Техническая информация
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\adt\tpn\AVpnSrv.exe' -regserver
- '%PROGRAM_FILES%\adt\tpn\install.exe' 1
Запускает на исполнение:
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\regsvr32.exe' "%PROGRAM_FILES%\adt\tpn\USBProxy.dll" /s
- '<SYSTEM32>\regsvr32.exe' "%PROGRAM_FILES%\adt\tpn\USBCtrl.dll" /s
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\adt\tpn\AdtTsc.oc_
- %PROGRAM_FILES%\adt\tpn\AdtRdp.oc_
- %PROGRAM_FILES%\adt\tpn\ver.ver
- <DRIVERS>\eps1k.sys
- %WINDIR%\inf\eps1k.INF
- %PROGRAM_FILES%\adt\tpn\TpnMangr.ex_
- %PROGRAM_FILES%\adt\tpn\USBCtrl.dl_
- %PROGRAM_FILES%\adt\tpn\socksclient.dl_
- %PROGRAM_FILES%\adt\tpn\UsbProxy.dl_
- %PROGRAM_FILES%\adt\tpn\ChkTrust.ex_
- %PROGRAM_FILES%\adt\tpn\AVpnSrv.ex_
- <DRIVERS>\usbic1k.SYS
- %WINDIR%\Temp\OLD4.tmp
- %WINDIR%\LastGood\TMP3.tmp
- <DRIVERS>\SET5.tmp
- %WINDIR%\inf\netwsfm.PNF
- %WINDIR%\inf\SET8.tmp
- %WINDIR%\inf\INFCACHE.0
- <DRIVERS>\adtipsec.sys
- <DRIVERS>\netwsfm.inf
- %WINDIR%\inf\oem3.inf
- %WINDIR%\inf\eps1k.PNF
- %WINDIR%\inf\oem3.PNF
- %PROGRAM_FILES%\adt\tpn\driver\netwsf.inf
- %PROGRAM_FILES%\adt\tpn\usbdriver\eps1k.INF
- %PROGRAM_FILES%\adt\tpn\driver\netwsfm.inf
- %PROGRAM_FILES%\adt\tpn\driver\setupDev.exe
- %PROGRAM_FILES%\adt\tpn\install.exe
- %PROGRAM_FILES%\adt\tpn\driver\DevFilterSafeMode.inf
- %PROGRAM_FILES%\adt\tpn\driver\Uninstall.cmd
- %PROGRAM_FILES%\adt\tpn\driver\Install.cmd
- %PROGRAM_FILES%\adt\tpn\driver\AdtFileFilter.inf
- %PROGRAM_FILES%\adt\tpn\driver\ADTVNIC.inf
- %PROGRAM_FILES%\adt\tpn\driver\AdtFileFilterW2K.inf
- %PROGRAM_FILES%\adt\tpn\usbdriver\ep1kdl20.dll
- %PROGRAM_FILES%\adt\tpn\adtcore.dl_
- %PROGRAM_FILES%\adt\tpn\usbdriver\usbic1k.SYS
- %PROGRAM_FILES%\adt\tpn\disacert.dl_
- %PROGRAM_FILES%\adt\tpn\disacert_1kND.dl_
- %PROGRAM_FILES%\adt\tpn\disacert_1k.dl_
- %PROGRAM_FILES%\adt\tpn\usbdriver\eps1k.sys
- %PROGRAM_FILES%\adt\tpn\driver\AdtFileFilter.sys
- %PROGRAM_FILES%\adt\tpn\usbdriver\FT_ND_API.dll
- %PROGRAM_FILES%\adt\tpn\driver\adtipsec.sys
- %PROGRAM_FILES%\adt\tpn\driver\DevFilter.sys
- %PROGRAM_FILES%\adt\tpn\driver\ADTVNIC.sys
Удаляет следующие файлы:
- <DRIVERS>\netwsfm.inf
- %WINDIR%\Temp\OLD4.tmp
- <DRIVERS>\adtipsec.sys
Перемещает следующие системные файлы:
- %WINDIR%\inf\INFCACHE.2 в %WINDIR%\inf\OLDCACHE.000
- %WINDIR%\inf\INFCACHE.1 в %WINDIR%\inf\INFCACHE.2
Перемещает следующие файлы:
- %PROGRAM_FILES%\adt\tpn\socksclient.dl_ в %PROGRAM_FILES%\adt\tpn\socksclient.dll
- %PROGRAM_FILES%\adt\tpn\AVpnSrv.ex_ в %PROGRAM_FILES%\adt\tpn\AVpnSrv.exe
- %PROGRAM_FILES%\adt\tpn\TpnMangr.ex_ в %PROGRAM_FILES%\adt\tpn\TpnMangr.exe
- %PROGRAM_FILES%\adt\tpn\adtcore.dl_ в %PROGRAM_FILES%\adt\tpn\adtcore.dll
- %WINDIR%\inf\SET8.tmp в %WINDIR%\inf\netwsfm.inf
- %WINDIR%\inf\INFCACHE.0 в %WINDIR%\inf\INFCACHE.1
- %WINDIR%\LastGood\TMP3.tmp в %WINDIR%\LastGood\system32\DRIVERS\adtipsec.sys
- <DRIVERS>\SET5.tmp в <DRIVERS>\adtipsec.sys
- %PROGRAM_FILES%\adt\tpn\disacert_1kND.dl_ в %PROGRAM_FILES%\adt\tpn\disacert_1kND.dll
- %PROGRAM_FILES%\adt\tpn\ChkTrust.ex_ в %PROGRAM_FILES%\adt\tpn\ChkTrust.exe
- %PROGRAM_FILES%\adt\tpn\disacert.dl_ в %PROGRAM_FILES%\adt\tpn\disacert.dll
- %PROGRAM_FILES%\adt\tpn\disacert_1k.dl_ в %PROGRAM_FILES%\adt\tpn\disacert_1k.dll
- %PROGRAM_FILES%\adt\tpn\UsbProxy.dl_ в %PROGRAM_FILES%\adt\tpn\USBProxy.dll
- %PROGRAM_FILES%\adt\tpn\USBCtrl.dl_ в %PROGRAM_FILES%\adt\tpn\USBCtrl.dll
- %PROGRAM_FILES%\adt\tpn\usbdriver\ep1kdl20.dll в <SYSTEM32>\ep1kdl20.dll
- %PROGRAM_FILES%\adt\tpn\usbdriver\FT_ND_API.dll в <SYSTEM32>\FT_ND_API.dll
Сетевая активность:
UDP:
- 'localhost':1045
- '23#.#55.255.250':1900
Другое:
Ищет следующие окна:
- ClassName: '(null)' WindowName: '????????'
- ClassName: '(null)' WindowName: 'Hardware Installation'
- ClassName: 'TpnMangr' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
