Trojan.DownLoader6.1047

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = '%SystemRoot%\System32\mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004] 'LibraryPath' = '%PROGRAM_FILES%\Bonjour\mdnsNSP.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = '%SystemRoot%\System32\mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002] 'LibraryPath' = '%SystemRoot%\System32\winrnr.dll'

Вредоносные функции:

Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\tm\iTouch-Server-Win.exe' = '%WINDIR%\tm\iTouch-Server-Win.exe:*:Enabled:Logitech'

Создает и запускает на исполнение:

%WINDIR%\tm\iTouch-Server-Win.exe -autostart
%TEMP%\BonjourSetup.exe /q
<Текущая директория>\tm.exe /NCRC /S /D=%WINDIR%\tm\

Запускает на исполнение:

<SYSTEM32>\msiexec.exe -Embedding A3C12753BADCA481869D71F487D91C91
<SYSTEM32>\msiexec.exe /Y "%PROGRAM_FILES%\Bonjour\mdnsNSP.dll"
<SYSTEM32>\msiexec.exe -Embedding 2905DF15C0B6DB624DC1DBAA1C3449C7 M Global\MSI0000
<SYSTEM32>\msiexec.exe /V
<SYSTEM32>\cmd.exe /c ""%TEMP%\1.tmp\Back.bat" "
<SYSTEM32>\attrib.exe +r +a +s +h back.exe
<SYSTEM32>\msiexec.exe /i "%TEMP%\IXP162.TMP\Bonjour.msi" /q

Изменяет следующие настройки браузера Windows Internet Explorer:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '*.local'

Изменения в файловой системе:

Создает следующие файлы:

%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\ko.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\nb.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\it.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\ja.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\zh_CN.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\zh_TW.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\nl.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\sv.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\fr.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\ExplorerPluginResources.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\da.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\dns_sd.jar
%PROGRAM_FILES%\Bonjour\About Bonjour.rtf
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\es.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\fi.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\de.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.Resources\en.lproj\ExplorerPluginLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\PrinterWizardResources.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\sv.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\zh_CN.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\nb.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\nl.lproj\PrinterWizardLocalized.dll
%ALLUSERSPROFILE%\Start Menu\Programs\Bonjour\About Bonjour.lnk
%WINDIR%\Installer\MSI9.tmp
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\zh_TW.lproj\PrinterWizardLocalized.dll
%ALLUSERSPROFILE%\Start Menu\Programs\Bonjour\Bonjour Printer Wizard.lnk
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\ko.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\en.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\es.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\da.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\de.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\it.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\ja.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\fi.lproj\PrinterWizardLocalized.dll
%PROGRAM_FILES%\Bonjour\PrinterWizard.Resources\fr.lproj\PrinterWizardLocalized.dll
%TEMP%\IXP162.TMP\AppleSoftwareUpdate.msi
%TEMP%\IXP162.TMP\SetupAdmin.exe
%TEMP%\BonjourSetupB40.log
%TEMP%\IXP162.TMP\Bonjour.msi
%WINDIR%\tm\uninst.exe
%WINDIR%\Installer\27313.msi
%HOMEPATH%\Start Menu\Programs\Logitech Touch Mouse Server\Logitech Touch Mouse Server.lnk
%HOMEPATH%\Start Menu\Programs\Logitech Touch Mouse Server\Uninstall.lnk
%TEMP%\nsp3.tmp\nsisFirewall.dll
<SYSTEM32>\k.bat
<SYSTEM32>\s.bat
%TEMP%\1.tmp\Back.bat
<Текущая директория>\tm.exe
%TEMP%\BonjourSetup.exe
%WINDIR%\tm\iTouch-Server-Win.exe
<SYSTEM32>\r.bat
%TEMP%\nsp3.tmp\System.dll
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
%PROGRAM_FILES%\Bonjour\mdnsNSP.dll
<SYSTEM32>\dnssd.dll
%ALLUSERSPROFILE%\Application Data\Apple\Installer Cache\Bonjour 1.0.106\Bonjour.msi
<SYSTEM32>\dns-sd.exe
%PROGRAM_FILES%\Bonjour\PrinterWizard.exe
%PROGRAM_FILES%\Bonjour\ExplorerPlugin.dll
<SYSTEM32>\jdns_sd.dll
%PROGRAM_FILES%\Bonjour\mDNSResponder.exe
C:\Config.Msi\27316.rbs
%APPDATA%\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
%WINDIR%\Installer\MSI4.tmp
%APPDATA%\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
%WINDIR%\Installer\MSI6.tmp
%WINDIR%\Installer\MSI7.tmp
%WINDIR%\Installer\MSI5.tmp