Trojan.DownLoader11.17800

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Classes\goodPic\shell\open\command] '' = '"%PROGRAM_FILES%\goodPic\goodPicAp.exe" "%1"'

Вредоносные функции:

Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\goodPic\goodPic.exe' = '%PROGRAM_FILES%\goodPic\goodPic.exe:*:Enabled:Е®Йс»Іб Player'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\goodPic\goodPicAp.exe' = '%PROGRAM_FILES%\goodPic\goodPicAp.exe:*:Enabled:Е®Йс»Іб App'

Создает и запускает на исполнение:

'%TEMP%\is-OEDKA.tmp\goodPic_setup_612.tmp' /SL5="$100EC,2481881,117760,%TEMP%\nsw3.tmp\goodPic_setup_612.exe" /verysilent
'%PROGRAM_FILES%\goodPic\goodPicAp.exe' /setup_s
'%TEMP%\nsw3.tmp\goodPic_setup_612.exe' /verysilent
'%TEMP%\nsw3.tmp\goodpic_dae_612.exe'
'%TEMP%\nsw3.tmp\gode.exe'

Изменения в файловой системе:

Создает следующие файлы:

%ALLUSERSPROFILE%\Start Menu\Programs\goodPic\goodPic Player.lnk
%PROGRAM_FILES%\goodPic\plugins\is-OBCL3.tmp
%PROGRAM_FILES%\goodPic\plugins\is-KGMTR.tmp
%PROGRAM_FILES%\goodPic\config\config.ini
%PROGRAM_FILES%\goodPic\unins000.dat
%ALLUSERSPROFILE%\Start Menu\Programs\goodPic\Uninstall їН»§¶Л.lnk
%PROGRAM_FILES%\goodPic\is-0T1VA.tmp
%PROGRAM_FILES%\goodPic\is-2D1DU.tmp
%PROGRAM_FILES%\goodPic\is-HVN23.tmp
%PROGRAM_FILES%\goodPic\config\is-TDP51.tmp
%PROGRAM_FILES%\goodPic\is-M2CGH.tmp
%PROGRAM_FILES%\goodPic\is-UEC5F.tmp
%HOMEPATH%\Desktop\goodPic Player.lnk
%PROGRAM_FILES%\goodPic\config\hlib_pcrc.db-journal
%PROGRAM_FILES%\goodPic\config\hlib_block.db
%PROGRAM_FILES%\goodPic\config\hlib_block.db-journal
%PROGRAM_FILES%\goodPic\config\CfgTmp.zip
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\cfgPicture[1].zip
%PROGRAM_FILES%\goodPic\config\hlib_pcrc.db
%PROGRAM_FILES%\goodPic\meinvGo.url
%PROGRAM_FILES%\goodPic\config\profile.cfg
%PROGRAM_FILES%\goodPic\config\partner.ini
%PROGRAM_FILES%\goodPic\config\hlib_index.db
%PROGRAM_FILES%\goodPic\config\hlib_index.db-journal
%PROGRAM_FILES%\goodPic\top_box.bmp
%PROGRAM_FILES%\goodPic\is-2D736.tmp
%TEMP%\is-Q8E56.tmp\jpg2bmp.dll
%TEMP%\is-Q8E56.tmp\_isetup\_shfoldr.dll
%TEMP%\is-Q8E56.tmp\_isetup\_RegDLL.tmp
%TEMP%\is-Q8E56.tmp\left_box.bmp
%TEMP%\is-Q8E56.tmp\setup.jpg
%TEMP%\is-Q8E56.tmp\MgRecommend.dll
%TEMP%\nsw3.tmp\gode.exe
%TEMP%\nsw3.tmp\NSISdl.dll
%TEMP%\nsr2.tmp
%TEMP%\is-OEDKA.tmp\goodPic_setup_612.tmp
%TEMP%\nsw3.tmp\goodPic_setup_612.exe
%TEMP%\nsw3.tmp\goodpic_dae_612.exe
%TEMP%\is-Q8E56.tmp\top_box.jpg
%PROGRAM_FILES%\goodPic\is-EI25F.tmp
%PROGRAM_FILES%\goodPic\is-32P5A.tmp
%PROGRAM_FILES%\goodPic\is-S8HGA.tmp
%PROGRAM_FILES%\goodPic\is-Q2QD2.tmp
%PROGRAM_FILES%\goodPic\is-I9699.tmp
%PROGRAM_FILES%\goodPic\is-4Q4QI.tmp
%PROGRAM_FILES%\goodPic\is-37QGB.tmp
%TEMP%\is-Q8E56.tmp\top_box.bmp
%TEMP%\is-Q8E56.tmp\setup.bmp
%PROGRAM_FILES%\goodPic\is-AISI6.tmp
%PROGRAM_FILES%\goodPic\is-9VMNJ.tmp
%PROGRAM_FILES%\goodPic\is-31RAB.tmp

Удаляет следующие файлы:

%TEMP%\nsw3.tmp\gode.exe
%TEMP%\nsw3.tmp\goodpic_dae_612.exe
%TEMP%\is-OEDKA.tmp\goodPic_setup_612.tmp
%TEMP%\nsw3.tmp\goodPic_setup_612.exe
%TEMP%\nsw3.tmp\NSISdl.dll
%PROGRAM_FILES%\goodPic\config\hlib_block.db-journal
%PROGRAM_FILES%\goodPic\config\hlib_pcrc.db-journal
%PROGRAM_FILES%\goodPic\config\profile.cfg
%PROGRAM_FILES%\goodPic\config\hlib_index.db-journal
%TEMP%\is-Q8E56.tmp\_isetup\_shfoldr.dll
%TEMP%\is-Q8E56.tmp\left_box.bmp
%TEMP%\is-Q8E56.tmp\MgRecommend.dll
%PROGRAM_FILES%\goodPic\goodPic.exe
%TEMP%\is-Q8E56.tmp\jpg2bmp.dll
%TEMP%\is-Q8E56.tmp\setup.bmp
%TEMP%\is-Q8E56.tmp\top_box.jpg
%TEMP%\is-Q8E56.tmp\_isetup\_RegDLL.tmp
%TEMP%\is-Q8E56.tmp\setup.jpg
%TEMP%\is-Q8E56.tmp\top_box.bmp

Перемещает следующие файлы:

%PROGRAM_FILES%\goodPic\is-0T1VA.tmp в %PROGRAM_FILES%\goodPic\msvcr71.dll
%PROGRAM_FILES%\goodPic\is-UEC5F.tmp в %PROGRAM_FILES%\goodPic\ppxa.dll
%PROGRAM_FILES%\goodPic\is-2D1DU.tmp в %PROGRAM_FILES%\goodPic\msvcr110.dll
%PROGRAM_FILES%\goodPic\is-2D736.tmp в %PROGRAM_FILES%\goodPic\msvcp110.dll
%PROGRAM_FILES%\goodPic\is-HVN23.tmp в %PROGRAM_FILES%\goodPic\msvcp71.dll
%PROGRAM_FILES%\goodPic\plugins\is-OBCL3.tmp в %PROGRAM_FILES%\goodPic\plugins\TransmitLayer.dll
%PROGRAM_FILES%\goodPic\config\profile.cfg.new в %PROGRAM_FILES%\goodPic\config\profile.cfg
%PROGRAM_FILES%\goodPic\plugins\is-KGMTR.tmp в %PROGRAM_FILES%\goodPic\plugins\mnGLnk.dll
%PROGRAM_FILES%\goodPic\is-M2CGH.tmp в %PROGRAM_FILES%\goodPic\sqlite3.dll
%PROGRAM_FILES%\goodPic\config\is-TDP51.tmp в %PROGRAM_FILES%\goodPic\config\init.config.ini
%PROGRAM_FILES%\goodPic\is-AISI6.tmp в %PROGRAM_FILES%\goodPic\goodPicAp.exe
%PROGRAM_FILES%\goodPic\is-S8HGA.tmp в %PROGRAM_FILES%\goodPic\jpg2bmp.dll
%PROGRAM_FILES%\goodPic\is-9VMNJ.tmp в %PROGRAM_FILES%\goodPic\goodPic.exe
%PROGRAM_FILES%\goodPic\is-37QGB.tmp в %PROGRAM_FILES%\goodPic\unins000.exe
%PROGRAM_FILES%\goodPic\is-31RAB.tmp в %PROGRAM_FILES%\goodPic\goodPic.exe
%PROGRAM_FILES%\goodPic\is-I9699.tmp в %PROGRAM_FILES%\goodPic\MGIconLib.dll
%PROGRAM_FILES%\goodPic\is-Q2QD2.tmp в %PROGRAM_FILES%\goodPic\MgRecommend.dll
%PROGRAM_FILES%\goodPic\is-4Q4QI.tmp в %PROGRAM_FILES%\goodPic\MFC71.dll
%PROGRAM_FILES%\goodPic\is-32P5A.tmp в %PROGRAM_FILES%\goodPic\meinvGo.ico
%PROGRAM_FILES%\goodPic\is-EI25F.tmp в %PROGRAM_FILES%\goodPic\meinvGo.url