Trojan.MulDrop.58970

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}' = 'sthile.dll'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}' = 'csiddll'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\РЮёґ№¤ѕЯ.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe] 'Debugger' = 'ntsd -d'

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\AppMgmt] 'Start' = '00000002'

Изменяет следующие исполняемые системные файлы:

<SYSTEM32>\appmgmts.dll

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует отображение:

скрытых файлов
расширений файлов

Создает и запускает на исполнение:

'%PROGRAM_FILES%\Internet Explorer\mstcs.exe' Explorer\mstcs.exe %TEMP%\Qvod.exe
'%TEMP%\small.exe'
'<SYSTEM32>\Dofake.exe'
'%PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe'
'%TEMP%\dl_205423.exe'
'%TEMP%\Qvod.exe'
'%TEMP%\88.exe'
'%TEMP%\yoyo1182.exe'
'%TEMP%\2004.exe'

Запускает на исполнение:

'<SYSTEM32>\cmd.exe' /c 375519961O57540.bat
'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\mpiabinfh.bat
'<SYSTEM32>\ping.exe' -n 3 127.0.0.1
'<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\sthile.dll
'<SYSTEM32>\rundll32.exe' kml1893.dll , InstallMyDll
'<SYSTEM32>\regsvr32.exe' /s %WINDIR%\PPLAYE~1.DLL

Устраняет перехваты фукнций в SSDT (System Service Descriptor Table).

Изменения в файловой системе:

Создает следующие файлы:

<SYSTEM32>\cryptcom.dll
<SYSTEM32>\c_30110.nls
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C95IJSZY\desktop.ini
%HOMEPATH%\Desktop\Internet Explorer.lnk
<SYSTEM32>\sthile.dll
%HOMEPATH%\Local Settings\Temporary Internet Files\_inimac
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8RKRQJMV\desktop.ini
%TEMP%\57540.aqq
<SYSTEM32>\omarpv.bat
<SYSTEM32>\mpiabinfh.bat
%TEMP%\375519961O57540.bat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVD8FUSQ\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PQFKTYZ\desktop.ini
<SYSTEM32>\Dofake.exe
%PROGRAM_FILES%\Microsoft Office\SYSTEM\31.exe
%TEMP%\yoyo1182.exe
%TEMP%\88.exe
C:\DelInfo.bin
%TEMP%\small.exe
%TEMP%\2004.exe
%TEMP%\dl_205423.exe
%TEMP%\Qvod.exe
%WINDIR%\PPlayer.2.1.58130.251.(508).dll
<SYSTEM32>\Windows.ime
<SYSTEM32>\kml1893.dll
<SYSTEM32>\dllcache\kml1893.dll
%WINDIR%\Temp\Oraber.sys
%PROGRAM_FILES%\Internet Explorer\mstcs.exe
%APPDATA%\d43sdf.dat
<SYSTEM32>\s3s4312.dat

Присваивает атрибут 'скрытый' для следующих файлов:

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVD8FUSQ\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PQFKTYZ\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C95IJSZY\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8RKRQJMV\desktop.ini

Удаляет следующие файлы:

%TEMP%\57540.aqq
<SYSTEM32>\Dofake.exe
%TEMP%\small.exe
<SYSTEM32>\drklpioqcc.bat
%TEMP%\dl_205423.exe
%PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe
C:\DelInfo.bin
%TEMP%\88.exe
%APPDATA%\d43sdf.dat
%TEMP%\Qvod.exe
%WINDIR%\Temp\Oraber.sys

Перемещает следующие файлы:

<SYSTEM32>\omarpv.bat в <SYSTEM32>\drklpioqcc.bat
%PROGRAM_FILES%\Microsoft Office\SYSTEM\31.exe в %PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe

Сетевая активность:

Подключается к:

'localhost':1043
'www.de####ll-wz.com.cn':8080

UDP:

DNS ASK 88.##22down.com
DNS ASK ro####.utorrent.com
DNS ASK d.###1001.com
DNS ASK 88.##11down.com
DNS ASK c.###1001.com
DNS ASK www.su###qqface.com
DNS ASK ro####.bittorrent.com
DNS ASK g.###1001.com
DNS ASK i.###1001.com
DNS ASK j.###1001.com
DNS ASK e.###1001.com
DNS ASK h.###1001.com
DNS ASK f.###1001.com
DNS ASK a2.##4736.com
DNS ASK a.####ase.51edm.net
DNS ASK d.###736.com
DNS ASK www.EE######-9BCC-43a6-BE3.com
DNS ASK www.de####ll-wz.com.cn
DNS ASK www.xu##ei.com
DNS ASK ro####.bitcomet.net
DNS ASK a.###1001.com
DNS ASK 88.##00down.com
DNS ASK ro####.bitcomet.com
DNS ASK b.###1001.com
'89.##3.188.11':8957
'62.##.208.112':9342
'23#.#55.255.250':1900
'65.#.163.4':50144
'90.##.108.231':58856
'21#.#7.13.11':22137
'85.#1.66.73':38338
'72.##2.20.73':16306
'77.##.224.30':30478
'58.##.39.204':40139
'90.##1.190.208':25439

Другое:

Ищет следующие окна:

ClassName: 'CicLoaderWndClass' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'EDIT' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней