Trojan.MulDrop5.40706

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Classes\.exe] '' = 'jpegfile'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>\hopelove.exe'
[<HKLM>\SOFTWARE\Classes\.exe] '' = 'exefile'
[<HKLM>\SOFTWARE\Classes\.bat] '' = 'jpegfile'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Имя вируса>.exe' = '<Полный путь к вирусу>'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'D5FD5496' = '%WINDIR%\D5FD5496\svchsot.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svechost.exe' = '%WINDIR%\svechost.exe'

Создает или изменяет следующие файлы:

%WINDIR%\Tasks\At16.job
%WINDIR%\Tasks\At17.job
%WINDIR%\Tasks\At18.job
%WINDIR%\Tasks\At13.job
%WINDIR%\Tasks\At14.job
%WINDIR%\Tasks\At15.job
%WINDIR%\Tasks\At22.job
%WINDIR%\Tasks\At23.job
%WINDIR%\Tasks\At24.job
%WINDIR%\Tasks\At19.job
%WINDIR%\Tasks\At20.job
%WINDIR%\Tasks\At21.job
%WINDIR%\Tasks\At4.job
%WINDIR%\Tasks\At5.job
%WINDIR%\Tasks\At6.job
%WINDIR%\Tasks\At1.job
%WINDIR%\Tasks\At2.job
%WINDIR%\Tasks\At3.job
%WINDIR%\Tasks\At10.job
%WINDIR%\Tasks\At11.job
%WINDIR%\Tasks\At12.job
%WINDIR%\Tasks\At7.job
%WINDIR%\Tasks\At8.job
%WINDIR%\Tasks\At9.job

Подменяет следующие исполняемые системные файлы:

<SYSTEM32>\dllcache\explorer.exe файлом <SYSTEM32>\dllcache\explorer.exe
%WINDIR%\explorer.exe файлом %WINDIR%\explorer.exe

Заражает следующие исполняемые файлы:

<SYSTEM32>\dllcache\explorer.exe
%WINDIR%\explorer.exe

Создает следующие файлы на съемном носителе:

<Имя диска съемного носителя>:\autorun.inf
<Имя диска съемного носителя>:\hopelove.exe

Модифицирует главную загрузочную запись (MBR).

Вредоносные функции:

Создает и запускает на исполнение:

'<SYSTEM32>\hopelove.exe'
'<Имя диска съемного носителя>:\hopelove.exe'
'%WINDIR%\system\explorer.exe'
'%WINDIR%\system\svchost.exe'
'C:\hopelove.exe'
'%WINDIR%\svechost.exe'
'%WINDIR%\kylin.exe'
'%WINDIR%\Gh0stkylin.exe'
'%WINDIR%\server.exe'

Запускает на исполнение:

'<SYSTEM32>\fsutil.exe' fsinfo drives
'<SYSTEM32>\findstr.exe' /i d
'%WINDIR%\regedit.exe' /s reg.reg
'<SYSTEM32>\wscript.exe'
'<SYSTEM32>\attrib.exe'
'<SYSTEM32>\findstr.exe' /i e
'<SYSTEM32>\attrib.exe' +r +s +h <Имя диска съемного носителя>:\autorun.inf
'<SYSTEM32>\attrib.exe' /c %WINDIR%\bat.bat
'<SYSTEM32>\cmd.exe' /c %WINDIR%\17mt.bat
'<SYSTEM32>\ntvdm.exe' -f -i1
'<SYSTEM32>\cmd.exe' /c %WINDIR%\bat.bat
'<SYSTEM32>\attrib.exe' -r -s -h <SYSTEM32>\ server.exe
'%WINDIR%\regedit.exe'
'<SYSTEM32>\ntvdm.exe' -f -i2
'<SYSTEM32>\attrib.exe' -r -s -h <SYSTEM32>\ autorun.inf
'<SYSTEM32>\net1.exe' start "Task Scheduler"

Внедряет код в

следующие системные процессы:

<SYSTEM32>\net.exe
<SYSTEM32>\attrib.exe

Изменяет следующие настройки проводника Windows (Windows Explorer):

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoDrives' = 'FFFFFFFF'

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\175.love
%WINDIR%\176.love
%WINDIR%\173.love
%WINDIR%\174.love
%WINDIR%\177.love
%WINDIR%\180.love
%WINDIR%\181.love
%WINDIR%\178.love
%WINDIR%\179.love
%WINDIR%\166.love
%WINDIR%\167.love
%WINDIR%\164.love
%WINDIR%\165.love
%WINDIR%\168.love
%WINDIR%\171.love
%WINDIR%\172.love
%WINDIR%\169.love
%WINDIR%\170.love
%WINDIR%\182.love
%WINDIR%\194.love
%WINDIR%\195.love
%WINDIR%\192.love
%WINDIR%\193.love
%WINDIR%\196.love
%WINDIR%\199.love
%WINDIR%\200.love
%WINDIR%\197.love
%WINDIR%\198.love
%WINDIR%\185.love
%WINDIR%\186.love
%WINDIR%\183.love
%WINDIR%\184.love
%WINDIR%\187.love
%WINDIR%\190.love
%WINDIR%\191.love
%WINDIR%\188.love
%WINDIR%\189.love
%WINDIR%\163.love
%WINDIR%\137.love
%WINDIR%\138.love
%WINDIR%\135.love
%WINDIR%\136.love
%WINDIR%\139.love
%WINDIR%\142.love
%WINDIR%\143.love
%WINDIR%\140.love
%WINDIR%\141.love
%WINDIR%\128.love
%WINDIR%\129.love
%WINDIR%\126.love
%WINDIR%\127.love
%WINDIR%\130.love
%WINDIR%\133.love
%WINDIR%\134.love
%WINDIR%\131.love
%WINDIR%\132.love
%WINDIR%\144.love
%WINDIR%\156.love
%WINDIR%\157.love
%WINDIR%\154.love
%WINDIR%\155.love
%WINDIR%\158.love
%WINDIR%\161.love
%WINDIR%\162.love
%WINDIR%\159.love
%WINDIR%\160.love
%WINDIR%\147.love
%WINDIR%\148.love
%WINDIR%\145.love
%WINDIR%\146.love
%WINDIR%\149.love
%WINDIR%\152.love
%WINDIR%\153.love
%WINDIR%\150.love
%WINDIR%\151.love
%WINDIR%\250.love
%WINDIR%\251.love
%WINDIR%\248.love
%WINDIR%\249.love
%WINDIR%\252.love
%WINDIR%\255.love
%WINDIR%\256.love
%WINDIR%\253.love
%WINDIR%\254.love
%WINDIR%\241.love
%WINDIR%\242.love
%WINDIR%\239.love
%WINDIR%\240.love
%WINDIR%\243.love
%WINDIR%\246.love
%WINDIR%\247.love
%WINDIR%\244.love
%WINDIR%\245.love
%WINDIR%\257.love
%WINDIR%\269.love
%WINDIR%\270.love
%WINDIR%\267.love
%WINDIR%\268.love
%WINDIR%\271.love
%WINDIR%\274.love
%WINDIR%\275.love
%WINDIR%\272.love
%WINDIR%\273.love
%WINDIR%\260.love
%WINDIR%\261.love
%WINDIR%\258.love
%WINDIR%\259.love
%WINDIR%\262.love
%WINDIR%\265.love
%WINDIR%\266.love
%WINDIR%\263.love
%WINDIR%\264.love
%WINDIR%\238.love
%WINDIR%\212.love
%WINDIR%\213.love
%WINDIR%\210.love
%WINDIR%\211.love
%WINDIR%\214.love
%WINDIR%\217.love
%WINDIR%\218.love
%WINDIR%\215.love
%WINDIR%\216.love
%WINDIR%\203.love
%WINDIR%\204.love
%WINDIR%\201.love
%WINDIR%\202.love
%WINDIR%\205.love
%WINDIR%\208.love
%WINDIR%\209.love
%WINDIR%\206.love
%WINDIR%\207.love
%WINDIR%\219.love
%WINDIR%\231.love
%WINDIR%\232.love
%WINDIR%\229.love
%WINDIR%\230.love
%WINDIR%\233.love
%WINDIR%\236.love
%WINDIR%\237.love
%WINDIR%\234.love
%WINDIR%\235.love
%WINDIR%\222.love
%WINDIR%\223.love
%WINDIR%\220.love
%WINDIR%\221.love
%WINDIR%\224.love
%WINDIR%\227.love
%WINDIR%\228.love
%WINDIR%\225.love
%WINDIR%\226.love
%WINDIR%\125.love
%WINDIR%\Temp\scs3.tmp
%WINDIR%\27.love
%WINDIR%\Temp\scs2.tmp
%WINDIR%\26.love
%WINDIR%\28.love
%WINDIR%\31.love
C:\autorun.inf
%WINDIR%\29.love
%WINDIR%\30.love
%WINDIR%\20.love
%WINDIR%\reg.reg
%WINDIR%\18.love
%WINDIR%\19.love
%WINDIR%\21.love
%WINDIR%\24.love
%WINDIR%\25.love
%WINDIR%\22.love
%WINDIR%\23.love
%WINDIR%\32.love
%WINDIR%\44.love
%WINDIR%\45.love
%WINDIR%\42.love
%WINDIR%\43.love
%WINDIR%\46.love
%WINDIR%\49.love
%WINDIR%\50.love
%WINDIR%\47.love
%WINDIR%\48.love
%WINDIR%\35.love
%WINDIR%\36.love
%WINDIR%\33.love
%WINDIR%\34.love
%WINDIR%\37.love
%WINDIR%\40.love
%WINDIR%\41.love
%WINDIR%\38.love
%WINDIR%\39.love
%WINDIR%\17.love
%WINDIR%\igbw.reg
C:\17mt.ico
<SYSTEM32>\їмІҐ.ico
%WINDIR%\system\explorer.exe
%WINDIR%\17mt.bat
%WINDIR%\Temp\scs1.tmp
C:\hopelove.exe
%WINDIR%\є®Бъ№нУ°.exe
%WINDIR%\reg_love.reg
%WINDIR%\svechost.exe
%WINDIR%\Hook.dll
<Текущая директория>\Hook.dll
%WINDIR%\kylin.exe
%WINDIR%\server.exe
%WINDIR%\Gh0stkylin.exe
%WINDIR%\system\svchost.exe
%WINDIR%\bat.bat
%WINDIR%\hk.vbs
<SYSTEM32>\hopelove.exe
%WINDIR%\10.love
%WINDIR%\11.love
%WINDIR%\8.love
%WINDIR%\9.love
%WINDIR%\12.love
%WINDIR%\15.love
%WINDIR%\16.love
%WINDIR%\13.love
%WINDIR%\14.love
%WINDIR%\1.love
%WINDIR%\2.love
%WINDIR%\love.vbs
%WINDIR%\0.love
%WINDIR%\3.love
%WINDIR%\6.love
%WINDIR%\7.love
%WINDIR%\4.love
%WINDIR%\5.love
%WINDIR%\99.love
%WINDIR%\100.love
%WINDIR%\97.love
%WINDIR%\98.love
%WINDIR%\101.love
%WINDIR%\104.love
%WINDIR%\105.love
%WINDIR%\102.love
%WINDIR%\103.love
%WINDIR%\90.love
%WINDIR%\91.love
%WINDIR%\88.love
%WINDIR%\89.love
%WINDIR%\92.love
%WINDIR%\95.love
%WINDIR%\96.love
%WINDIR%\93.love
%WINDIR%\94.love
%WINDIR%\106.love
%WINDIR%\118.love
%WINDIR%\119.love
%WINDIR%\116.love
%WINDIR%\117.love
%WINDIR%\120.love
%WINDIR%\123.love
%WINDIR%\124.love
%WINDIR%\121.love
%WINDIR%\122.love
%WINDIR%\109.love
%WINDIR%\110.love
%WINDIR%\107.love
%WINDIR%\108.love
%WINDIR%\111.love
%WINDIR%\114.love
%WINDIR%\115.love
%WINDIR%\112.love
%WINDIR%\113.love
%WINDIR%\87.love
%WINDIR%\62.love
%WINDIR%\63.love
%WINDIR%\60.love
%WINDIR%\61.love
%WINDIR%\64.love
%WINDIR%\66.love
%WINDIR%\67.love
%WINDIR%\65.love
%WINDIR%\Temp\scs4.tmp
%WINDIR%\53.love
%WINDIR%\54.love
%WINDIR%\51.love
%WINDIR%\52.love
%WINDIR%\55.love
%WINDIR%\58.love
%WINDIR%\59.love
%WINDIR%\56.love
%WINDIR%\57.love
%WINDIR%\68.love
%WINDIR%\80.love
%WINDIR%\81.love
%WINDIR%\78.love
%WINDIR%\79.love
%WINDIR%\82.love
%WINDIR%\85.love
%WINDIR%\86.love
%WINDIR%\83.love
%WINDIR%\84.love
%WINDIR%\71.love
%WINDIR%\72.love
%WINDIR%\69.love
%WINDIR%\70.love
%WINDIR%\73.love
%WINDIR%\76.love
%WINDIR%\77.love
%WINDIR%\74.love
%WINDIR%\75.love

Присваивает атрибут 'скрытый' для следующих файлов:

%WINDIR%\Hook.dll

Удаляет следующие файлы:

%WINDIR%\Temp\scs2.tmp
%WINDIR%\Temp\scs4.tmp
%WINDIR%\Temp\scs1.tmp
%WINDIR%\Temp\scs3.tmp

Перемещает следующие системные файлы:

<SYSTEM32>\dllcache\explorer.exe в <SYSTEM32>\dllcache\$temp$
%WINDIR%\explorer.exe в %WINDIR%\$temp$

Перемещает следующие файлы:

%WINDIR%\server.exe в %WINDIR%\D5FD5496\svchsot.exe

Сетевая активность:

Подключается к:

'localhost':1058
'localhost':1059
'localhost':1060
'localhost':1055
'localhost':1056
'localhost':1057
'localhost':1061
'localhost':1065
'localhost':1066
'localhost':1067
'localhost':1062
'localhost':1063
'localhost':1064
'localhost':1054
'localhost':1042
'localhost':1044
'localhost':1045
'localhost':1036
'localhost':1038
'localhost':1040
'localhost':1046
'localhost':1051
'localhost':1052
'localhost':1053
'localhost':1047
'localhost':2012
'localhost':1049

UDP:

DNS ASK mi#####lin.f3322.org
DNS ASK www.ha####schina.org
DNS ASK gb#.#licdn.com

Другое:

Ищет следующие окна:

ClassName: 'RegEdit_RegEdit' WindowName: ''
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-df0.dfc.40000d'
ClassName: '' WindowName: ''
ClassName: '' WindowName: 'ИрРЗіМРтЙэј¶ЦР'
ClassName: '' WindowName: '??????????????'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-cc4.cc8.3c0009'
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: '' WindowName: 'Microsoft Internet Explorer'
ClassName: 'Indicator' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней