Техническая информация
Для обеспечения автозапуска и распространения:
Подменяет следующие исполняемые системные файлы:
- <SYSTEM32>\setup.exe файлом <SYSTEM32>\Setup.exe
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\Reg Organizer\RegOrganizer.exe'
- '%TEMP%\is-N3QO5.tmp\1.tmp' /SL5="$100E0,5005279,119296,<SYSTEM32>\1.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- '<SYSTEM32>\1.exe' /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- '<SYSTEM32>\Setup.exe' (загружен из сети Интернет)
Запускает на исполнение:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\taskkill.exe' /f /im RegOrganizer.exe
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\Reg Organizer\Documentation\English\is-896U9.tmp
- %PROGRAM_FILES%\Reg Organizer\is-QF9A5.tmp
- %PROGRAM_FILES%\Reg Organizer\is-BRJ9J.tmp
- %PROGRAM_FILES%\Reg Organizer\is-RE14F.tmp
- %PROGRAM_FILES%\Reg Organizer\is-VIME8.tmp
- %PROGRAM_FILES%\Reg Organizer\is-PPGP2.tmp
- %PROGRAM_FILES%\Reg Organizer\is-U3RJG.tmp
- %PROGRAM_FILES%\Reg Organizer\is-2LSJA.tmp
- %PROGRAM_FILES%\Reg Organizer\is-39CNU.tmp
- %PROGRAM_FILES%\Reg Organizer\is-L1RVU.tmp
- %PROGRAM_FILES%\Reg Organizer\is-PEUO8.tmp
- %PROGRAM_FILES%\Reg Organizer\is-QMD8O.tmp
- %PROGRAM_FILES%\Reg Organizer\Documentation\Russian\is-VU6GO.tmp
- %TEMP%\aut3.tmp
- <SYSTEM32>\rrr.lnk
- %PROGRAM_FILES%\Reg Organizer\unins000.dat
- %PROGRAM_FILES%\Reg Organizer\regkey.ini
- %TEMP%\aut4.tmp
- %PROGRAM_FILES%\Reg Organizer\UpdaterDll.dll
- %HOMEPATH%\Desktop\Reg Organizer.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\Reg Organizer\Reg Organizer.lnk
- %PROGRAM_FILES%\Reg Organizer\Languages\is-LPP0F.tmp
- %PROGRAM_FILES%\Reg Organizer\unins000.msg
- %ALLUSERSPROFILE%\Start Menu\Programs\Reg Organizer\User's Manual.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\Reg Organizer\Uninstall .lnk
- %PROGRAM_FILES%\Reg Organizer\is-824OG.tmp
- %TEMP%\is-GRH5H.tmp\QuickRegEditorLaunch.dll
- %TEMP%\is-GRH5H.tmp\InstallerTracingAgent.dll
- %TEMP%\is-GRH5H.tmp\CloseApplication.dll
- %PROGRAM_FILES%\Reg Organizer\is-PSM70.tmp
- %PROGRAM_FILES%\Reg Organizer\is-6U94L.tmp
- %PROGRAM_FILES%\Reg Organizer\is-47QJR.tmp
- %TEMP%\aut2.tmp
- %TEMP%\bxopnsz
- %TEMP%\aut1.tmp
- %TEMP%\is-GRH5H.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-N3QO5.tmp\1.tmp
- <SYSTEM32>\1.exe
- %PROGRAM_FILES%\Reg Organizer\is-AHLPV.tmp
- %PROGRAM_FILES%\Reg Organizer\is-HR0LK.tmp
- %PROGRAM_FILES%\Reg Organizer\is-MJ6K3.tmp
- %PROGRAM_FILES%\Reg Organizer\is-34SCK.tmp
- %PROGRAM_FILES%\Reg Organizer\is-7K5N8.tmp
- %PROGRAM_FILES%\Reg Organizer\is-JL8LF.tmp
- %PROGRAM_FILES%\Reg Organizer\is-37DAI.tmp
- %PROGRAM_FILES%\Reg Organizer\is-08C32.tmp
- %PROGRAM_FILES%\Reg Organizer\is-MJ81M.tmp
- %PROGRAM_FILES%\Reg Organizer\is-GQIT2.tmp
- %PROGRAM_FILES%\Reg Organizer\is-J84HC.tmp
- %PROGRAM_FILES%\Reg Organizer\is-JID0C.tmp
- %PROGRAM_FILES%\Reg Organizer\is-P5BT8.tmp
Присваивает атрибут 'скрытый' для следующих файлов:
- <SYSTEM32>\1.exe
Удаляет следующие файлы:
- %TEMP%\aut3.tmp
- <SYSTEM32>\1.exe
- %TEMP%\is-N3QO5.tmp\1.tmp
- %TEMP%\aut4.tmp
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- <SYSTEM32>\setup.exe
- %TEMP%\aut2.tmp
- %TEMP%\bxopnsz
- %TEMP%\aut1.tmp
- %TEMP%\is-GRH5H.tmp\CloseApplication.dll
- %TEMP%\is-GRH5H.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-GRH5H.tmp\QuickRegEditorLaunch.dll
- %TEMP%\is-GRH5H.tmp\InstallerTracingAgent.dll
Перемещает следующие файлы:
- %PROGRAM_FILES%\Reg Organizer\is-QMD8O.tmp в %PROGRAM_FILES%\Reg Organizer\Updater.exe
- %PROGRAM_FILES%\Reg Organizer\is-PEUO8.tmp в %PROGRAM_FILES%\Reg Organizer\UpdaterDll.dll
- %PROGRAM_FILES%\Reg Organizer\is-L1RVU.tmp в %PROGRAM_FILES%\Reg Organizer\License.txt
- %PROGRAM_FILES%\Reg Organizer\is-U3RJG.tmp в %PROGRAM_FILES%\Reg Organizer\UndoingChangesCenterUnit.const
- %PROGRAM_FILES%\Reg Organizer\is-824OG.tmp в %PROGRAM_FILES%\Reg Organizer\RegOrganizerAgent.exe
- %PROGRAM_FILES%\Reg Organizer\is-39CNU.tmp в %PROGRAM_FILES%\Reg Organizer\SetSecurity64Call.exe
- %PROGRAM_FILES%\Reg Organizer\is-2LSJA.tmp в %PROGRAM_FILES%\Reg Organizer\tweaks.bkp.xml
- %PROGRAM_FILES%\Reg Organizer\is-BRJ9J.tmp в %PROGRAM_FILES%\Reg Organizer\Readme.txt
- %PROGRAM_FILES%\Reg Organizer\is-RE14F.tmp в %PROGRAM_FILES%\Reg Organizer\WhatsNew-Russian.txt
- %PROGRAM_FILES%\Reg Organizer\Documentation\Russian\is-VU6GO.tmp в %PROGRAM_FILES%\Reg Organizer\Documentation\Russian\Documentation.chm
- %PROGRAM_FILES%\Reg Organizer\Languages\is-LPP0F.tmp в %PROGRAM_FILES%\Reg Organizer\Languages\russian.sib
- %PROGRAM_FILES%\Reg Organizer\is-VIME8.tmp в %PROGRAM_FILES%\Reg Organizer\Readme-Russian.txt
- %PROGRAM_FILES%\Reg Organizer\is-QF9A5.tmp в %PROGRAM_FILES%\Reg Organizer\WhatsNew.txt
- %PROGRAM_FILES%\Reg Organizer\Documentation\English\is-896U9.tmp в %PROGRAM_FILES%\Reg Organizer\Documentation\English\Documentation.chm
- %PROGRAM_FILES%\Reg Organizer\is-PPGP2.tmp в %PROGRAM_FILES%\Reg Organizer\License-Russian.txt
- %PROGRAM_FILES%\Reg Organizer\is-7K5N8.tmp в %PROGRAM_FILES%\Reg Organizer\RegOrganizer.exe
- %PROGRAM_FILES%\Reg Organizer\is-GQIT2.tmp в %PROGRAM_FILES%\Reg Organizer\CleanFolders.bkp.xml
- %PROGRAM_FILES%\Reg Organizer\is-MJ81M.tmp в %PROGRAM_FILES%\Reg Organizer\CloseApplication.dll
- %PROGRAM_FILES%\Reg Organizer\is-08C32.tmp в %PROGRAM_FILES%\Reg Organizer\DiskCleanerMasks.bkp.xml
- %PROGRAM_FILES%\Reg Organizer\is-AHLPV.tmp в %PROGRAM_FILES%\Reg Organizer\ChemtableStartupChecker.exe
- %PROGRAM_FILES%\Reg Organizer\is-47QJR.tmp в %PROGRAM_FILES%\Reg Organizer\unins000.exe
- %PROGRAM_FILES%\Reg Organizer\is-6U94L.tmp в %PROGRAM_FILES%\Reg Organizer\links.xml
- %PROGRAM_FILES%\Reg Organizer\is-PSM70.tmp в %PROGRAM_FILES%\Reg Organizer\AppUninstIgnore.bkp.xml
- %PROGRAM_FILES%\Reg Organizer\is-P5BT8.tmp в %PROGRAM_FILES%\Reg Organizer\IgnoreDiskCleaner.bkp.xml
- %PROGRAM_FILES%\Reg Organizer\is-HR0LK.tmp в %PROGRAM_FILES%\Reg Organizer\QuickRegEditorLaunch.dll
- %PROGRAM_FILES%\Reg Organizer\is-37DAI.tmp в %PROGRAM_FILES%\Reg Organizer\Reg64Call.exe
- %PROGRAM_FILES%\Reg Organizer\is-JL8LF.tmp в %PROGRAM_FILES%\Reg Organizer\RegKeysV3to5.dll
- %PROGRAM_FILES%\Reg Organizer\is-MJ6K3.tmp в %PROGRAM_FILES%\Reg Organizer\ProgramDataStorage.const
- %PROGRAM_FILES%\Reg Organizer\is-JID0C.tmp в %PROGRAM_FILES%\Reg Organizer\IgnoreRegCleaner.bkp.xml
- %PROGRAM_FILES%\Reg Organizer\is-J84HC.tmp в %PROGRAM_FILES%\Reg Organizer\InstallerTracingAgent.dll
- %PROGRAM_FILES%\Reg Organizer\is-34SCK.tmp в %PROGRAM_FILES%\Reg Organizer\OptimizationAnimation.avi
Сетевая активность:
Подключается к:
- 'www.ka###imsiz.com':80
TCP:
Запросы HTTP GET:
- www.ka###imsiz.com/Setup.rar
UDP:
- DNS ASK www.ka###imsiz.com
- DNS ASK www.google.com
Другое:
Ищет следующие окна:
- ClassName: 'BUTTON' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
