Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\APC-Host] 'Start' = '00000002'
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Winconfig\apc_host.exe' = '%PROGRAM_FILES%\Winconfig\apc_host.exe:*:Enabled:WinConfig - Host Module'
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\Winconfig\hcs.exe' "/effects=onC:\Program?Files\Winconfig\apc-settings.ini"
- '%PROGRAM_FILES%\Winconfig\apc_host.exe' /service
- '%PROGRAM_FILES%\Winconfig\hcs.exe' "/wallpaper=on"
- '%PROGRAM_FILES%\Winconfig\hcs.exe' "/theme=onC:\Program?Files\Winconfig\apc-settings.ini"
- '%PROGRAM_FILES%\Winconfig\apc_host.exe' /install /silent
- '%TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter.exe'
- '%TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter.exe' /password=azerty
- '%PROGRAM_FILES%\Winconfig\apc_host.exe' /uninstall /silent
- '%PROGRAM_FILES%\Winconfig\apc_hostconfig.exe' /setup /password=azerty
Изменения в файловой системе:
Создает следующие файлы:
- %ALLUSERSPROFILE%\Winconfig\installerpath.txt
- %PROGRAM_FILES%\Winconfig\installerpath.txt
- %ALLUSERSPROFILE%\Winconfig\anyplace-control.ini
- %APPDATA%\Winconfig\anyplace-control.ini
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.ntv.lng
- %PROGRAM_FILES%\Winconfig\apc_host.exe
- %PROGRAM_FILES%\Winconfig\apc_hostconfig.exe
- %PROGRAM_FILES%\Winconfig\anyplace-control.ini
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\maintenance.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\unwatermark.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\maindb
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\plugins\0\CustomUI.dll
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\maindb
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\languages
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\packagedb
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.DEU.lng
- %PROGRAM_FILES%\Winconfig\INSTALL.LOG
- %PROGRAM_FILES%\Winconfig\license.txt
- %PROGRAM_FILES%\Winconfig\history.txt
- %PROGRAM_FILES%\Winconfig\hostaccount.ini
- %PROGRAM_FILES%\Winconfig\hoststate.dat
- %PROGRAM_FILES%\Winconfig\apc-host.log
- %PROGRAM_FILES%\Winconfig\apc-settings.ini
- %PROGRAM_FILES%\Winconfig\file_id.diz
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.ESN.lng
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.FRA.lng
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.RUS.lng
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.ITA.lng
- %PROGRAM_FILES%\Winconfig\Anyplace Control.chm
- %PROGRAM_FILES%\Winconfig\hcs.exe
- %PROGRAM_FILES%\Winconfig\Languages\apc_hostConfig.PTB.lng
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\unbanner.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\banner.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\license.txt
- %TEMP%\1IK6FBNO\Resume.exe
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\watermark.bmp
- %TEMP%\1IK6FBTA\unpack.dll
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_cancel.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_warn.bmp
- %TEMP%\1IK6FBNO\unpack.dll
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\6097_6097_2.jpg
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\503542_Y7NJ6GGROKM2TGAHM7TF8DP7ZYC3HH_2762-2_H200205_L.jpg
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\210408_164955_ORIGINALE_MODE_ykQXP5.jpg
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\ba2noir.jpg
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter.exe
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\escarpin-plateau-fashion-et-sexy-avec-talon-haut-et-strass-blanc-vetement-femme-fashion.jpg
- %TEMP%\Win\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\blazer-femme-fashion-et-jupe-fashion-sexy-vetements-tendance-blanc.jpg
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_inf.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_cancel.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_warn.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\plugins\0\CustomUI.dll
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\packagedb
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\languages
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_que.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_inf.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\watermark.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\unbanner.bmp
- %TEMP%\1IK6FBTA\Resume.exe
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_que.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\unwatermark.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\banner.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\maintenance.bmp
- %TEMP%\1IK6FBTA\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\license.txt
Удаляет следующие файлы:
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_warn.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\license.txt
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_inf.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_que.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\unwatermark.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\watermark.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\maintenance.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\unbanner.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\languages
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\maindb
- %TEMP%\1IK6FBNO\Resume.exe
- %TEMP%\1IK6FBNO\unpack.dll
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\banner.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\presetup\butt_cancel.bmp
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\packagedb
- %TEMP%\1IK6FBNO\photos_women_sexy_tendences_modes_styles_models_manequins_stars_peoples_design_fashions_lycra_satins_jeans_pret_a_porter\plugins\0\CustomUI.dll
Сетевая активность:
Подключается к:
- 'me#######fig.dyndns-server.com':443
UDP:
- DNS ASK me#######fig.dyndns-server.com
Другое:
Ищет следующие окна:
- ClassName: 'APC_HOST_HandlerWindow' WindowName: '(null)'
- ClassName: 'MS_WINHELP' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
