Trojan.Siggen9.48343

To ensure autorun and distribution

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\9BA6C18F] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\9BA6C18F] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService'
[<HKLM>\SYSTEM\ControlSet001\services\9BA6C18F] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalService�'
[<HKLM>\SYSTEM\ControlSet001\services\9BA6C18F\Parameters] 'ServiceDll' = '%PROGRAMDATA%\9BA6C18F\AAA64E16.dll�'
[<HKLM>\SYSTEM\ControlSet001\services\9BA6C18F] 'Start' = '00000002'

Malicious functions

Injects code into

the following system processes:

Terminates or attempts to terminate

the following system processes:

Searches for registry branches where third party applications store passwords

[<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
[<HKCU>\Software\Microsoft\MSNMessenger]
[<HKCU>\Software\Yahoo\Pager]
[<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
[<HKCU>\Software\Google\Google Talk\Accounts]
[<HKCU>\Software\Paltalk]
[<HKCU>\Software\AIM\AIMPro]
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
[<HKCU>\Software\RimArts\B2\Settings]
[<HKCU>\SOFTWARE\RIT\The Bat!]
[<HKCU>\SOFTWARE\RIT\The Bat!\Users depot]
[<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
[<HKLM>\Software\Wow6432Node\Microsoft\Internet Account Manager]
[<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]

Reads files which store third party applications passwords

Modifies file system

Creates the following files

Sets the 'hidden' attribute to the following files

Deletes the following files

Substitutes the following files

Network activity

TCP

Miscellaneous

Searches for the following windows

Creates and executes the following

'%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@2616' (with hidden window)
'%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0' (with hidden window)
'%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\9BA6C18F\AAA64E16.dll,f1 <Full path to file>@3036' (with hidden window)

Executes the following

'%WINDIR%\syswow64\regsvr32.exe' -s <Full path to file> f1 <Full path to file>@2616
'%WINDIR%\syswow64\rundll32.exe' <Full path to file>,f0
'%WINDIR%\syswow64\rundll32.exe' %ProgramFiles%\9BA6C18F\AAA64E16.dll,f1 <Full path to file>@3036
'<SYSTEM32>\rundll32.exe' %ProgramFiles%\9BA6C18F\AAA64E16.dll,f1 <Full path to file>@3036
'<SYSTEM32>\rundll32.exe' %PROGRAMDATA%\9BA6C18F\AAA64E16.dll,f2 1FCAAAC36182D72B5B244331A7421701
'<SYSTEM32>\svchost.exe' -k LocalService
'%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\9BA6C18F\942DBF25.dll,f3
'%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\9BA6C18F\942DBF25.dll,f7
'%WINDIR%\syswow64\rundll32.exe' %PROGRAMDATA%\9BA6C18F\942DBF25.dll,f2 E48E292D52AA1264BCBA6B30A9CB2113
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\wininet.dll",DispatchAPICall 1

Выдаётся при установке

Завантажте
Dr.Web для Android