Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Netcafe Client' = '%PROGRAM_FILES%\Netcafe Client\\NetcafeClient.exe'
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Netcafe Client\updater.exe' = '%PROGRAM_FILES%\Netcafe Client\updater.exe:*:Enabled:Netcafe Client Update'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Netcafe Client\rclient.exe' = '%PROGRAM_FILES%\Netcafe Client\rclient.exe:*:Enabled:Netcafe Remote'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Netcafe Client\NetcafeClient.exe' = '%PROGRAM_FILES%\Netcafe Client\NetcafeClient.exe:*:Enabled:NetcafeClient'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Netcafe Client\NcGame\NcGameClient.exe' = '%PROGRAM_FILES%\Netcafe Client\NcGame\NcGameClient.exe:*:Enabled:Netcafe games update'
Для затруднения выявления своего присутствия в системе
блокирует запуск следующих системных утилит:
- Диспетчера задач (Taskmgr)
- Редактора реестра (RegEdit)
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\Netcafe Client\NetcafeClient.exe'
Запускает на исполнение:
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe' -UseCLSID {6770507D-6472-40B3-B647-8CF581538B56} -Comment "NGen Worker Process"
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen.exe' install "%PROGRAM_FILES%\Netcafe Client\NetcafeClient.exe" /ExeConfig:"%PROGRAM_FILES%\Netcafe Client\NetcafeClient.exe"
- '<SYSTEM32>\msiexec.exe' -Embedding F8C227CF85B28EDBA5D7549A71854203 M Global\MSI0000
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe' -UseCLSID {CE238E5F-C990-4ECF-8BB2-C996264CAAB7} -Comment "NGen Worker Process"
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe' -UseCLSID {B6C67236-E55E-460E-A05C-D009DBFAD3B4} -Comment "NGen Worker Process"
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe' -UseCLSID {F010076E-7F37-4180-A8FD-71F4470D7F2C} -Comment "NGen Worker Process"
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen.exe' install "%PROGRAM_FILES%\Netcafe Client\NcGame\NcGameClient.exe" /ExeConfig:"%PROGRAM_FILES%\Netcafe Client\NcGame\NcGameClient.exe"
- '<SYSTEM32>\msiexec.exe' -Embedding 63F5B63CDC6E6FA129760EA481179F17
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\msiexec.exe'
- '<SYSTEM32>\msiexec.exe' /Y "<SYSTEM32>\bsFileClient.dll"
- '<SYSTEM32>\msiexec.exe' /Y "<SYSTEM32>\flash10\Flash10h.ocx"
- '<SYSTEM32>\msiexec.exe' /Y "<SYSTEM32>\bsFileServer.dll"
- '<SYSTEM32>\msiexec.exe' /Y "<SYSTEM32>\AutoItX3.dll"
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\winlogon.exe
Устанавливает процедуры перхвата сообщений
о нажатии клавиш клавиатуры:
- Библиотека-обработчик для всех процессов: %PROGRAM_FILES%\Netcafe Client\WinLockDll.dll
Изменяет следующие настройки проводника Windows (Windows Explorer):
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'DisAllowRun' = '00000001'
Без разрешения пользователя устанавливает новую стартовую страницу для Windows Internet Explorer.
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\assembly\tmp\KE35UR6A\Interop.bsFileClientSDK.dll
- %WINDIR%\assembly\tmp\1SWCVG07\Interop.SHDocVw.dll
- %WINDIR%\assembly\tmp\O1QOGSO0\ICSharpCode.SharpZipLib.dll
- %WINDIR%\assembly\tmp\UYTA0ZJG\AxInterop.ShockwaveFlashObjects.dll
- %PROGRAM_FILES%\Netcafe Client\DFM.exe
- %WINDIR%\assembly\tmp\YCPDEADO\Interop.ShockwaveFlashObjects.dll
- %PROGRAM_FILES%\Netcafe Client\WinLockDll.dll
- <SYSTEM32>\bsFileClient.dll
- %PROGRAM_FILES%\Netcafe Client\UpdateTool.exe
- %PROGRAM_FILES%\Netcafe Client\NcKall.exe
- %PROGRAM_FILES%\Netcafe Client\rclient.exe
- %WINDIR%\assembly\tmp\UC27GI1J\AxInterop.Microsoft.Vbe.Interop.Forms.dll
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- %WINDIR%\Installer\MSI2.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- %WINDIR%\Installer\MSI3.tmp
- C:\Config.Msi\2d9a0.rbs
- %PROGRAM_FILES%\Netcafe Client\NetcafeClient.exe
- %WINDIR%\Installer\MSI4.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\RestorePointSize
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA.tmp\NetcafeClient.exe
- %TEMP%\tmpB.tmp
- %TEMP%\tmp9.tmp
- %WINDIR%\Installer\MSI7.tmp
- %WINDIR%\Installer\MSI8.tmp
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC.tmp\NcGameClient.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\middle9[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\top9[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\intro[1].swf
- %PROGRAM_FILES%\Netcafe Client\Update.exe
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
- %WINDIR%\Installer\MSI6.tmp
- %PROGRAM_FILES%\Netcafe Client\updater.exe
- %WINDIR%\assembly\tmp\O1QW0B24\Interop.bsFileServerSDK.dll
- <SYSTEM32>\bsFileServer.dll
- %WINDIR%\assembly\tmp\GQ11WS7H\Interop.AutoItX3Lib.dll
- <SYSTEM32>\AutoItX3.dll
- %WINDIR%\assembly\tmp\RY00ZFYC\Interop.IWshRuntimeLibrary.dll
- %ALLUSERSPROFILE%\Desktop\Netcafe Client.lnk
- %PROGRAM_FILES%\Netcafe Client\updater.ini
- %ALLUSERSPROFILE%\Start Menu\Programs\Netcafe Client\Netcafe Client.lnk
- %PROGRAM_FILES%\Netcafe Client\NcGame\NcGameClient.exe
- <SYSTEM32>\flash10\Flash10h.ocx
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.AutoItX3Lib.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.bsFileClientSDK.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\ICSharpCode.SharpZipLib.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\bsFileClient.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\bsFileServer.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcGame\Interop.bsFileServerSDK.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WinLockDll.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\flash10\Flash10h.ocx
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.ShockwaveFlashObjects.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcGame\Interop.IWshRuntimeLibrary.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.SHDocVw.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\AxInterop.ShockwaveFlashObjects.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcGame\NcGameClient.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcKall.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\DFM.exe
- %APPDATA%\24h\Netcafe Client\install\decoder.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\drivers\etc\hosts
- %APPDATA%\24h\Netcafe Client\install\C06C568\NetcafeClient.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\AutoItX3.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\AxInterop.Microsoft.Vbe.Interop.Forms.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\UpdateTool.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\rclient.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\updater.exe
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\drivetable.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\drivetable.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- %WINDIR%\Installer\MSI1.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\rp.log
- %WINDIR%\Installer\2d99d.msi
- %APPDATA%\24h\Netcafe Client\install\C06C568\Netcafe Client Path 9 - cache.msi
- %TEMP%\2c440.msi
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
Удаляет следующие файлы:
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcKall.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcGame\NcGameClient.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\rclient.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\NetcafeClient.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcGame\Interop.IWshRuntimeLibrary.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.SHDocVw.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.bsFileClientSDK.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\NcGame\Interop.bsFileServerSDK.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.ShockwaveFlashObjects.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\updater.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\WinLockDll.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\flash10\Flash10h.ocx
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
- %PROGRAM_FILES%\Netcafe Client\UpdateTool.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\drivers\etc\hosts
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\AutoItX3.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\UpdateTool.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\bsFileServer.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\WindowsFolder\System32\bsFileClient.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\Interop.AutoItX3Lib.dll
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\indexa6.dat
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\indexa5.dat
- %WINDIR%\Installer\MSI2.tmp
- %WINDIR%\Installer\MSI8.tmp
- %WINDIR%\Installer\MSI7.tmp
- %WINDIR%\Installer\MSI3.tmp
- %WINDIR%\Installer\MSI1.tmp
- %WINDIR%\Installer\MSI6.tmp
- %WINDIR%\Installer\MSI4.tmp
- C:\Config.Msi\2d9a1.rbf
- %APPDATA%\24h\Netcafe Client\install\C06C568\AxInterop.ShockwaveFlashObjects.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\AxInterop.Microsoft.Vbe.Interop.Forms.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\ICSharpCode.SharpZipLib.dll
- %APPDATA%\24h\Netcafe Client\install\C06C568\DFM.exe
- %APPDATA%\24h\Netcafe Client\install\C06C568\Netcafe Client Path 9 - cache.msi
- %WINDIR%\Installer\2d99d.msi
- C:\Config.Msi\2d9a0.rbs
- %APPDATA%\24h\Netcafe Client\install\decoder.dll
- %TEMP%\2c440.msi
Перемещает следующие системные файлы:
- <DRIVERS>\etc\hosts в C:\Config.Msi\2d9a1.rbf
Перемещает следующие файлы:
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx в %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC.tmp\NcGameClient.exe в %WINDIR%\assembly\NativeImages_v2.0.50727_32\NcGameClient\b8a6151775ea92e70f8fd62f031c3854\NcGameClient.ni.exe
- %WINDIR%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA.tmp\NetcafeClient.exe в %WINDIR%\assembly\NativeImages_v2.0.50727_32\NetcafeClient\f1770a39d9ea3c954fba3175db6b8927\NetcafeClient.ni.exe
Подменяет файл HOSTS.
Сетевая активность:
Подключается к:
- 'ne####e.24h.com.vn':80
- 'ne####e7.24h.com.vn':80
- '<IP-адрес в локальной сети>':2223
- 'localhost':1041
TCP:
Запросы HTTP GET:
- ne####e7.24h.com.vn/Netcafe9/ads/top9.php
- ne####e7.24h.com.vn/Netcafe9/ads/middle9.php
- ne####e.24h.com.vn/netcafe/banner/intro.swf
UDP:
- DNS ASK ne####e7.24h.com.vn
- DNS ASK ne####e.24h.com.vn
Другое:
Ищет следующие окна:
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'SAS Window class' WindowName: 'SAS window'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'MS_WINHELP' WindowName: '(null)'
