Trojan.Packed.30336

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb-900-win.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb-900-win-space.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PandaCloudAntivirus.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-SecureNetworkInstallerUpg.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast_internet_security_setup_online.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast_free_antivirus_setup_online.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UnThreatProSetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HousecallLauncher.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieInstall.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-SecureNetworkInstaller_IS-ESTORE-TRIAL-GLOBAL_.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavPro_Setup_Mini_GL.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\md_setup_en.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wireshark.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\registry-life-setup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EmsisoftEmergencyKit.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McAfeeSetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftonicDownloader_for_panda-antivirus-pro.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardDownloaderBPP.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamAVSetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avira_family_protection_suite_ru.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast_internet_security_setup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cispremium_installer.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OutpostSecuritySuiteProInstall_x64.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EmsisoftInternetSecuritySetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Adaware_Installer.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avira_ultimate_protection_suite_ru.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cureit.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OutpostSecuritySuiteProInstall.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'AppInit_DLLs' = ''
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] '1' = ''
[<HKLM>\SYSTEM\ControlSet002\Control\Session Manager] 'BootExecute' = ''
[<HKLM>\SYSTEM\ControlSet001\Control\Session Manager] 'BootExecute' = ''
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityScan_Release.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpyShelter.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OnlineArmorSetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast_premier_antivirus_setup_online.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup-vipre-internet-security-en-us-trial.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitdefender_tsecurity.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stop-sign_install.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7UltimateSecurity_installer.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32.Vista.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PadvishAntivirusFree.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSafeAntivirusSetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanHunterSetup.exe] 'debugger' = 'msiexec.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ess_trial32_rus.exe] 'debugger' = 'msiexec.exe'

Вредоносные функции:

Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'

Для затруднения выявления своего присутствия в системе

блокирует:

Средство контроля пользовательских учетных записей (UAC)
Центр обеспечения безопасности (Security Center)

Принудительно разрешает автозапуск со съемных носителей.

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\rdpinst.exe

Изменяет файл HOSTS.

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней