Техническая информация
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\TcSohbet\mIRC.exe'
Запускает на исполнение:
- '%WINDIR%\regedit.exe' /S %PROGRAM_FILES%\TcSohbet\ kayit.reg
- '%WINDIR%\regedit.exe' /S %PROGRAM_FILES%\TcSohbet\ mirc.dll
- '%WINDIR%\msagent\agentsvr.exe' -Embedding
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\TcSohbet\popups.ini
- %PROGRAM_FILES%\TcSohbet\ns.txt
- %PROGRAM_FILES%\TcSohbet\script.txt
- %PROGRAM_FILES%\TcSohbet\remote.ini
- %PROGRAM_FILES%\TcSohbet\mirc.ini
- %PROGRAM_FILES%\TcSohbet\kayit.reg
- %PROGRAM_FILES%\TcSohbet\imgmirc.mrc
- %PROGRAM_FILES%\TcSohbet\mIRC.exe
- %PROGRAM_FILES%\TcSohbet\mIRC.dll
- %PROGRAM_FILES%\TcSohbet\script1.txt
- %PROGRAM_FILES%\TcSohbet\sounds\mirc.ico
- %PROGRAM_FILES%\TcSohbet\sounds\ao.wav
- %PROGRAM_FILES%\TcSohbet\src\common_storage.h
- %PROGRAM_FILES%\TcSohbet\sounds\Thumbs.db
- %PROGRAM_FILES%\TcSohbet\servers.ini
- %PROGRAM_FILES%\TcSohbet\script3.txt
- %PROGRAM_FILES%\TcSohbet\script2.txt
- %PROGRAM_FILES%\TcSohbet\script5.txt
- %PROGRAM_FILES%\TcSohbet\script4.txt
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жcicex.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жborinx.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жkalx.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жdancx.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\ї3.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦_¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦qu¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\ї2.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦д¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жkux.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\quit_msgs.txt
- %PROGRAM_FILES%\TcSohbet\imgmirc\nHTMLn_2.95.dll
- %PROGRAM_FILES%\TcSohbet\imgmirc.ini
- %PROGRAM_FILES%\TcSohbet\imgmirc.dll
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Я!;.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жyumrux.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Жopucux1.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\нґk.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\н1x.bmp
- %PROGRAM_FILES%\TcSohbet\src\pcre.h
- %PROGRAM_FILES%\TcSohbet\src\my_funcs.h
- %PROGRAM_FILES%\TcSohbet\src\replstorage.cpp
- %PROGRAM_FILES%\TcSohbet\src\ReadMe.txt
- %PROGRAM_FILES%\TcSohbet\src\my_funcs.cpp
- %PROGRAM_FILES%\TcSohbet\src\list_manage.h
- %PROGRAM_FILES%\TcSohbet\src\list_manage.cpp
- %PROGRAM_FILES%\TcSohbet\src\msgs_hook.h
- %PROGRAM_FILES%\TcSohbet\src\msgs_hook.cpp
- %PROGRAM_FILES%\TcSohbet\src\replstorage.h
- %HOMEPATH%\Start Menu\mIRCHit mIRC.lnk
- %HOMEPATH%\Desktop\TurkcemIRC Sohbet.lnk
- %PROGRAM_FILES%\TcSohbet\Uninstall.ini
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\mIRCHit.lnk
- %PROGRAM_FILES%\TcSohbet\Uninstall.exe
- %PROGRAM_FILES%\TcSohbet\src\resource.rc
- %PROGRAM_FILES%\TcSohbet\src\resource.h
- %PROGRAM_FILES%\TcSohbet\src\StdAfx.h
- %PROGRAM_FILES%\TcSohbet\src\StdAfx.cpp
- %PROGRAM_FILES%\TcSohbet\src\highlights.cpp
- %PROGRAM_FILES%\TcSohbet\src\flags.h
- %PROGRAM_FILES%\TcSohbet\src\imgmirc.cpp
- %PROGRAM_FILES%\TcSohbet\src\highlights.h
- %PROGRAM_FILES%\TcSohbet\src\flags.cpp
- %PROGRAM_FILES%\TcSohbet\src\configure_dlg.h
- %PROGRAM_FILES%\TcSohbet\src\configure_dlg.cpp
- %PROGRAM_FILES%\TcSohbet\src\convthread.h
- %PROGRAM_FILES%\TcSohbet\src\convthread.cpp
- %PROGRAM_FILES%\TcSohbet\src\imgmirc.def
- %PROGRAM_FILES%\TcSohbet\src\lesser.txt
- %PROGRAM_FILES%\TcSohbet\src\kbd_hook.h
- %PROGRAM_FILES%\TcSohbet\src\license_pcre.txt
- %PROGRAM_FILES%\TcSohbet\src\libpcre.lib
- %PROGRAM_FILES%\TcSohbet\src\kbd_hook.cpp
- %PROGRAM_FILES%\TcSohbet\src\imgmirc.h
- %PROGRAM_FILES%\TcSohbet\src\imgmirc.dsp
- %PROGRAM_FILES%\TcSohbet\src\imgstorage.h
- %PROGRAM_FILES%\TcSohbet\src\imgstorage.cpp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-Р.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\=-).bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;1.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-~.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-R.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-P.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-u.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-s.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\=-x.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\cip.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\cikis.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\giris.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\error.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\cerva.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\a.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\=-¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\brokenheart.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\beyedguy.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\&-(.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\&-$.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\&-D.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\&-@.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\highlights.txt
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\$inst\2.tmp
- %PROGRAM_FILES%\TcSohbet\Ayarlar.ico
- %PROGRAM_FILES%\TcSohbet\aliases.ini
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\&^.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-I.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-G.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-o.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-m.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-f.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-@.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-).bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-D.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\;-B.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[I;DI].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[I(].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[r].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[o0].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[g].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[;DI].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\xdx.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[gr].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[grr].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\[s2].bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦k¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦j¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦p¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦m¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦g¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦-D.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦+¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦-¦.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\¦-L.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\quit.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\opucuk.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\replacements.txt
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\raw.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\nick.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\kalp.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\I¬¬.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\mercek.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\kick.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\rotate.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\umode.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\topic.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\wat.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\usul.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Thumbs.db
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\star.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\s.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\stryel.bmp
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\strred.bmp
Присваивает атрибут 'скрытый' для следующих файлов:
- %PROGRAM_FILES%\TcSohbet\sounds\Thumbs.db
- %PROGRAM_FILES%\TcSohbet\imgmirc\imgs\Thumbs.db
Удаляет следующие файлы:
- %TEMP%\$inst\temp_0.tmp
Сетевая активность:
Подключается к:
- 'www.tc###bet.com':80
TCP:
Запросы HTTP GET:
- www.tc###bet.com/acilis.txt
UDP:
- DNS ASK www.tc###bet.com
Другое:
Ищет следующие окна:
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
