Trojan.DownLoader9.33686

Техническая информация

Для обеспечения автозапуска и распространения:

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\CM1AES Client Services] 'Start' = '00000002'

Вредоносные функции:

Создает и запускает на исполнение:

'C:\ts\dat\CLICM1AES.exe'
'C:\ts\dat\CLICM1AESexec.exe'
'C:\ts\dat\CLICM1AESService.exe' -i
'C:\ts\dat\CLICM1AESService.exe'

Запускает на исполнение:

'<SYSTEM32>\net1.exe' start "cm1aes client services"
'<SYSTEM32>\taskkill.exe' /im AmadeusLauncher.exe
'<SYSTEM32>\taskkill.exe' /im iexplore.exe
'<SYSTEM32>\taskkill.exe' /F /IM Fastcli.exe
'<SYSTEM32>\reg.exe' IMPORT "C:\ts\dat\MOD.reg"
'<SYSTEM32>\cacls.exe' c:\ts\dat /T /E /G BUILTIN\Usuarios:F

Изменяет следующие настройки браузера Windows Internet Explorer:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2201' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2300' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2102' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2200' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2000' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2107' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2708' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'PMDisplayName' = 'Trusted sites [Protected Mode]'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'LowIcon' = 'inetcpl.cpl#005424'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A05' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A06' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A03' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A04' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A10' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2100' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2101' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1C00' = '00010000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1E05' = '00020000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2709' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2106' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2301' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2104' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2105' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2400' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2600' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2700' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2401' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2402' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '120A' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '120B' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1208' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1209' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1408' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2005' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2103' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1409' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '160A' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A02' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1201' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1206' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1004' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1200' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1207' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1405' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1406' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1400' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1402' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Description' = 'Esta zona contiene sitios web que sabe no van a perjudicar el equipo o su información.'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Icon' = 'inetcpl.cpl#00004480'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '' = ''
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'DisplayName' = 'Sitios de confianza'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'CurrentLevel' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Flags' = '00000043'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1001' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'MinLevel' = '00010000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'RecommendedLevel' = '00010000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1407' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1805' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1806' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1803' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1804' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1807' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '180D' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1A00' = '00020000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1808' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1809' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1605' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1606' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1601' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1604' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1607' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1800' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1802' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1608' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000001'

Изменения в файловой системе:

Создает следующие файлы:

C:\ts\dat\cmdapps.data
C:\ts\dat\cmdapps.data-journal
C:\ts\dat\cmdmacDB.data-journal
C:\ts\dat\log\CLICM1AESexec.log
C:\ts\dat\cmdpacks.data
C:\ts\dat\CLICM1AESService.log
C:\ts\dat\lib\DBClientcmdsendpack.dll
C:\ts\dat\cmdpacks.data-journal
C:\ts\dat\log\CLICM1AES.log
C:\ts\dat\cmdmacDB.data
C:\ts\dat\log\CMDSENDPACK.log
C:\ts\dat\cfgupd.data
C:\ts\dat\uninst.exe
C:\ts\dat\log\CMDFRAG.log
C:\ts\dat\cfgupd.data-journal
C:\ts\dat\clicm1aes.dll.log
C:\ts\dat\log\CMDMAC.log
C:\ts\dat\log\CMDTRANSAC.log
C:\ts\dat\log\CMDSENDRVR.log
C:\ts\dat\lib\cmdsendrvr.dll
C:\ts\dat\CLICM1AES.ini
C:\ts\dat\CLICM1AESexec.exe
C:\ts\dat\restCM.exe
C:\ts\dat\CLICM1AES.exe
C:\ts\dat\CLICM1AESService.exe
C:\ts\dat\MOD.reg
C:\ts\dat\logger.dll
C:\ts\dat\CLICM1AESService.ini
C:\ts\dat\control.dll
%HOMEPATH%\Start Menu\Centro mensajes\restCM.lnk
C:\ts\dat\lib\DBClientcmdmac.dll
C:\ts\dat\lib\cmdsendpack.dll
C:\ts\dat\lib\cmdfrag.dll
C:\ts\dat\lib\transac0.dll
C:\ts\dat\lib\CLICM1AESexecDll.dll
C:\ts\dat\lib\cmdmac.dll
C:\ts\dat\lib\clicm1aes.dll
C:\ts\dat\lib\DBCLIENTDLL.dll
C:\ts\dat\lib\DBClientcfgupd.dll

Удаляет следующие файлы:

C:\ts\dat\cmdmacDB.data-journal
C:\ts\dat\cfgupd.data-journal
C:\ts\dat\cmdapps.data-journal
C:\ts\dat\MOD.reg
C:\ts\dat\cmdpacks.data-journal

Сетевая активность:

Подключается к:

'94.##2.200.153':80

UDP:

DNS ASK 1.###.##1.111.in-addr.arpa
DNS ASK am####svista.com

Другое:

Ищет следующие окна:

ClassName: '(null)' WindowName: 'WINDOWS_CLICM1AES_DLL6525058163238502003682623870002'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: '(null)' WindowName: '(null)'
ClassName: '(null)' WindowName: 'AMADEUS - Cliente centro mensajes 1AES'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней