Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'drvsyskit' = '%APPDATA%\drivers\winupgro.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\srosa] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\srosa] 'ImagePath' = '<SYSTEM32>\wfsintwq.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\sK9Ou0s] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\sK9Ou0s] 'ImagePath' = '<SYSTEM32>\srosa2.sys'
Вредоносные функции:
Для затруднения выявления своего присутствия в системе
блокирует запуск следующих системных утилит:
- Обновления системы (Windows Update)
- Центр обеспечения безопасности (Security Center)
блокирует:
- Средство контроля пользовательских учетных записей (UAC)
Запускает на исполнение:
- '%APPDATA%\drivers\winupgro.exe'
Завершает или пытается завершить
большое количество пользовательских процессов.
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: '' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'GBDYLLO' WindowName: ''
- ClassName: 'OLLYDBG' WindowName: ''
- ClassName: 'FilemonClass' WindowName: ''
- ClassName: 'pediy06' WindowName: ''
Устраняет перехваты фукнций в SSDT (System Service Descriptor Table).
Скрывает следующие процессы:
- %APPDATA%\drivers\winupgro.exe
Изменения в файловой системе:
Создает следующие файлы:
- %APPDATA%\drivers\downld\209500.exe
- %APPDATA%\drivers\downld\211328.exe
- %APPDATA%\drivers\downld\207078.exe
- %APPDATA%\drivers\downld\207453.exe
- %APPDATA%\drivers\downld\215531.exe
- %APPDATA%\drivers\downld\216468.exe
- %APPDATA%\drivers\downld\213078.exe
- %APPDATA%\drivers\downld\213828.exe
- %APPDATA%\drivers\downld\205718.exe
- %APPDATA%\drivers\downld\198718.exe
- %APPDATA%\drivers\downld\200406.exe
- %APPDATA%\drivers\downld\196468.exe
- %APPDATA%\drivers\downld\197687.exe
- %APPDATA%\drivers\downld\204093.exe
- %APPDATA%\drivers\downld\205359.exe
- %APPDATA%\drivers\downld\201125.exe
- %APPDATA%\drivers\downld\203406.exe
- %APPDATA%\drivers\downld\231406.exe
- %APPDATA%\drivers\downld\234000.exe
- %APPDATA%\drivers\downld\227968.exe
- %APPDATA%\drivers\downld\229718.exe
- %APPDATA%\drivers\downld\236328.exe
- %APPDATA%\drivers\downld\238031.exe
- %APPDATA%\drivers\downld\234718.exe
- %APPDATA%\drivers\downld\235968.exe
- %APPDATA%\drivers\downld\227515.exe
- %APPDATA%\drivers\downld\220484.exe
- %APPDATA%\drivers\downld\221562.exe
- %APPDATA%\drivers\downld\218531.exe
- %APPDATA%\drivers\downld\219203.exe
- %APPDATA%\drivers\downld\225468.exe
- %APPDATA%\drivers\downld\226187.exe
- %APPDATA%\drivers\downld\222968.exe
- %APPDATA%\drivers\downld\223390.exe
- %APPDATA%\drivers\downld\195468.exe
- %APPDATA%\drivers\downld\166093.exe
- %APPDATA%\drivers\downld\167406.exe
- %APPDATA%\drivers\downld\162375.exe
- %APPDATA%\drivers\downld\164437.exe
- %APPDATA%\drivers\downld\169546.exe
- %APPDATA%\drivers\downld\171765.exe
- %APPDATA%\drivers\downld\167859.exe
- %APPDATA%\drivers\downld\169046.exe
- %APPDATA%\drivers\downld\162031.exe
- <SYSTEM32>\wfsintwq.sys
- %APPDATA%\drivers\downld\156515.exe
- %APPDATA%\drivers\winupgro.exe
- <SYSTEM32>\srosa2.sys
- %APPDATA%\drivers\downld\160328.exe
- %APPDATA%\drivers\downld\160687.exe
- %APPDATA%\drivers\downld\158890.exe
- %APPDATA%\drivers\downld\159218.exe
- %APPDATA%\drivers\downld\186359.exe
- %APPDATA%\drivers\downld\188281.exe
- %APPDATA%\drivers\downld\183671.exe
- %APPDATA%\drivers\downld\184093.exe
- %APPDATA%\drivers\downld\192500.exe
- %APPDATA%\drivers\downld\192890.exe
- %APPDATA%\drivers\downld\190343.exe
- %APPDATA%\drivers\downld\191125.exe
- %APPDATA%\drivers\downld\182578.exe
- %APPDATA%\drivers\downld\174375.exe
- %APPDATA%\drivers\downld\175593.exe
- %APPDATA%\drivers\downld\172812.exe
- %APPDATA%\drivers\downld\174062.exe
- %APPDATA%\drivers\downld\180187.exe
- %APPDATA%\drivers\downld\181921.exe
- %APPDATA%\drivers\downld\176718.exe
- %APPDATA%\drivers\downld\178906.exe
Сетевая активность:
Подключается к:
- 'www.gr#####rcadao.com.br':80
- 'www.pi###tuvida.com':80
- 'an####siers.info':80
- 'fa#####ictimemachine.dk':80
- 'ap####tware.com.br':80
- 'so##ere.fr':80
- 'vd##uad.be':80
- 's2######72.onlinehome.fr':80
- 'fa###urner.org':80
- 'at######upetitprince.com':80
- 'do#####elsonjaque.cl':80
- 'vi####epastor.com':80
- 'ai###mms.com':80
- 'in#####tiongarraf.com':80
- 'bl####agicsoft.com':80
- 'te##me.org':80
- '2p###1.1h.pl':80
- 'es####emos.com.br':80
- 'tr####ardan.com.ar':80
- 'www.vi###aweb.ch':80
- 'bi##pe.dk':80
- 'ne###zone.com':80
- '74.##5.232.51':80
- 'www.si###chland.net':80
- 'www.ge##elp.gr':80
- 'sa####guros.com.br':80
- 'www.di#####nline-world.com':80
- 'ca#####edeibcn.com.br':80
- 'www.vi#####ioilgabbiano.com':80
- 'www.re####aoyc.com.ar':80
- 'in######astodoflex.com.ar':80
- 'ge###t.com.br':80
- 'ht###.com.br':80
- 'el####ng.aab-net.dk':80
TCP:
Запросы HTTP GET:
- http://fa#####ictimemachine.dk/images/abcm.php?cr#####
- http://www.gr#####rcadao.com.br/images/abcm.php?cr#####
- http://fa###urner.org/images/abcm.php?cr#####
- http://an####siers.info/images/abcm.php?cr#####
- http://s2######72.onlinehome.fr/images/abcm.php?cr#####
- http://ap####tware.com.br/images/abcm.php?cr#####
- http://www.pi###tuvida.com/images/abcm.php?cr#####
- http://vd##uad.be/images/abcm.php?cr#####
- http://at######upetitprince.com/images/abcm.php?cr#####
- http://do#####elsonjaque.cl/images/abcm.php?cr#####
- http://vi####epastor.com/images/abcm.php?cr#####
- http://ai###mms.com/images/abcm.php?cr#####
- http://in#####tiongarraf.com/images/abcm.php?cr#####
- http://bl####agicsoft.com/images/abcm.php?cr#####
- http://te##me.org/images/abcm.php?cr#####
- http://2p###1.1h.pl/images/abcm.php?cr#####
- http://so##ere.fr/images/abcm.php?cr#####
- http://bi##pe.dk/images/abcm.php?cr#####
- http://es####emos.com.br/images/abcm.php?cr#####
- http://sa####guros.com.br/images/abcm.php?cr#####
- http://www.vi###aweb.ch/images/abcm.php?cr#####
- http://www.ge##elp.gr/images/abcm.php?cr#####
- http://ne###zone.com/images/abcm.php?cr#####
- http://tr####ardan.com.ar/images/abcm.php?cr#####
- http://www.si###chland.net/images/abcm.php?cr#####
- http://www.di#####nline-world.com/images/abcm.php?cr#####
- http://ca#####edeibcn.com.br/images/abcm.php?cr#####
- http://www.vi#####ioilgabbiano.com/images/abcm.php?cr#####
- http://www.re####aoyc.com.ar/images/abcm.php?cr#####
- http://in######astodoflex.com.ar/images/abcm.php?cr#####
- http://ge###t.com.br/images/abcm.php?cr#####
- http://ht###.com.br/images/abcm.php?cr#####
- http://el####ng.aab-net.dk/images/abcm.php?cr#####
UDP:
- DNS ASK fa#####ictimemachine.dk
- DNS ASK www.gr#####rcadao.com.br
- DNS ASK fa###urner.org
- DNS ASK an####siers.info
- DNS ASK s2######72.onlinehome.fr
- DNS ASK ap####tware.com.br
- DNS ASK www.pi###tuvida.com
- DNS ASK vd##uad.be
- DNS ASK bl####agicsoft.com
- DNS ASK ai###mms.com
- DNS ASK at######upetitprince.com
- DNS ASK tr###147.com
- DNS ASK vi####epastor.com
- DNS ASK 2p###1.1h.pl
- DNS ASK in#####tiongarraf.com
- DNS ASK do#####elsonjaque.cl
- DNS ASK te##me.org
- DNS ASK so##ere.fr
- DNS ASK es####emos.com.br
- DNS ASK tr####ardan.com.ar
- DNS ASK www.vi###aweb.ch
- DNS ASK bi##pe.dk
- DNS ASK ne###zone.com
- DNS ASK google.com
- DNS ASK www.si###chland.net
- DNS ASK www.ge##elp.gr
- DNS ASK sa####guros.com.br
- DNS ASK www.di#####nline-world.com
- DNS ASK ca#####edeibcn.com.br
- DNS ASK www.vi#####ioilgabbiano.com
- DNS ASK www.re####aoyc.com.ar
- DNS ASK in######astodoflex.com.ar
- DNS ASK ge###t.com.br
- DNS ASK ht###.com.br
- DNS ASK el####ng.aab-net.dk
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'AavmMessageClass' WindowName: ''
- ClassName: '18467-41' WindowName: ''
