Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'KKTANG' = '%PROGRAM_FILES%\kktang\KKTStart.exe'
- [<HKLM>\SOFTWARE\Classes\YYD\shell\open\command] '' = '"%PROGRAM_FILES%\kktang\KKTStart.exe" "%1"'
Вредоносные функции:
Создает и запускает на исполнение:
- %PROGRAM_FILES%\kktang\KKTStart.exe
Запускает на исполнение:
- <SYSTEM32>\regsvr32.exe /s "%PROGRAM_FILES%\kktang\YYDActiveX.dll"
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\kktang\Skin\w_bottomcenter.png
- %PROGRAM_FILES%\kktang\Skin\view.png
- %PROGRAM_FILES%\kktang\Skin\w_bottomleft.png
- %PROGRAM_FILES%\kktang\Skin\w_center.png
- %PROGRAM_FILES%\kktang\Skin\w_bottomright.png
- %PROGRAM_FILES%\kktang\Skin\treeright.png
- %PROGRAM_FILES%\kktang\Skin\treeleft.png
- %PROGRAM_FILES%\kktang\Skin\treetop.png
- %PROGRAM_FILES%\kktang\Skin\upgrader.png
- %PROGRAM_FILES%\kktang\Skin\up.png
- %PROGRAM_FILES%\kktang\Skin\webgame.png
- %PROGRAM_FILES%\kktang\Skin\w_titleright.png
- %PROGRAM_FILES%\kktang\static\1-11030R204220-L.jpg
- %PROGRAM_FILES%\kktang\static\2.ico
- %PROGRAM_FILES%\kktang\static\1.ico
- %PROGRAM_FILES%\kktang\Skin\w_left.png
- %PROGRAM_FILES%\kktang\Skin\w_close.png
- %PROGRAM_FILES%\kktang\Skin\w_right.png
- %PROGRAM_FILES%\kktang\Skin\w_titleleft.png
- %PROGRAM_FILES%\kktang\Skin\w_titlecenter.png
- %PROGRAM_FILES%\kktang\Skin\treeicon.png
- %PROGRAM_FILES%\kktang\Skin\start.png
- %PROGRAM_FILES%\kktang\Skin\split2.png
- %PROGRAM_FILES%\kktang\Skin\stop.png
- %PROGRAM_FILES%\kktang\Skin\tab.png
- %PROGRAM_FILES%\kktang\Skin\sys.png
- %PROGRAM_FILES%\kktang\Skin\setupdate.png
- %PROGRAM_FILES%\kktang\Skin\setlist.png
- %PROGRAM_FILES%\kktang\Skin\singlegame.png
- %PROGRAM_FILES%\kktang\Skin\split.png
- %PROGRAM_FILES%\kktang\Skin\smallgame.png
- %PROGRAM_FILES%\kktang\Skin\titlename.png
- %PROGRAM_FILES%\kktang\Skin\titleleft.png
- %PROGRAM_FILES%\kktang\Skin\titleright.png
- %PROGRAM_FILES%\kktang\Skin\treebottom.png
- %PROGRAM_FILES%\kktang\Skin\titletexture.png
- %PROGRAM_FILES%\kktang\Skin\tabclose.png
- %PROGRAM_FILES%\kktang\Skin\tabbk.png
- %PROGRAM_FILES%\kktang\Skin\tipbg.png
- %PROGRAM_FILES%\kktang\Skin\titlecloud.png
- %PROGRAM_FILES%\kktang\Skin\titlecenter.png
- %PROGRAM_FILES%\kktang\static\3.ico
- %PROGRAM_FILES%\kktang\Games.db
- %PROGRAM_FILES%\kktang\Games.db-journal
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\index[1].php
- %TEMP%\TMP4.tmp
- %TEMP%\TMP3.tmp
- %PROGRAM_FILES%\kktang\KKМГУОП·єРЧУ.url
- %PROGRAM_FILES%\kktang\xml\version.txt
- %HOMEPATH%\Start Menu\Programs\KKМГУОП·єРЧУ\KKМГ№Щ·ЅНшХѕ.lnk
- %PROGRAM_FILES%\kktang\uninst.exe
- %HOMEPATH%\Start Menu\Programs\KKМГУОП·єРЧУ\Р¶ФШKKМГУОП·єРЧУ.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\version[1].txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\update_ini[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\bottomad[1].php
- %PROGRAM_FILES%\kktang\User\update.info
- %PROGRAM_FILES%\kktang\bottomad.html
- %TEMP%\TMP6.tmp
- %TEMP%\TMP5.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\recom_list[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\guide[1].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\index1[1].html
- %PROGRAM_FILES%\kktang\xml\local_groups.xml
- %PROGRAM_FILES%\kktang\static\close_hover.jpg
- %PROGRAM_FILES%\kktang\static\close.jpg
- %PROGRAM_FILES%\kktang\static\download_s.png
- %PROGRAM_FILES%\kktang\static\jquery.drag.js
- %PROGRAM_FILES%\kktang\static\jquery-1.4.2.min.js
- %PROGRAM_FILES%\kktang\static\base.js
- %PROGRAM_FILES%\kktang\static\base.css
- %PROGRAM_FILES%\kktang\static\bg_hover.jpg
- %PROGRAM_FILES%\kktang\static\bg_nohover.jpg
- %PROGRAM_FILES%\kktang\static\bg_hover.png
- %PROGRAM_FILES%\kktang\xml\OnLineGames.xml
- %PROGRAM_FILES%\kktang\xml\HotCommend.xml
- %PROGRAM_FILES%\kktang\xml\SingleGame.xml
- %PROGRAM_FILES%\kktang\xml\WebGames.xml
- %PROGRAM_FILES%\kktang\xml\ToolPatch.xml
- %PROGRAM_FILES%\kktang\static\search_class_bg.png
- %PROGRAM_FILES%\kktang\static\menubg.jpg
- %PROGRAM_FILES%\kktang\static\space.gif
- %PROGRAM_FILES%\kktang\xml\FlashGame.xml
- %PROGRAM_FILES%\kktang\static\tool_bar.jpg
- %PROGRAM_FILES%\kktang\Skin\setinstall.png
- %PROGRAM_FILES%\kktang\Skin\SearchGo.png
- %PROGRAM_FILES%\kktang\Skin\SearchBarRight.png
- %PROGRAM_FILES%\kktang\Skin\Thumbs.db
- %PROGRAM_FILES%\kktang\Skin\adclose.png
- %PROGRAM_FILES%\kktang\Skin\about.png
- %PROGRAM_FILES%\kktang\Skin\D2.bmp
- %PROGRAM_FILES%\kktang\Skin\D1.bmp
- %PROGRAM_FILES%\kktang\Skin\D3.bmp
- %PROGRAM_FILES%\kktang\Skin\SearchBarMid.png
- %PROGRAM_FILES%\kktang\Skin\SearchBarLeft.png
- %PROGRAM_FILES%\kktang\Skin\cancelinstall_button.png
- %PROGRAM_FILES%\kktang\Skin\cancelextra_button.png
- %PROGRAM_FILES%\kktang\Skin\cancelupgrader.png
- %PROGRAM_FILES%\kktang\Skin\centertop.png
- %PROGRAM_FILES%\kktang\Skin\centerbottom.png
- %PROGRAM_FILES%\kktang\Skin\bbs.png
- %PROGRAM_FILES%\kktang\Skin\addtask.png
- %PROGRAM_FILES%\kktang\Skin\botton.png
- %PROGRAM_FILES%\kktang\Skin\cancel.png
- %PROGRAM_FILES%\kktang\Skin\browser.png
- %PROGRAM_FILES%\kktang\Skin\C3.bmp
- %PROGRAM_FILES%\kktang\demo.htm
- %PROGRAM_FILES%\kktang\YYDActiveX.dll
- %PROGRAM_FILES%\kktang\setup.ini
- %PROGRAM_FILES%\kktang\unrar.dll
- %PROGRAM_FILES%\kktang\sqlite3.dll
- %PROGRAM_FILES%\kktang\KKTStart.exe
- %TEMP%\nsc2.tmp\KillProcDLL.dll
- %HOMEPATH%\Start Menu\Programs\KKМГУОП·єРЧУ\KKМГУОП·єРЧУ.lnk
- %PROGRAM_FILES%\kktang\CrashReport.exe
- %HOMEPATH%\Desktop\KKМГУОП·єРЧУ.lnk
- %PROGRAM_FILES%\kktang\Skin\B3.bmp
- %PROGRAM_FILES%\kktang\Skin\B2.png
- %PROGRAM_FILES%\kktang\Skin\C1.bmp
- %PROGRAM_FILES%\kktang\Skin\C2.png
- %PROGRAM_FILES%\kktang\Skin\C2.bmp
- %PROGRAM_FILES%\kktang\Skin\A2.bmp
- %PROGRAM_FILES%\kktang\Skin\A1.bmp
- %PROGRAM_FILES%\kktang\Skin\A3.bmp
- %PROGRAM_FILES%\kktang\Skin\B2.bmp
- %PROGRAM_FILES%\kktang\Skin\B1.bmp
- %PROGRAM_FILES%\kktang\Skin\checkupgrader.png
- %PROGRAM_FILES%\kktang\Skin\openbrowser.png
- %PROGRAM_FILES%\kktang\Skin\open_button.png
- %PROGRAM_FILES%\kktang\Skin\pause.png
- %PROGRAM_FILES%\kktang\Skin\refresh.png
- %PROGRAM_FILES%\kktang\Skin\poweroff.png
- %PROGRAM_FILES%\kktang\Skin\mygame.png
- %PROGRAM_FILES%\kktang\Skin\mydown.png
- %PROGRAM_FILES%\kktang\Skin\netgame.png
- %PROGRAM_FILES%\kktang\Skin\open.png
- %PROGRAM_FILES%\kktang\Skin\ok.png
- %PROGRAM_FILES%\kktang\Skin\rungame_button.png
- %PROGRAM_FILES%\kktang\Skin\righttop.png
- %PROGRAM_FILES%\kktang\Skin\search_ico.png
- %PROGRAM_FILES%\kktang\Skin\setdownload.png
- %PROGRAM_FILES%\kktang\Skin\set.png
- %PROGRAM_FILES%\kktang\Skin\right.png
- %PROGRAM_FILES%\kktang\Skin\restore.png
- %PROGRAM_FILES%\kktang\Skin\rightbottom.png
- %PROGRAM_FILES%\kktang\Skin\rightright.png
- %PROGRAM_FILES%\kktang\Skin\rightright..png
- %PROGRAM_FILES%\kktang\Skin\minmaxbox.png
- %PROGRAM_FILES%\kktang\Skin\download.png
- %PROGRAM_FILES%\kktang\Skin\down.png
- %PROGRAM_FILES%\kktang\Skin\extra_button.png
- %PROGRAM_FILES%\kktang\Skin\hot.png
- %PROGRAM_FILES%\kktang\Skin\feedback.png
- %PROGRAM_FILES%\kktang\Skin\close_button.png
- %PROGRAM_FILES%\kktang\Skin\close.png
- %PROGRAM_FILES%\kktang\Skin\d1ownload.png
- %PROGRAM_FILES%\kktang\Skin\delete.png
- %PROGRAM_FILES%\kktang\Skin\defaultset.png
- %PROGRAM_FILES%\kktang\Skin\logo.png
- %PROGRAM_FILES%\kktang\Skin\lefttop.png
- %PROGRAM_FILES%\kktang\Skin\max.png
- %PROGRAM_FILES%\kktang\Skin\min.png
- %PROGRAM_FILES%\kktang\Skin\menu.png
- %PROGRAM_FILES%\kktang\Skin\install.png
- %PROGRAM_FILES%\kktang\Skin\hotgame.png
- %PROGRAM_FILES%\kktang\Skin\install_button.png
- %PROGRAM_FILES%\kktang\Skin\leftbottom.png
- %PROGRAM_FILES%\kktang\Skin\left.png
Удаляет следующие файлы:
- %TEMP%\TMP4.tmp
- %TEMP%\TMP5.tmp
- %TEMP%\TMP6.tmp
- %TEMP%\nsc2.tmp\KillProcDLL.dll
- %PROGRAM_FILES%\kktang\Games.db-journal
- %TEMP%\TMP3.tmp
Сетевая активность:
Подключается к:
- 'www.kk##ng.com':80
- 'gx.##tang.com':80
- 'tj#.#ktang.com':80
- 'localhost':1044
TCP:
Запросы HTTP GET:
- www.kk##ng.com/xmlmenu/version.txt
- gx.##tang.com/update/update_ini.php
- gx.##tang.com/update/hideup_ini.php
- tj#.#ktang.com/pop/bottomad.php
- www.kk##ng.com/recom_list.php
- tj#.#ktang.com/tj/index.php?m=################################################################
- www.kk##ng.com/guide.html
- www.kk##ng.com/index1.html
UDP:
- DNS ASK tj#.#ktang.com
- DNS ASK ro####.utorrent.com
- DNS ASK www.kk##ng.com
- DNS ASK gx.##tang.com
- DNS ASK ro####.bittorrent.com
- DNS ASK ro####.bitcomet.com
- DNS ASK sa.###9house.net
- DNS ASK sb.###9house.net
- 'sb.###9house.net':6681
- 'localhost':6881
- '23#.#55.255.250':1900
- 'ro####.utorrent.com':6881
- 'any':5351
- 'sa.###9house.net':6681
- 'ro####.bittorrent.com':6881
Другое:
Ищет следующие окна:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
