPATH%\zyiej\18346.avh
%HOMEPATH%\zyiej\63415.pjz
%HOMEPATH%\zyiej\11346.fzp
%HOMEPATH%\zyiej\50586.iwm
%HOMEPATH%\zyiej\62537.skh
%HOMEPATH%\zyiej\6649.sjl
%HOMEPATH%\zyiej\69715.ijb
%HOMEPATH%\zyiej\79396.axy
%HOMEPATH%\zyiej\3538.iqh
%HOMEPATH%\zyiej\88987.jrm
%HOMEPATH%\zyiej\59426.vlm
%HOMEPATH%\zyiej\97917.lib
%HOMEPATH%\zyiej\18597.wop
%HOMEPATH%\zyiej\48851.ohg
%HOMEPATH%\zyiej\36500.xal
%HOMEPATH%\zyiej\14866.cwe
%HOMEPATH%\zyiej\41198.wvm
%HOMEPATH%\zyiej\92451.gge
%HOMEPATH%\zyiej\65763.vjv
%HOMEPATH%\zyiej\91353.nlv
%HOMEPATH%\zyiej\58332.vfm
%HOMEPATH%\zyiej\50469.gqa
%HOMEPATH%\zyiej\19282.vzp
%HOMEPATH%\zyiej\28254.aoi
%HOMEPATH%\zyiej\72624.xtt
%HOMEPATH%\zyiej\14348.ffz
%HOMEPATH%\zyiej\73576.cfv
%HOMEPATH%\zyiej\53143.ors
%HOMEPATH%\zyiej\15594.tuu
%HOMEPATH%\zyiej\71383.pav
%HOMEPATH%\zyiej\45869.rgn
%HOMEPATH%\zyiej\9305.qep
%HOMEPATH%\zyiej\60584.rwl
%HOMEPATH%\zyiej\9167.szh
%HOMEPATH%\zyiej\88057.pzh
%HOMEPATH%\zyiej\79435.yes
%HOMEPATH%\zyiej\60974.uif
%HOMEPATH%\zyiej\64769.lkj
%HOMEPATH%\zyiej\63197.epe
%HOMEPATH%\zyiej\77226.ibx
%HOMEPATH%\zyiej\94718.zwt
%HOMEPATH%\zyiej\45982.yno
%HOMEPATH%\zyiej\60042.pms
%HOMEPATH%\zyiej\start.vbs
%HOMEPATH%\zyiej\92047.mzy
%HOMEPATH%\zyiej\start.cmd
%APPDATA%\Microsoft\Windows\Cm0nRmndlD\Cm0nRmndlD.svr
%APPDATA%\Microsoft\Windows\Cm0nRmndlD\Cm0nRmndlD.nfo
%HOMEPATH%\zyiej\56496.woh
%HOMEPATH%\zyiej\19942.zsb
%HOMEPATH%\zyiej\53467.wfu
%HOMEPATH%\zyiej\4658.fbt
%HOMEPATH%\zyiej\70595.abo
%HOMEPATH%\zyiej\28690.hmn
%HOMEPATH%\zyiej\17594.qkt
%HOMEPATH%\zyiej\95967.hqo
%HOMEPATH%\zyiej\73632.csg
%HOMEPATH%\zyiej\62994.lra
%HOMEPATH%\zyiej\93395.ttt
%HOMEPATH%\zyiej\56986.lri
%HOMEPATH%\zyiej\16917.hlv
%HOMEPATH%\zyiej\50515.hqs
%HOMEPATH%\zyiej\77036.wrv
%HOMEPATH%\zyiej\49460.ehv
%HOMEPATH%\zyiej\84611.kub
%HOMEPATH%\zyiej\31153.koh
%HOMEPATH%\zyiej\39693.svl
%HOMEPATH%\zyiej\26700.iqi
%HOMEPATH%\zyiej\76772.hej
%HOMEPATH%\zyiej\58123.lwf
%HOMEPATH%\zyiej\25552.gqx
%HOMEPATH%\zyiej\26151.got
%HOMEPATH%\zyiej\39150.xqk
%HOMEPATH%\zyiej\11304.ygw
%HOMEPATH%\zyiej\13207.kiw
%HOMEPATH%\zyiej\66909.dvu
%HOMEPATH%\zyiej\90654.iwg
%HOMEPATH%\zyiej\80338.kqi
%HOMEPATH%\zyiej\73013.pgq
%HOMEPATH%\zyiej\3542.aqm
%HOMEPATH%\zyiej\98680.bge
%HOMEPATH%\zyiej\26825.rcm
%HOMEPATH%\zyiej\10214.lwp
%HOMEPATH%\zyiej\62503.kwa
%HOMEPATH%\zyiej\78774.iya
%HOMEPATH%\zyiej\69017.tbq
%HOMEPATH%\zyiej\91132.bmh
%HOMEPATH%\zyiej\94443.cmx
%HOMEPATH%\zyiej\79250.hxj
%HOMEPATH%\zyiej\45032.wet
%HOMEPATH%\zyiej\67302.rcr
%HOMEPATH%\zyiej\78216.rlk
%HOMEPATH%\zyiej\66288.vkf
%HOMEPATH%\zyiej\24638.hax
%HOMEPATH%\zyiej\56532.jsb
%HOMEPATH%\zyiej\76913.zmu
%HOMEPATH%\zyiej\95544.cbf
%HOMEPATH%\zyiej\95351.uno
%HOMEPATH%\zyiej\23213.wmn
%HOMEPATH%\zyiej\wmhx.exe
%HOMEPATH%\zyiej\27092.NEC
%HOMEPATH%\zyiej\1107559.vbs
%HOMEPATH%\zyiej\83732.tnw
%HOMEPATH%\zyiej\8666088.ZIV
%HOMEPATH%\zyiej\55439.tfv
%HOMEPATH%\zyiej\58553.eaj
%HOMEPATH%\zyiej\40172.mxw
%HOMEPATH%\zyiej\85566.ylo
%HOMEPATH%\zyiej\69451.cjb
%HOMEPATH%\zyiej\17160.ueu
%HOMEPATH%\zyiej\86371.wgk
%HOMEPATH%\zyiej\90592.ifj
%HOMEPATH%\zyiej\89043.kxf
%HOMEPATH%\zyiej\73313.tgm
%HOMEPATH%\zyiej\56495.rkt
%HOMEPATH%\zyiej\79551.lea
%HOMEPATH%\zyiej\7474.cke
%HOMEPATH%\zyiej\30132.hqq
%HOMEPATH%\zyiej\1088.spu
%HOMEPATH%\zyiej\94546.lrj
%HOMEPATH%\zyiej\55915.rmp
%HOMEPATH%\zyiej\52261.ncz
%HOMEPATH%\zyiej\18118.hnn
%HOMEPATH%\zyiej\97311.gfm
%HOMEPATH%\zyiej\24603.fjx
%HOMEPATH%\zyiej\52281.yko
%HOMEPATH%\zyiej\16574.cri
%HOMEPATH%\zyiej\14191.blz
%HOMEPATH%\zyiej\66577.cit
%HOMEPATH%\zyiej\95544.dci
%HOMEPATH%\zyiej\77005.dhu
%HOMEPATH%\zyiej\81757.bha
%HOMEPATH%\zyiej\6225.zof
%HOMEPATH%\zyiej\42484.uof
%HOMEPATH%\zyiej\55527.zlg
%HOMEPATH%\zyiej\46214.ghk
%HOMEPATH%\zyiej\17891.bil
%HOMEPATH%\zyiej\19268.xaf
%HOMEPATH%\zyiej\46060.bnd
%HOMEPATH%\zyiej\26548.qdn
%HOMEPATH%\zyiej\56154.guj
%HOMEPATH%\zyiej\28745.cts
%HOMEPATH%\zyiej\52926.dkl
%HOMEPATH%\zyiej\28732.biq
%HOMEPATH%\zyiej\23707.ygd
%HOMEPATH%\zyiej\76101.fzn
%HOMEPATH%\zyiej\74493.enq
%HOMEPATH%\zyiej\94297.jnt
%HOMEPATH%\zyiej\39814.pze
%HOMEPATH%\zyiej\34418.uxk
%HOMEPATH%\zyiej\60146.fib
%HOMEPATH%\zyiej\72360.gwq
%HOMEPATH%\zyiej\91918.iap
%HOMEPATH%\zyiej\1608.efj

Удаляет следующие файлы:

%APPDATA%\Microsoft\Windows\Cm0nRmndlD\Cm0nRmndlD.svr

Сетевая активность:

Подключается к:

'pe#####mene.zapto.org':999
'localhost':1035

UDP:

DNS ASK pe#####mene.zapto.org

Другое:

Ищет следующие окна:

ClassName: '(null)' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'EDIT' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней