Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\kxescore] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- '%TEMP%\kingsoft antivirus\kingsoft antivirus\kxescore.exe' /start kxescore
- '%TEMP%\kingsoft antivirus\kingsoft antivirus\kxescore.exe' /service kxescore
- '%TEMP%\kingsoft antivirus\kingsoft antivirus\ksetupwiz.exe' /r auto
- '%TEMP%\kingsoft antivirus\kingsoft antivirus\kismain.exe' /cloudidentifymgr
- '%TEMP%\kingsoft antivirus\kingsoft antivirus\kxetray.exe' /kismain /cloudidentifymgr
Запускает на исполнение:
- '<SYSTEM32>\mode.com' con: COLS=79 LINES=25
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kingsoft antivirus\kingsoft antivirus\自动清理.bat" "
Изменения в файловой системе:
Создает следующие файлы:
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxeksgpid.kid
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxeksapid.kid
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kavpid.kid
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\uplive.svr
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\sp3a.nlb
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\rule.krf
- %TEMP%\kingsoft antivirus\kingsoft antivirus\wgsites.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\wd.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\TrustyPath.DAT
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kantihackerpid.kid
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\unknown.fsg
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\data.fsg
- %TEMP%\kingsoft antivirus\kingsoft antivirus\jsonv6.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\bkrescan.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\uninst.exe
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\kislog.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kis.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kavevent.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kismain.exe
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kiscall.exe
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kscan_sp.xcf
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxetray.exe
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxescore.exe
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ksetupwiz.exe
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kis2.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kis.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\khandler.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ksais.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kislive.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kiscommon.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaextend.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaext2.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaevname.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kdh.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\kcloudUprecord.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\karchive.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\protect.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\progrule.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\NoScanPop.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\TrustyExt.DAT
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\rule_bak.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\rule.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kwsadr.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kwnp.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\ksesysfiles.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\netbank.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kse_wfsdata\kxescore_wfsa1.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kse_wfsdata\kxescore_wfsa0.dat
- <DRIVERS>\ksapi.sys
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ksetupwiz.log
- %TEMP%\kxetray.xml
- %WINDIR%\Temp\kxeexp.xml
- %ALLUSERSPROFILE%\Application Data\Kingsoft\KXEngine\Data\kxescore.log
- %TEMP%\kingsoft antivirus\kingsoft antivirus\log\kxescore.exe.log
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ksapi.sys
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kavsafe.sys
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kavbootc64.sys
- %ALLUSERSPROFILE%\Application Data\Kingsoft\KXEngine\Data\kxetray.log
- %TEMP%\kingsoft antivirus\kingsoft antivirus\log\kxetray.exe.log
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwbase.dat
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwbase.dat-journal
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwfile.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\ksblog.db-journal
- %TEMP%\kingsoft antivirus\kingsoft antivirus\tmplib.dat
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\temp\fsg1.tmp
- %ALLUSERSPROFILE%\Application Data\Kingsoft\KIS\hg.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\log\kselog.txt
- %WINDIR%\Temp\kxesansp.xml
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwfile.dat-journal
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwlog.dat
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwlog.dat-journal
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\ksecorex.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ksdectrl.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\ksdecs.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxebase.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kstools.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kskinmgr.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\knitrpt.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\kmctrl.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kismain.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\ksbwdet2.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ksapi.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kpopclt.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\scom.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\msvcr80.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\msvcp80.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kavbootc.sys
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\wfs.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\sqlite.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxeexp.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxecore\kxecore.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxebscsp.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxecore\kxestat.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kxesansp.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kxecore\kxelog.dll
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaeolea.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\clear.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\自动清理.bat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\microsoft.vc80.mfc.manifest
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kavmenu.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\install.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\game.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_safe_no.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_safe.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_danger_no.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\microsoft.vc80.crt.manifest
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_unknown_no.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_unknown.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\kse.stat_fac_cfg.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kisuptray.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kisuplib.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\ksecore.sln.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\ksecore.netdetcfg.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\ksecore.addon.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kavvipcfg.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kavstart.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kavpe.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kislivx.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kislive.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kisaddin.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgsafeltb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgdangertrs.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgdangertrb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgsafetrs.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgsafetrb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgsafelts.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgadulttrb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgadultlts.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgadultltb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgdangerlts.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgdangerltb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgadulttrs.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kwsupicon1.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kwsupicon.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kwsdownicon1.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_danger.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_adult_no.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kws_adult.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgunkowntrb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgunkownlts.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgunkownltb.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\kwsdownicon.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbt.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kws\icon\commentbgunkowntrs.gif
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\ksblog.db
- %TEMP%\kingsoft antivirus\kingsoft antivirus\fdsdcache.db
- %TEMP%\kingsoft antivirus\kingsoft antivirus\vinfo.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\bkrsdb.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\bro.cfg
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\ksuset.db
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\productidinfo.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\module.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\ksbwdt.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\validatecfg.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\signs.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\quarantine.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaecore.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaearchb.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaearcha.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaecorem.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaecoref.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaecorea.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config3a.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\config3.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\cache.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\fnsign.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\expand_rule.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\data\expand_protect.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\scom.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kxeupchk.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kxetray.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\web\kingsoft_duba.htm
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\web\kingsoft_blog.htm
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\web\kingsoft_bbs.htm
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\kspfeng.pwlcfg.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\kspfeng.polman.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\config\kspfeng.filemonfilter.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kxesansp.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kxeexp.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\ktaskbar.xml
- %TEMP%\kingsoft antivirus\kingsoft antivirus\kavstart.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kavcfg.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kav32plugin.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kismain.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kdock2.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\kdock.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\readme.txt
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\privacypolicy.txt
- %TEMP%\kingsoft antivirus\kingsoft antivirus\ressrc\chs\web\kingsoft_main.htm
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\kxescan\kae\kaecore.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\desktop.ini
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\deconfig.ini
Удаляет следующие файлы:
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\temp\fsg1.tmp
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwbase.dat-journal
- %TEMP%\kingsoft antivirus\kingsoft antivirus\tmplib.dat
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\ksblog.db-journal
- %TEMP%\kingsoft antivirus\kingsoft antivirus\security\ksde\ksblog.db
- %WINDIR%\Temp\kxeexp.xml
- %TEMP%\kxetray.xml
- %WINDIR%\Temp\kxesansp.xml
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwfile.dat-journal
- %ALLUSERSPROFILE%\Application Data\Kingsoft\ksbw\ksbwlog.dat-journal
Сетевая активность:
Подключается к:
- 'cu###.www.duba.net':80
TCP:
Запросы HTTP GET:
- cu###.www.duba.net/kcs/kfsg/fsgs/kswfsign
UDP:
- DNS ASK cu###.www.duba.net
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
