Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Classes\HttpWatchStudio.HTTPArchive\shell\open\command] '' = '%ProgramFiles%\HttpWatch\HTTPWA~1.EXE /dde'
- [<HKLM>\SOFTWARE\Classes\HttpWatchStudio.Document\shell\open\command] '' = '%ProgramFiles%\HttpWatch\HTTPWA~1.EXE /dde'
Создает или изменяет следующие файлы:
- %WINDIR%\Tasks\User_Feed_Synchronization-{6E428F9A-9591-461A-84A8-319B5ABE8AE1}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{D5079C9F-377D-4151-806E-6498B01C08A5}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{DA918C3F-30A8-4D23-BA5F-AE1B106BAE1A}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{21867A25-5139-4CBF-8C5E-97536E549E64}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{5E9AD8E4-3211-489C-A05E-9644967B7F0E}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{6622D24D-4BEE-4EA8-87A6-A9F44308305D}.job
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\PrismXL] 'ImagePath' = '%CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS'
- [<HKLM>\SYSTEM\ControlSet001\Services\PrismXL] 'Start' = '00000002'
Вредоносные функции:
Запускает на исполнение:
- '%CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS'
Изменения в файловой системе:
Создает следующие файлы:
- %ProgramFiles%\HttpWatch\images\boxbottomedge.gif
- %ProgramFiles%\HttpWatch\images\boxtopedge.gif
- %ProgramFiles%\HttpWatch\images\arrows2.gif
- %ProgramFiles%\HttpWatch\httpwatchsc.dll
- %ProgramFiles%\HttpWatch\httpwatchstudio.exe
- %ProgramFiles%\HttpWatch\images\ie7_basic_move_up.png
- %ProgramFiles%\HttpWatch\images\ie7_customize.png
- %ProgramFiles%\HttpWatch\images\httpwatch_select.png
- %ProgramFiles%\HttpWatch\images\ff_httpwatch_menu.png
- %ProgramFiles%\HttpWatch\images\httpwatch_menu.png
- %ProgramFiles%\HttpWatch\Firefox\chrome.manifest
- %ProgramFiles%\HttpWatch\Firefox\components\httpwatchff.dll
- %ProgramFiles%\HttpWatch\Firefox\chrome\httpwatch.jar
- %ProgramFiles%\HttpWatch\api_examples\ie\site_spider\ruby\site_spider.rb
- %ProgramFiles%\HttpWatch\api_examples\ie\site_spider\ruby\url_ops.rb
- %ProgramFiles%\HttpWatch\httpwatch.chm
- %ProgramFiles%\HttpWatch\httpwatch.dll
- %ProgramFiles%\HttpWatch\gettingstarted.htm
- %ProgramFiles%\HttpWatch\Firefox\components\httpwatchff.xpt
- %ProgramFiles%\HttpWatch\Firefox\install.rdf
- %ProgramFiles%\HttpWatch\images\ie7_menu.png
- %ProgramFiles%\Symantec\Symantec Endpoint Protection\SerState.dat
- %ProgramFiles%\Symantec\Symantec Endpoint Protection\SerState.dat.bak
- %ProgramFiles%\HttpWatch\uninstall.exe
- %ProgramFiles%\HttpWatch\styles\busi1011.css
- %ProgramFiles%\HttpWatch\styles\styles.css
- %ALLUSERSPROFILE%\Start Menu\Programs\HttpWatch Basic Edition\HttpWatch Studio.lnk
- %WINDIR%\PICTAKER.LOG
- %ALLUSERSPROFILE%\Start Menu\Programs\HttpWatch Basic Edition\HttpWatch Online Help.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\HttpWatch Basic Edition\Automation Examples.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\HttpWatch Basic Edition\Getting Started.lnk
- %ProgramFiles%\HttpWatch\images\ie7_select_professional.png
- %ProgramFiles%\HttpWatch\images\roundarrow-blue.gif
- %ProgramFiles%\HttpWatch\images\ie7_select_basic.png
- %ProgramFiles%\HttpWatch\images\ie7_moved_button.png
- %ProgramFiles%\HttpWatch\images\ie7_professional_move_up.png
- %ProgramFiles%\HttpWatch\images\squarearrow-red.gif
- %ProgramFiles%\HttpWatch\log.xsd
- %ProgramFiles%\HttpWatch\images\spacer.gif
- %ProgramFiles%\HttpWatch\images\shleft.gif
- %ProgramFiles%\HttpWatch\images\shright.gif
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\csharp\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\javascript\page_check.js
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\csharp\pagechecker.cs
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\csharp\page_check.csproj
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\csharp\page_check.sln
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\ruby\page_check.rb
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\ruby\page_check_firewatir.rb
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\javascript\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\javascript\run.cmd
- %ALLUSERSPROFILE%\Application Data\Prism Pack\UNAPPLY\<Имя вируса> 1.PWR
- %ProgramFiles%\Altiris\Altiris Agent\AeXAMDiscovery.txt
- %ALLUSERSPROFILE%\Application Data\Prism Pack\UNAPPLY\<Имя вируса>.PWR
- %TEMP%\PRISMXL.SYS
- %CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\csharp\App.ico
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\csharp\AssemblyInfo.cs
- %ProgramFiles%\Altiris\Altiris Agent\Logs\Agent.log
- %ProgramFiles%\Altiris\Altiris Agent\AeXAMInventory.txt
- %ProgramFiles%\Altiris\Altiris Agent\AeXProcessList.txt
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\ruby\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\ruby\page_check.rb
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\ruby\page_check_watir.rb
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\javascript\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\javascript\run.cmd
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\VBScript\run.cmd
- %ProgramFiles%\HttpWatch\api_examples\ie\site_spider\ruby\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\VBScript\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\ruby\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\VBScript\page_check.vbs
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\csharp\App.ico
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\csharp\AssemblyInfo.cs
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\VBScript\run.cmd
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\VBScript\page_check.vbs
- %ProgramFiles%\HttpWatch\api_examples\firefox\page_check\VBScript\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\csharp\readme.txt
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\javascript\page_check.js
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\csharp\pagechecker.cs
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\csharp\page_check.csproj
- %ProgramFiles%\HttpWatch\api_examples\ie\page_check\csharp\page_check.sln
Присваивает атрибут 'скрытый' для следующих файлов:
- %WINDIR%\Tasks\User_Feed_Synchronization-{6E428F9A-9591-461A-84A8-319B5ABE8AE1}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{D5079C9F-377D-4151-806E-6498B01C08A5}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{DA918C3F-30A8-4D23-BA5F-AE1B106BAE1A}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{21867A25-5139-4CBF-8C5E-97536E549E64}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{5E9AD8E4-3211-489C-A05E-9644967B7F0E}.job
- %WINDIR%\Tasks\User_Feed_Synchronization-{6622D24D-4BEE-4EA8-87A6-A9F44308305D}.job
Удаляет следующие файлы:
- %ALLUSERSPROFILE%\Application Data\Prism Pack\UNAPPLY\<Имя вируса> 1.PWR
- %ALLUSERSPROFILE%\Application Data\Prism Pack\UNAPPLY\<Имя вируса>.PWR
- %TEMP%\PRISMXL.SYS
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: ''
