Trojan.DownLoader12.5277

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Registry Helper' = '"%PROGRAM_FILES%\Registry Helper\RegistryHelper.Exe" /boot'

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\Registry Helper Service] 'Start' = '00000002'

Вредоносные функции:

Создает и запускает на исполнение:

'%PROGRAM_FILES%\Registry Helper\RegistryHelperService.exe'
'%PROGRAM_FILES%\Registry Helper\RegistryHelper.exe' /Install /Freeze /delay5
'%PROGRAM_FILES%\Registry Helper\RegistryHelperService.exe' /i
'%PROGRAM_FILES%\Registry Helper\Starter.exe'

Изменения в файловой системе:

Создает следующие файлы:

%PROGRAM_FILES%\Registry Helper\Help\images\activation_successful.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\activation_incorrect.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\ignore_list.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\background.gif
%PROGRAM_FILES%\Registry Helper\Help\images\about.jpg
%PROGRAM_FILES%\Registry Helper\Help\Updates.htm
%PROGRAM_FILES%\Registry Helper\Help\images\activate_now.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\activate.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\restore.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\program_settings.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\scan_options.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\scan_now.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\internet_speed_optimizer.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\index_16.gif
%PROGRAM_FILES%\Registry Helper\Help\images\logo.gif
%PROGRAM_FILES%\Registry Helper\Help\images\invalid_entries_detected.jpg
%PROGRAM_FILES%\Registry Helper\Help\Restore.htm
%PROGRAM_FILES%\Registry Helper\Help\Program Settings.htm
%PROGRAM_FILES%\Registry Helper\Help\Scan Now.htm
%PROGRAM_FILES%\Registry Helper\Help\Retrieve Lost Activation Key.htm
%PROGRAM_FILES%\Registry Helper\Help\Invalid Entries Detected.htm
%PROGRAM_FILES%\Registry Helper\Help\Internet Optimizer.htm
%PROGRAM_FILES%\Registry Helper\Help\Overview.htm
%PROGRAM_FILES%\Registry Helper\Help\License Agreement.htm
%PROGRAM_FILES%\Registry Helper\Help\System Requirements.htm
%PROGRAM_FILES%\Registry Helper\Help\Startup Manager.htm
%PROGRAM_FILES%\Registry Helper\Help\Uninstall.htm
%PROGRAM_FILES%\Registry Helper\Help\Technical Support.htm
%PROGRAM_FILES%\Registry Helper\Help\Scanning.htm
%PROGRAM_FILES%\Registry Helper\Help\Scan Options.htm
%PROGRAM_FILES%\Registry Helper\Help\Splash Screen.htm
%PROGRAM_FILES%\Registry Helper\Help\Scheduler.htm
%PROGRAM_FILES%\Registry Helper\Registry Helper.url
%ALLUSERSPROFILE%\Desktop\Registry Helper.lnk
%PROGRAM_FILES%\Registry Helper\uninst.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Registry Helper\Visit our Website.lnk
<SYSTEM32>\msflxgrd.ocx
<SYSTEM32>\dhRichClient3.dll
%ALLUSERSPROFILE%\Start Menu\Programs\Registry Helper\Registry Helper.lnk
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\BackupOptions.efs
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\StatusInfo.efs
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\RegistryHelper.ini
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\Ignored.efs
%ALLUSERSPROFILE%\Application Data\Registry Helper\Service\Service Log.txt
%ALLUSERSPROFILE%\Application Data\Registry Helper\Service\SentData.dat
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\Options.efs
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\Settings.efs
%PROGRAM_FILES%\Registry Helper\Help\include\footer.js
%PROGRAM_FILES%\Registry Helper\Help\images\updates.jpg
<SYSTEM32>\mscomct2.ocx
%PROGRAM_FILES%\Registry Helper\Help\include\jsfunctions.js
%PROGRAM_FILES%\Registry Helper\Help\images\scheduler.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\scanning.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\startup_manager.jpg
%PROGRAM_FILES%\Registry Helper\Help\images\splash_screen.jpg
<SYSTEM32>\RegistryHelperLM.ocx
<SYSTEM32>\NTSVC.ocx
<SYSTEM32>\sqlite36_engine.dll
<SYSTEM32>\DirectCOM.dll
<SYSTEM32>\SYSINFO.OCX
<SYSTEM32>\mscomctl.ocx
<SYSTEM32>\MSINET.OCX
<SYSTEM32>\RICHTX32.OCX
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter9.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter8.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter11.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter10.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter5.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter4.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter7.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter6.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter17.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter16.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter19.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter18.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter13.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter12.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter15.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter14.htm
%PROGRAM_FILES%\Registry Helper\RegistryHelper.exe
%PROGRAM_FILES%\Registry Helper\ErrorFound.wav
%PROGRAM_FILES%\Registry Helper\Starter.exe
%PROGRAM_FILES%\Registry Helper\RegistryHelperService.exe
%TEMP%\nsc3.tmp\System.dll
%TEMP%\nsn2.tmp
%PROGRAM_FILES%\Registry Helper\msxml6.msi
%PROGRAM_FILES%\Registry Helper\RegistryHelperSetupTR.exe
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter1.htm
%PROGRAM_FILES%\Registry Helper\AdvisorLetters.exe
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter3.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter2.htm
%PROGRAM_FILES%\Registry Helper\vbrun60sp5.exe
%PROGRAM_FILES%\Registry Helper\RegistryHelperUninstaller.exe
%PROGRAM_FILES%\Registry Helper\Registry Helper Screen Saver Setup.exe
%PROGRAM_FILES%\Registry Helper\RegistryHelperSetupCB.exe
%PROGRAM_FILES%\Registry Helper\Advisor Letters\include\header.js
%PROGRAM_FILES%\Registry Helper\Advisor Letters\include\footer_short.js
%PROGRAM_FILES%\Registry Helper\logo.gif
%PROGRAM_FILES%\Registry Helper\Advisor Letters\include\jsfunctions.js
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\get_activation_key.gif
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\update_computer_grey.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\include\footer.js
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\index_16.gif
%PROGRAM_FILES%\Registry Helper\Help\Help_index.htm
%PROGRAM_FILES%\Registry Helper\Help\Help_header.htm
%PROGRAM_FILES%\Registry Helper\Help\Ignore List.htm
%PROGRAM_FILES%\Registry Helper\Help\How To Order.htm
%PROGRAM_FILES%\Registry Helper\Help\About.htm
%PROGRAM_FILES%\Registry Helper\background.gif
%PROGRAM_FILES%\Registry Helper\Help\Help.htm
%PROGRAM_FILES%\Registry Helper\Help\Activate Now.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\delete_invalid_entries_grey.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\computerupdater_box.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\diskcleaner_box.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\delete_junk_files_grey.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter21.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter20.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\00_Advisor Letters Index.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\Letter22.htm
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\print_16.gif
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\livedrive.gif
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\startup_manager.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\signature.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\header.gif
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\get_discount.gif
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\iPad_Video_Lessons.jpg
%PROGRAM_FILES%\Registry Helper\Advisor Letters\images\internet_speed_optimizer.jpg

Удаляет следующие файлы:

%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\BackupOptions.efs
%TEMP%\~DF1817.tmp
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\StatusInfo.efs
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\Options.efs
%TEMP%\nsc3.tmp\System.dll
%ALLUSERSPROFILE%\Application Data\Registry Helper\Service\SentData.dat
%ALLUSERSPROFILE%\Application Data\Registry Helper\Settings\Settings.efs

Сетевая активность:

Подключается к:

'www.re###lper.com':80
'www.sa####psoftware.com':80
'localhost':1036

TCP:

Запросы HTTP GET:

www.re###lper.com/rh/tr.asp?so#######################################################################################################################################################################################################################################################################################
www.sa####psoftware.com/sa/SIError.asp?ex#########################################################################################################

UDP:

DNS ASK www.re###lper.com
DNS ASK www.sa####psoftware.com

Другое:

Ищет следующие окна:

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'ThunderRT6FormDC' WindowName: 'Registry Helper (SafeApp Software, LLC)'
ClassName: 'ThunderRT6FormDC' WindowName: 'Registry Helper Advisor'
ClassName: 'ThunderRT6FormDC' WindowName: 'Registry Helper Bundle Starter'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней