Trojan.Hosts.15419

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Classes\.exe] '' = 'WMAFile'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'Pwner' = '%WINDIR%\VIRUS.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'PWNAGE' = '<DRIVERS>\VIRUS.exe'

Вредоносные функции:

Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Запускает на исполнение:

'<SYSTEM32>\attrib.exe' +h "VIRUS.exe"
'<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoUserNameInStartMenu" /d "1" /f
'<SYSTEM32>\attrib.exe' +r +a +s +h <SYSTEM32>
'<SYSTEM32>\msg.exe' * VIRUS ACTIV
'<SYSTEM32>\attrib.exe' +s "VIRUS.exe"
'<SYSTEM32>\attrib.exe' +r "VIRUS.exe"
'<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /v Pwner /t REG_SZ /d %WINDIR%\VIRUS.exe /f
'<SYSTEM32>\rundll32.exe' user32,SwapMouseButton
'<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\VIRUS.bat""
'<SYSTEM32>\taskkill.exe' /f /im System.exe
'<SYSTEM32>\netsh.exe' firewall set opmode disable
'<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v PWNAGE /t REG_SZ /d <DRIVERS>\VIRUS.exe /f

Изменяет следующие настройки проводника Windows (Windows Explorer):

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoUserNameInStartMenu' = '1'

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\29024.16400
<SYSTEM32>\2983.6516
%WINDIR%\329.30847
<SYSTEM32>\340.25470
%WINDIR%\21378.8090
<SYSTEM32>\20705.11268
%WINDIR%\26249.12914
<SYSTEM32>\4017.7125
%WINDIR%\119.30195
<SYSTEM32>\32726.9520
%WINDIR%\17750.11401
<SYSTEM32>\2878.14734
%WINDIR%\27029.2169
<SYSTEM32>\31594.29180
%WINDIR%\19465.9811
<SYSTEM32>\2252.32523
%WINDIR%\20050.31810
<SYSTEM32>\8792.24973
<SYSTEM32>\17844.31545
<SYSTEM32>\17630.9507
%WINDIR%\13841.23984
<SYSTEM32>\2275.17740
%WINDIR%\29464.27738
<SYSTEM32>\26089.31881
%WINDIR%\27436.2812
<SYSTEM32>\11241.16281
%WINDIR%\12181.29277
<SYSTEM32>\164.10831
%WINDIR%\1515.984
<SYSTEM32>\3724.10661
%WINDIR%\20395.12902
<SYSTEM32>\16260.25373
%WINDIR%\8732.10627
<SYSTEM32>\17865.3559
%WINDIR%\6448.1178
<SYSTEM32>\3646.3121
%WINDIR%\4286.15378
%WINDIR%\19444.14643
%WINDIR%\26543.18986
<SYSTEM32>\2003.2159
%WINDIR%\19667.24352
<SYSTEM32>\30651.12013
%WINDIR%\21770.6973
<SYSTEM32>\16931.27207
%WINDIR%\9387.20734
<SYSTEM32>\24542.13211
%WINDIR%\9552.10054
<SYSTEM32>\3090.26379
%WINDIR%\21046.28283
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\own3d[1]
%WINDIR%\23061.22406
<SYSTEM32>\31627.8005
%WINDIR%\28316.9858
<SYSTEM32>\236.31587
%WINDIR%\21202.31431
<SYSTEM32>\24012.8169
<SYSTEM32>\3926.1036
<SYSTEM32>\30644.12566
%WINDIR%\12354.17379
<SYSTEM32>\7074.22841
%WINDIR%\25504.22628
<SYSTEM32>\7845.7174
%WINDIR%\2320.30128
<SYSTEM32>\20174.21990
%WINDIR%\18129.23044
<SYSTEM32>\16170.3996
%WINDIR%\25264.26871
<SYSTEM32>\2026.27757
%WINDIR%\2665.10915
<SYSTEM32>\23967.24862
%WINDIR%\15972.892
<SYSTEM32>\31109.15998
%WINDIR%\1713.5893
<SYSTEM32>\24944.12539
%WINDIR%\30038.7663
C:\26623.txt
C:\16420.txt
C:\20071.txt
C:\7437.txt
C:\6943.txt
C:\275.txt
C:\20234.txt
C:\1895.txt
C:\6483.txt
C:\5960.txt
C:\14198.txt
C:\9183.txt
C:\9731.txt
C:\4992.txt
C:\25103.txt
C:\9166.txt
C:\1434.txt
C:\27525.txt
C:\9997.txt
C:\27223.txt
C:\13496.txt
C:\3229.txt
C:\7430.txt
C:\20509.txt
C:\23519.txt
%TEMP%\1.tmp\VIRUS.bat
C:\30889.txt
C:\31104.txt
C:\5510.txt
C:\31982.txt
C:\21615.txt
C:\10206.txt
C:\11657.txt
C:\16873.txt
C:\26156.txt
C:\27134.txt
C:\12675.txt
C:\20215.txt
<SYSTEM32>\31599.30675
%WINDIR%\17171.11572
<SYSTEM32>\30446.14344
%WINDIR%\26265.25313
<SYSTEM32>\25149.32171
%WINDIR%\30308.26096
<SYSTEM32>\21971.15868
%WINDIR%\12977.17861
<SYSTEM32>\19123.18730
%WINDIR%\15794.14955
<SYSTEM32>\10019.23362
%WINDIR%\30932.11199
<SYSTEM32>\14040.3511
%WINDIR%\23288.31124
<SYSTEM32>\28408.19164
%WINDIR%\29994.5095
<SYSTEM32>\11162.15481
%WINDIR%\30488.23835
%WINDIR%\15010.25987
C:\9784.txt
C:\21895.txt
C:\15343.txt
C:\5251.txt
C:\6242.txt
C:\11777.txt
C:\21063.txt
C:\16044.txt
C:\27459.txt
<SYSTEM32>\22112.25707
%WINDIR%\2033.13066
<SYSTEM32>\5777.756
%WINDIR%\24656.4094
<SYSTEM32>\6653.30171
C:\11263.txt
C:\32412.txt
C:\16953.txt
C:\28347.txt