Trojan.DownLoader3.35096

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syscheck.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartassistant.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ToolsUp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegEx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStore.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgaurd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killhidepid.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvfw.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findt2005.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IsHelp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] 'Debugger' = 'ntsd -d'

Вредоносные функции:

Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%CommonProgramFiles%\Beanfun.exe' = '%CommonProgramFiles%\Beanfun.exe:*:Enabled:@xpsp2res.dll,-22019'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Создает и запускает на исполнение:

%CommonProgramFiles%\Beanfun.exe -One

Запускает на исполнение:

<SYSTEM32>\svchost.exe
<SYSTEM32>\rundll32.exe "%HOMEPATH%\jglbc.drv",MyLove
<SYSTEM32>\rundll32.exe "%HOMEPATH%\rgpnh.drv",MyLove

Изменения в файловой системе:

Создает следующие файлы:

%HOMEPATH%\~pwg.tmp
%HOMEPATH%\jglbc.drv
%CommonProgramFiles%\Beanfun.exe
%TEMP%\Temporary Internet Files\Content.IE5\desktop.ini
%TEMP%\Temporary Internet Files\Content.IE5\SLOT6DY5\desktop.ini
%TEMP%\Temporary Internet Files\Content.IE5\C92VK9EV\desktop.ini
%TEMP%\Temporary Internet Files\Content.IE5\EJ234J6P\desktop.ini
\Device\HarddiskVolume1
%TEMP%\2.tmp
%TEMP%\1.tmp
%HOMEPATH%\rgpnh.drv
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\Count[1].htm
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\index[1].html
%HOMEPATH%\~nov.tmp

Присваивает атрибут 'скрытый' для следующих файлов:

%TEMP%\Temporary Internet Files\Content.IE5\C92VK9EV\desktop.ini
%TEMP%\Temporary Internet Files\Content.IE5\SLOT6DY5\desktop.ini
%TEMP%\Temporary Internet Files\Content.IE5\EJ234J6P\desktop.ini
%CommonProgramFiles%\Beanfun.exe
%TEMP%\Temporary Internet Files\Content.IE5\desktop.ini

Удаляет следующие файлы:

%HOMEPATH%\rgpnh.drv
%HOMEPATH%\~pwg.tmp
%HOMEPATH%\jglbc.drv
%HOMEPATH%\~nov.tmp
%TEMP%\1.tmp
%TEMP%\2.tmp
<DRIVERS>\etc\hosts

Подменяет файл HOSTS.

Сетевая активность:

Подключается к:

'www.fu###outw.com':80
'www.mi##ke.net':80
'localhost':1035

TCP:

Запросы HTTP GET:

www.mi##ke.net/small/index.html

Запросы HTTP POST:

www.fu###outw.com/k/Count.asp

UDP:

DNS ASK www.fu###outw.com
DNS ASK www.mi##ke.net

Другое:

Ищет следующие окна:

ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней