Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Classes\CLSID\{ad762173-ccd3-4711-9d99-944b9da73373}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\pserv3.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\WhatInStartup.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}\Shell\Open\command] '' = 'regedt32.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{3978d214-c68d-468a-81c7-9454b188ba4f}\Shell\Open\command] '' = 'msconfig.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{662546eb-4737-4f6d-b8ba-cd4e6f390702}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\msicuu.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}\Shell\Open\command] '' = 'taskmgr.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{B13AEA52-5B36-4474-BA29-70F66DCABECB}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\vcdrom.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{170D3C69-2B3B-43e9-984D-ECC3174C0AA5}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\wul.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{18646F66-8C25-0000-BEE4-C2CE1298969D}\Shell\Open\command] '' = 'Control Userpasswords2'
- [<HKLM>\SOFTWARE\Classes\CLSID\{9BE8C477-34EC-4a66-814D-E0A1984E6B47}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\timezone.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{76c07ea7-2317-4ea0-8c8d-fbbf4f93da7f}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\tweakui.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{09751c19-8b51-4c09-984b-944e7bd3e8a4}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\BlueScreenView.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{4DE05BC9-69F6-4BFC-8094-5E1069F2F51F}\Shell\Open\command] '' = 'clipbrd.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{73D5BB05-7810-4f11-8677-8DBE16758384}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\bootvis.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{87E19709-B25D-426e-83F9-AAB1732ECD82}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\AutoFix.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{422BD191-5E37-4155-B76B-C1A471FD39F6}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\bootsafe.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{4b580a54-0c73-4a05-af1d-3953daef2004}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\cpuz.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{D14ED2E1-C75B-443c-BD7C-FC03B2F08C17}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\rufus.EXE'
- [<HKLM>\SOFTWARE\Classes\CLSID\{b87ea05c-a92e-48c1-83e8-cddf07244afe}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\memtest.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{6736cc00-9852-4a6e-a59a-875f36d7b262}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\HWMonitor.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\gpu-z.exe'
- [<HKLM>\SOFTWARE\Classes\CLSID\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}\Shell\Open\command] '' = '%PROGRAM_FILES%\System\CPL\x32\hdtune.exe'
Вредоносные функции:
Запускает на исполнение:
- '<SYSTEM32>\rundll32.exe' advpack.dll,LaunchINFSection CPLbonus.inf,defaultinstall,3
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\System\CPL\x32\SETE.tmp
- %PROGRAM_FILES%\System\CPL\x32\SETD.tmp
- %PROGRAM_FILES%\System\CPL\x32\SETC.tmp
- %PROGRAM_FILES%\System\CPL\x32\SETF.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET12.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET11.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET10.tmp
- %PROGRAM_FILES%\System\CPL\x32\SETB.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET6.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET5.tmp
- <SYSTEM32>\SET4.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET7.tmp
- %PROGRAM_FILES%\System\CPL\x32\SETA.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET9.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET8.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET13.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET1E.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET1D.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET1C.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET1F.tmp
- %WINDIR%\inf\SET24.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET21.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET20.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET1B.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET16.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET15.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET14.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET17.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET1A.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET19.tmp
- %PROGRAM_FILES%\System\CPL\x32\SET18.tmp
- %WINDIR%\Help\SET3.tmp
- %TEMP%\RarSFX0\HDTune.exe
- %TEMP%\RarSFX0\GPU-Z.exe
- %TEMP%\RarSFX0\cpuz.exe
- %TEMP%\RarSFX0\HWMonitor.exe
- %TEMP%\RarSFX0\Msizap.exe
- %TEMP%\RarSFX0\Msicuu.exe
- %TEMP%\RarSFX0\Memtest.exe
- %TEMP%\RarSFX0\Bootvis.exe
- %TEMP%\RarSFX0\Eula.rtf
- %TEMP%\RarSFX0\cpuz.ini
- %TEMP%\RarSFX0\cpuz.txt
- %TEMP%\RarSFX0\CPLBonus.inf
- %TEMP%\RarSFX0\Bootsafe.exe
- %TEMP%\RarSFX0\BlueScreenView.exe
- %TEMP%\RarSFX0\AutoFix.exe
- %TEMP%\RarSFX0\pserv3.exe
- %TEMP%\RarSFX0\Timezone.dll
- %TEMP%\RarSFX0\GSharpTools.dll
- %TEMP%\RarSFX0\GSharpSQLite.dll
- %TEMP%\RarSFX0\Vcdrom.sys
- %TEMP%\RarSFX0\Cttune.chm
- %TEMP%\RarSFX0\bootvis.chm
- %TEMP%\RarSFX0\Cttune.cpl
- %TEMP%\RarSFX0\GPrint.dll
- %TEMP%\RarSFX0\Tweakui.exe
- %TEMP%\RarSFX0\Timezone.exe
- %TEMP%\RarSFX0\rufus.exe
- %TEMP%\RarSFX0\Vcdrom.exe
- %TEMP%\RarSFX0\CPLbonus.dll
- %TEMP%\RarSFX0\wul.exe
- %TEMP%\RarSFX0\WhatInStartup.exe
Удаляет следующие файлы:
- %TEMP%\RarSFX0\Msizap.exe
- %TEMP%\RarSFX0\Msicuu.exe
- %TEMP%\RarSFX0\pserv3.exe.config
- %TEMP%\RarSFX0\pserv3.exe
- %TEMP%\RarSFX0\HDTune.exe
- %TEMP%\RarSFX0\GSharpTools.dll
- %TEMP%\RarSFX0\Memtest.exe
- %TEMP%\RarSFX0\HWMonitor.exe
- %TEMP%\RarSFX0\Vcdrom.sys
- %TEMP%\RarSFX0\Vcdrom.exe
- %TEMP%\RarSFX0\wul.exe
- %TEMP%\RarSFX0\WhatInStartup.exe
- %TEMP%\RarSFX0\Timezone.dll
- %TEMP%\RarSFX0\rufus.exe
- %TEMP%\RarSFX0\Tweakui.exe
- %TEMP%\RarSFX0\Timezone.exe
- %TEMP%\RarSFX0\CPLbonus.dll
- %TEMP%\RarSFX0\Bootvis.exe
- %TEMP%\RarSFX0\cpuz.exe
- %TEMP%\RarSFX0\CPLBonus.inf
- %TEMP%\RarSFX0\BlueScreenView.exe
- %TEMP%\RarSFX0\AutoFix.exe
- %TEMP%\RarSFX0\bootvis.chm
- %TEMP%\RarSFX0\Bootsafe.exe
- %TEMP%\RarSFX0\GPrint.dll
- %TEMP%\RarSFX0\Eula.rtf
- %TEMP%\RarSFX0\GSharpSQLite.dll
- %TEMP%\RarSFX0\GPU-Z.exe
- %TEMP%\RarSFX0\cpuz.txt
- %TEMP%\RarSFX0\cpuz.ini
- %TEMP%\RarSFX0\Cttune.cpl
- %TEMP%\RarSFX0\Cttune.chm
Перемещает следующие файлы:
- %PROGRAM_FILES%\System\CPL\x32\SET18.tmp в %PROGRAM_FILES%\System\CPL\x32\pserv3.exe
- %PROGRAM_FILES%\System\CPL\x32\SET17.tmp в %PROGRAM_FILES%\System\CPL\x32\GSharpTools.dll
- %PROGRAM_FILES%\System\CPL\x32\SET1A.tmp в %PROGRAM_FILES%\System\CPL\x32\eula.rtf
- %PROGRAM_FILES%\System\CPL\x32\SET19.tmp в %PROGRAM_FILES%\System\CPL\x32\pserv3.exe.config
- %PROGRAM_FILES%\System\CPL\x32\SET14.tmp в %PROGRAM_FILES%\System\CPL\x32\MsiZap.exe
- %PROGRAM_FILES%\System\CPL\x32\SET13.tmp в %PROGRAM_FILES%\System\CPL\x32\msicuu.exe
- %PROGRAM_FILES%\System\CPL\x32\SET16.tmp в %PROGRAM_FILES%\System\CPL\x32\GSharpSQLite.dll
- %PROGRAM_FILES%\System\CPL\x32\SET15.tmp в %PROGRAM_FILES%\System\CPL\x32\GPrint.dll
- %PROGRAM_FILES%\System\CPL\x32\SET20.tmp в %PROGRAM_FILES%\System\CPL\x32\WhatInStartup.exe
- %PROGRAM_FILES%\System\CPL\x32\SET1F.tmp в %PROGRAM_FILES%\System\CPL\x32\vcdrom.sys
- %WINDIR%\inf\SET24.tmp в %WINDIR%\inf\CPLBonus.inf
- %PROGRAM_FILES%\System\CPL\x32\SET21.tmp в %PROGRAM_FILES%\System\CPL\x32\wul.exe
- %PROGRAM_FILES%\System\CPL\x32\SET1C.tmp в %PROGRAM_FILES%\System\CPL\x32\Timezone.exe.manifest
- %PROGRAM_FILES%\System\CPL\x32\SET1B.tmp в %PROGRAM_FILES%\System\CPL\x32\TimeZone.exe
- %PROGRAM_FILES%\System\CPL\x32\SET1E.tmp в %PROGRAM_FILES%\System\CPL\x32\vcdrom.exe
- %PROGRAM_FILES%\System\CPL\x32\SET1D.tmp в %PROGRAM_FILES%\System\CPL\x32\TweakUI.exe
- %PROGRAM_FILES%\System\CPL\x32\SET8.tmp в %PROGRAM_FILES%\System\CPL\x32\bootvis.chm
- %PROGRAM_FILES%\System\CPL\x32\SET7.tmp в %PROGRAM_FILES%\System\CPL\x32\BootVis.exe
- %PROGRAM_FILES%\System\CPL\x32\SETA.tmp в %PROGRAM_FILES%\System\CPL\x32\cplbonus.dll
- %PROGRAM_FILES%\System\CPL\x32\SET9.tmp в %PROGRAM_FILES%\System\CPL\x32\BlueScreenView.exe
- <SYSTEM32>\SET4.tmp в <SYSTEM32>\cttune.cpl
- %WINDIR%\Help\SET3.tmp в %WINDIR%\Help\cttune.chm
- %PROGRAM_FILES%\System\CPL\x32\SET6.tmp в %PROGRAM_FILES%\System\CPL\x32\BootSafe.exe
- %PROGRAM_FILES%\System\CPL\x32\SET5.tmp в %PROGRAM_FILES%\System\CPL\x32\AutoFix.exe
- %PROGRAM_FILES%\System\CPL\x32\SET10.tmp в %PROGRAM_FILES%\System\CPL\x32\rufus.exe
- %PROGRAM_FILES%\System\CPL\x32\SETF.tmp в %PROGRAM_FILES%\System\CPL\x32\HDTune.exe
- %PROGRAM_FILES%\System\CPL\x32\SET12.tmp в %PROGRAM_FILES%\System\CPL\x32\MemTest.exe
- %PROGRAM_FILES%\System\CPL\x32\SET11.tmp в %PROGRAM_FILES%\System\CPL\x32\HWMonitor.exe
- %PROGRAM_FILES%\System\CPL\x32\SETC.tmp в %PROGRAM_FILES%\System\CPL\x32\cpuz.ini
- %PROGRAM_FILES%\System\CPL\x32\SETB.tmp в %PROGRAM_FILES%\System\CPL\x32\cpuz.exe
- %PROGRAM_FILES%\System\CPL\x32\SETE.tmp в %PROGRAM_FILES%\System\CPL\x32\GPU-Z.exe
- %PROGRAM_FILES%\System\CPL\x32\SETD.tmp в %PROGRAM_FILES%\System\CPL\x32\cpuz.txt
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
