Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Classes\DSAZip.File\Shell\open\Command] '' = '"%PROGRAM_FILES%\2020\DSA\DSA.exe" /dsazip "%1"'
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\2020\DSA\DSA.exe' /rootpath "<Текущая директория>" ""
Запускает на исполнение:
- '<SYSTEM32>\msiexec.exe' -Embedding CEB6DB290524A43286DCDC897D545E5C
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\msiexec.exe' /i "%TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\DSABootstrapper.msi" /qb! SETUPEXEDIR="<Текущая директория>" SETUPEXENAME="<Имя вируса>.exe"
Изменения в файловой системе:
Создает следующие файлы:
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\drivetable.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\drivetable.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\rp.log
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- %WINDIR%\assembly\tmp\HDAR3AOK\2020.Base.dll
- %ALLUSERSPROFILE%\Start Menu\Programs\20-20 Technologies\Catalog Maintenance....lnk
- %WINDIR%\Fonts\CALIBRIZ.TTF
- %WINDIR%\Fonts\CALIBRIB.TTF
- %WINDIR%\Fonts\CALIBRII.TTF
- %WINDIR%\Installer\{abf0cf74-27b8-475e-b78e-fc8c2ee5cdf7}\NewShortcut11_4E76F696043D4F7F87C1F1F0802974E2.exe
- %ALLUSERSPROFILE%\Application Data\2020\DSA\2020Catalogs-2014-02-27-001-DSALOG.txt
- %WINDIR%\Installer\{abf0cf74-27b8-475e-b78e-fc8c2ee5cdf7}\NewShortcut23_4074F135FCEB4D48B4C83AC690531416.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\20-20 Technologies\Catalog Diagnostics....lnk
- %WINDIR%\Installer\{abf0cf74-27b8-475e-b78e-fc8c2ee5cdf7}\ARPPRODUCTICON.exe
- %WINDIR%\Fonts\CALIBRI.TTF
- %WINDIR%\Installer\MSI17.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- %PROGRAM_FILES%\2020\DSA\DSA.chm
- %PROGRAM_FILES%\2020\DSA\License.rtf
- %PROGRAM_FILES%\2020\DSA\DSA.exe
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\RestorePointSize
- C:\Config.Msi\2d932.rbs
- %WINDIR%\Installer\MSI16.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2008 (x86).prq
- %TEMP%\_is9.tmp
- %TEMP%\_is8.tmp
- %TEMP%\_is7.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2003 SP1 and later (x86).prq
- %TEMP%\_isB.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2003 and XP (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista and Server 2008 (x86).prq
- %TEMP%\_isA.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista (x86).prq
- %TEMP%\_is2.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\0x0409.ini
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\_ISMSIDEL.INI
- %TEMP%\_is1.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Setup.INI
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows XP SP2 and later (x86).prq
- %TEMP%\_is6.tmp
- %TEMP%\_is5.tmp
- %TEMP%\_is4.tmp
- %TEMP%\~3.tmp
- %TEMP%\_isC.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 for Windows XP (x64).prq
- %TEMP%\_is14.tmp
- %TEMP%\_is13.tmp
- %TEMP%\_is12.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 for Windows Server 2003 SP1 (x64).prq
- %TEMP%\MSI2cfe8.LOG
- %WINDIR%\Installer\2d92f.msi
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\DSABootstrapper.msi
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Microsoft .NET Framework 4.0 Full.prq
- %TEMP%\_is15.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Imaging Component (x64).prq
- %TEMP%\_isE.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista and Server 2008 (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2008 (x64).prq
- %TEMP%\_isD.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 for Windows Server 2003 SP1 (x86).prq
- %TEMP%\_is11.tmp
- %TEMP%\_is10.tmp
- %TEMP%\_isF.tmp
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Imaging Component (x86).prq
Удаляет следующие файлы:
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Imaging Component (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Setup.INI
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Imaging Component (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 for Windows Server 2003 SP1 (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Microsoft .NET Framework 4.0 Full.prq
- %WINDIR%\Installer\2d92f.msi
- C:\Config.Msi\2d932.rbs
- %WINDIR%\Installer\2d931.ipi
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\DSABootstrapper.msi
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\0x0409.ini
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 for Windows Server 2003 SP1 (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista and Server 2008 (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista and Server 2008 (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\_ISMSIDEL.INI
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows XP SP2 and later (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Vista (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2003 and XP (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 3.1 for Windows XP (x64).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2003 SP1 and later (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2008 (x86).prq
- %TEMP%\{BA8CB26A-1F99-4119-9534-EA1CCAB755FF}\Windows Installer 4.5 for Windows Server 2008 (x64).prq
- %TEMP%\_is8.tmp
- %TEMP%\_is7.tmp
- %TEMP%\_is9.tmp
- %TEMP%\_isB.tmp
- %TEMP%\_isA.tmp
- %TEMP%\_is6.tmp
- %TEMP%\_is2.tmp
- %TEMP%\_is1.tmp
- %TEMP%\_is4.tmp
- %TEMP%\_is5.tmp
- %TEMP%\~3.tmp
- %TEMP%\_isC.tmp
- %TEMP%\_is14.tmp
- %TEMP%\_is13.tmp
- %TEMP%\_is15.tmp
- %WINDIR%\Installer\MSI17.tmp
- %WINDIR%\Installer\MSI16.tmp
- %TEMP%\_is12.tmp
- %TEMP%\_isE.tmp
- %TEMP%\_isD.tmp
- %TEMP%\_isF.tmp
- %TEMP%\_is11.tmp
- %TEMP%\_is10.tmp
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
