Trojan.DownLoader11.5279

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\katmain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrogAgent.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvprescan.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnipeSword.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcrmon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acasp.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBMon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.kxp] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxtray.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'debugger' = '<SYSTEM32>\wscntfy.exe'

Вредоносные функции:

Создает и запускает на исполнение:

'%TEMP%\wulala.exe' 1652
'%TEMP%\wulala.exe' 1744

Запускает на исполнение:

'<SYSTEM32>\cmd.exe' /c <Текущая директория>\kill.bat

Изменения в файловой системе:

Создает следующие файлы:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\qx[1].txt
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\xz[1].txt
<Текущая директория>\kill.bat
%TEMP%\wulala.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tz[1].htm
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\xozzc[1].txt

Удаляет следующие файлы:

%TEMP%\wulala.exe

Самоудаляется.

Сетевая активность:

Подключается к:

'qq##.vicp.net':80
'www.xh##y.cn':80
'localhost':1036

TCP:

Запросы HTTP GET:

qq##.vicp.net/qx.txt
qq##.vicp.net/xz.txt
www.xh##y.cn/tz.htm
www.xh##y.cn/xozzc.txt

UDP:

DNS ASK qq##.vicp.net
DNS ASK www.xh##y.cn

Другое:

Ищет следующие окна:

ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней