Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E5F5D008-DD2C-4D32-977D-1A0ADF03058B}\DownloadInformation] 'CODEBASE' = 'https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab'
- [<HKLM>\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F27237D7-93C8-44C2-AC6E-D6057B9A918F}\DownloadInformation] 'CODEBASE' = 'https://juniper.net/dana-cached/sc/JuniperSetupClient.cab'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\JuniperAccessService] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\Juniper Networks\Installer Service\JuniperSetupOCX.exe'
- '%PROGRAM_FILES%\Juniper Networks\Installer Service\JuniperSetupClientOCX.exe'
- 'C:\temp\juniper\importpfx.exe' -f c:\temp\juniper\ypgclient-cert.p12 -p "YPG" -t USER -s MY
- 'C:\temp\juniper\pskill.exe' mDNSResponder.exe
- 'C:\temp\juniper\certmgr.exe' /add /all /c c:\temp\juniper\YPG-cacert.der /s /r localmachine Root
- '%CommonProgramFiles%\Juniper Networks\JUNS\dsAccessService.exe'
- '%PROGRAM_FILES%\Juniper Networks\Installer Service\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe' %CommonProgramFiles%\Juniper Networks\JUNS\
- 'C:\temp\juniper\install_cgi.exe'
- '%PROGRAM_FILES%\Juniper Networks\Installer Service\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe' %CommonProgramFiles%\Juniper Networks\JUNS\
- '%CommonProgramFiles%\Juniper Networks\JUNS\dsAccessService.exe' -regserver
- '%PROGRAM_FILES%\Juniper Networks\Installer Service\AccessServiceComponent.x86.exe' /S
Запускает на исполнение:
- '%WINDIR%\regedit.exe' /s c:\temp\juniper\zoneOK.reg
- '<SYSTEM32>\msiexec.exe' -Embedding 892753A4F55FB7E9339624B2D40F03BA M Global\MSI0000
- '<SYSTEM32>\sc.exe' config "Bonjour Service" start= disabled
- '%WINDIR%\regedit.exe' /s c:\temp\juniper\WarnOnbadCert.reg
- '<SYSTEM32>\msiexec.exe' /i "c:\temp\juniper\JuniperSetupServiceInstaller-6.4R4.1.msi" transforms="c:\temp\juniper\JuniperSetupServiceInstaller-6.4R4.1.mst" /QN
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\install_cgi.cmd""
- '<SYSTEM32>\msiexec.exe' -Embedding F1A814DD81C4241BC7855E008174A79B
- '<SYSTEM32>\msiexec.exe' /V
Изменяет следующие настройки браузера Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonBadCertRecving' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A04' = '00000000'
Изменения в файловой системе:
Создает следующие файлы:
- %ALLUSERSPROFILE%\Application Data\Juniper Networks\Logging\debuglog.log
- %WINDIR%\Installer\MSI10.tmp
- %CommonProgramFiles%\Juniper Networks\JUNS\access.ini
- %CommonProgramFiles%\Juniper Networks\JUNS\Uninstall.exe
- %CommonProgramFiles%\Juniper Networks\JUNS\dsLogService.dll
- %WINDIR%\Downloaded Program Files\install.log
- %WINDIR%\Downloaded Program Files\JuniperSetupClientCtrlUninstaller.exe
- %WINDIR%\Downloaded Program Files\JuniperSetup.inf
- %WINDIR%\Downloaded Program Files\JuniperExt.exe
- %WINDIR%\Downloaded Program Files\JuniperSetupClient.inf
- %WINDIR%\Downloaded Program Files\JuniperSetupClient.ocx
- %CommonProgramFiles%\Juniper Networks\JUNS\Uninstall.exe.manifest
- %CommonProgramFiles%\Juniper Networks\JUNS\Microsoft.VC80.CRT\msvcp80.dll
- %CommonProgramFiles%\Juniper Networks\JUNS\install.log
- %TEMP%\nsoD.tmp\System.dll
- %CommonProgramFiles%\Juniper Networks\JUNS\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
- %CommonProgramFiles%\Juniper Networks\JUNS\Microsoft.VC80.CRT\msvcr80.dll
- %TEMP%\nsvF.tmp\System.dll
- %CommonProgramFiles%\Juniper Networks\JUNS\dsInstallerService.dll
- %CommonProgramFiles%\Juniper Networks\JUNS\versionInfo.ini
- %CommonProgramFiles%\Juniper Networks\JUNS\dsAccessService.exe
- %TEMP%\nsvF.tmp\FindProcDLL.dll
- %CommonProgramFiles%\Juniper Networks\JUNS\dcfLibrary.dll
- %WINDIR%\Installer\{4FE3451A-5ED0-4049-90F5-25FC0E830476}\JuniperSetupServiceInstaller-6.4R4.1.mst
- %WINDIR%\Installer\MSI17.tmp
- %WINDIR%\Installer\{4FE3451A-5ED0-4049-90F5-25FC0E830476}\Icon4FE3451A1.ICO
- %CommonProgramFiles%\Juniper Networks\JSCDT\jnprShare.tmp
- %WINDIR%\Installer\MSI15.tmp
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\13ff578a-a85c-4ffd-b546-6280ec2d640d
- %APPDATA%\Microsoft\SystemCertificates\My\Certificates\1547AB339320AD1EFA11028F9FD5DD6D327DE295
- %APPDATA%\Microsoft\SystemCertificates\My\Keys\440CA4D6F2E4F6313CFD8E1470E73616D28602A1
- %APPDATA%\Microsoft\SystemCertificates\My\Certificates\A5048C9155A5BD59A759BC6948CCAB241C98C176
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\3aba3c1fd50ac99b2e40b0edf235969a_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %WINDIR%\Installer\MSI14.tmp
- %WINDIR%\Downloaded Program Files\string_es.properties
- %WINDIR%\Downloaded Program Files\string_fr.properties
- %WINDIR%\Downloaded Program Files\string_en.properties
- %WINDIR%\Downloaded Program Files\JuniperSetup.ocx
- %WINDIR%\Downloaded Program Files\string_de.properties
- %WINDIR%\Downloaded Program Files\string_ja.properties
- %WINDIR%\Installer\MSI13.tmp
- %PROGRAM_FILES%\Juniper Networks\Installer Service\JIS.dep
- %WINDIR%\Downloaded Program Files\string_zh_cn.properties
- %WINDIR%\Downloaded Program Files\string_ko.properties
- %WINDIR%\Downloaded Program Files\string_zh.properties
- %WINDIR%\Installer\2af31.msi
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
- %TEMP%\install_cgi.cmd
- C:\temp\juniper\install_cgi.exe
- C:\temp\juniper\certmgr.exe
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
- %WINDIR%\Installer\MSI1.tmp
- %WINDIR%\init.ini
- %WINDIR%\Installer\2af32.mst
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
- C:\temp\juniper\zoneOK.reg
- C:\temp\juniper\JuniperSetupServiceInstaller-6.4R4.1_WISETRFM_2.cab
- C:\temp\juniper\Nortel VPN Client.lnk
- C:\temp\juniper\JuniperSetupServiceInstaller-6.4R4.1.mst
- C:\temp\juniper\importpfx.exe
- C:\temp\juniper\JuniperSetupServiceInstaller-6.4R4.1.msi
- C:\temp\juniper\pskill.exe
- C:\temp\juniper\YPG-cacert.der
- C:\temp\juniper\ypgclient-cert.p12
- C:\temp\juniper\WarnOnbadCert.reg
- C:\temp\juniper\RSA SecurID Software Token.lnk
- C:\temp\juniper\stepbystep.txt
- %WINDIR%\Installer\MSI7.tmp
- %CommonProgramFiles%\Juniper Networks\JSCDT\jnprShare.log
- %PROGRAM_FILES%\Juniper Networks\Installer Service\VPN - Scarborough.url
- <SYSTEM32>\juniper networks logo[6]1.ICO
- %PROGRAM_FILES%\Juniper Networks\Installer Service\VPN - Montreal.url
- %ALLUSERSPROFILE%\Desktop\VPN - Scarborough.lnk
- %WINDIR%\Installer\MSI9.tmp
- %TEMP%\nshB.tmp\System.dll
- %WINDIR%\Installer\MSI8.tmp
- %ALLUSERSPROFILE%\Desktop\VPN - Montreal.lnk
- %PROGRAM_FILES%\Juniper Networks\Installer Service\versionInfo.ini
- %PROGRAM_FILES%\Juniper Networks\Installer Service\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
- %WINDIR%\Installer\MSI5.tmp
- %WINDIR%\Installer\MSI6.tmp
- C:\Config.Msi\2af35.rbs
- %WINDIR%\Installer\MSI2.tmp
- %WINDIR%\Installer\MSI3.tmp
- %TEMP%\jis.tmp
- %CommonProgramFiles%\Juniper Networks\JSCDT\jnprShare.dll
- %PROGRAM_FILES%\Juniper Networks\Installer Service\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
- %PROGRAM_FILES%\Juniper Networks\Installer Service\JuniperSetupOCX.exe
- %PROGRAM_FILES%\Juniper Networks\Installer Service\AccessServiceComponent.x86.exe
- %PROGRAM_FILES%\Juniper Networks\Installer Service\JuniperSetupClientOCX.exe
Удаляет следующие файлы:
- %WINDIR%\Installer\MSI15.tmp
- %WINDIR%\Installer\MSI3.tmp
- %WINDIR%\Installer\MSI14.tmp
- %WINDIR%\Installer\MSI10.tmp
- %WINDIR%\Installer\MSI13.tmp
- %WINDIR%\Installer\2af32.mst
- %TEMP%\install_cgi.cmd
- %WINDIR%\Installer\2af31.msi
- C:\Config.Msi\2af35.rbs
- %WINDIR%\Installer\MSI17.tmp
- %WINDIR%\Installer\MSI9.tmp
- %WINDIR%\Installer\MSI6.tmp
- %WINDIR%\Installer\MSI7.tmp
- %WINDIR%\Installer\MSI5.tmp
- %WINDIR%\Installer\MSI1.tmp
- %WINDIR%\Installer\MSI2.tmp
- %TEMP%\nsvF.tmp\FindProcDLL.dll
- %TEMP%\nsvF.tmp\System.dll
- %TEMP%\nsoD.tmp\System.dll
- %WINDIR%\Installer\MSI8.tmp
- %TEMP%\nshB.tmp\System.dll
Перемещает следующие файлы:
- %CommonProgramFiles%\Juniper Networks\JSCDT\jnprShare.tmp в %CommonProgramFiles%\Juniper Networks\JSCDT\jnprShare.txt
Сетевая активность:
Подключается к:
- 'cs######4-crl.verisign.com':80
- 'crl.verisign.com':80
- 'wp#d':80
TCP:
Запросы HTTP GET:
- cs######4-crl.verisign.com/CSC3-2004.crl
- crl.verisign.com/pca3.crl
- wp#d/wpad.dat
UDP:
- DNS ASK cs######4-crl.verisign.com
- DNS ASK crl.verisign.com
- DNS ASK wp#d
Другое:
Ищет следующие окна:
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
Добавляет корневой сертификат
