Trojan.MulDrop3.50825

Техническая информация

Для обеспечения автозапуска и распространения:

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\TimerWorks] 'Start' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\DpSvrLookup] 'Start' = '00000002'

Вредоносные функции:

Создает и запускает на исполнение:

%TEMP%\nsx2.tmp\ns24.tmp ipseccmd -p Pass114 -r Pass114 -f 125.39.85.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass114 -r Pass114 -f 125.39.85.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass113 -r Pass113 -f 125.39.78.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass112 -r Pass112 -f 125.39.39.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns23.tmp ipseccmd -p Pass113 -r Pass113 -f 125.39.78.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass115 -r Pass115 -f 125.39.87.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns27.tmp ipseccmd -p Pass1155 -r Pass1155 -f 125.39.88.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns26.tmp ipseccmd -p Pass115 -r Pass115 -f 125.39.87.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns25.tmp ipseccmd -p Pass1144 -r Pass1144 -f 125.39.86.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1144 -r Pass1144 -f 125.39.86.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns1F.tmp ipseccmd -p Pass19 -r Pass19 -f 125.39.123.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass19 -r Pass19 -f 125.39.123.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass18 -r Pass18 -f 122.70.142.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass17 -r Pass17 -f 119.147.9.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns1E.tmp ipseccmd -p Pass18 -r Pass18 -f 122.70.142.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass111 -r Pass111 -f 125.39.185.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns22.tmp ipseccmd -p Pass112 -r Pass112 -f 125.39.39.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns21.tmp ipseccmd -p Pass111 -r Pass111 -f 125.39.185.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns20.tmp ipseccmd -p Pass110 -r Pass110 -f 125.39.127.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass110 -r Pass110 -f 125.39.127.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1155 -r Pass1155 -f 125.39.88.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass117 -r Pass117 -f 220.181.105.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns2F.tmp ipseccmd -p Pass118 -r Pass118 -f 220.181.111.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns2E.tmp ipseccmd -p Pass117 -r Pass117 -f 220.181.105.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns2D.tmp ipseccmd -p Pass1171 -r Pass1171 -f 220.181.104.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1171 -r Pass1171 -f 220.181.104.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns31.tmp ipseccmd -p Pass1182 -r Pass1182 -f 220.181.113.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1182 -r Pass1182 -f 220.181.113.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1181 -r Pass1181 -f 220.181.112.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass118 -r Pass118 -f 220.181.111.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns30.tmp ipseccmd -p Pass1181 -r Pass1181 -f 220.181.112.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass116 -r Pass116 -f 220.181.100.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns2A.tmp ipseccmd -p Pass1161 -r Pass1161 -f 220.181.101.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns29.tmp ipseccmd -p Pass116 -r Pass116 -f 220.181.100.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns28.tmp ipseccmd -p Pass1151 -r Pass1151 -f 125.39.89.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1151 -r Pass1151 -f 125.39.89.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns2C.tmp ipseccmd -p Pass1163 -r Pass1163 -f 220.181.103.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1163 -r Pass1163 -f 220.181.103.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1162 -r Pass1162 -f 220.181.102.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1161 -r Pass1161 -f 220.181.101.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns2B.tmp ipseccmd -p Pass1162 -r Pass1162 -f 220.181.102.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns1D.tmp ipseccmd -p Pass17 -r Pass17 -f 119.147.9.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block8 -r Block8 -f 220.181.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\nsC.tmp ipseccmd -p Block9 -r Block9 -f 221.194.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\nsB.tmp ipseccmd -p Block8 -r Block8 -f 220.181.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\nsA.tmp ipseccmd -p Block6 -r Block6 -f 125.39.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block6 -r Block6 -f 125.39.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\mysetup.exe
%TEMP%\nsxF.tmp\ns10.tmp sc create DpSvrLookup binpath= "%PROGRAM_FILES%\beike\dptsvr.exe" type= share start= auto displayname= "ISATAP And Teredo To Cache Services"
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block0 -r Block0 -f 118.145.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block9 -r Block9 -f 221.194.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\nsD.tmp ipseccmd -p Block0 -r Block0 -f 118.145.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block1 -r BlockTCP -f 119.147.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\ns7.tmp ipseccmd -p Block2 -r BlockNEW -f 119.188.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\ns6.tmp ipseccmd -p Block1 -r BlockTCP -f 119.147.*.*+0 -n BLOCK -x
<Текущая директория>\mzone-0001.exe
%TEMP%\nsx2.tmp\ns5.tmp sc start PolicyAgent
%TEMP%\nsx2.tmp\ns9.tmp ipseccmd -p Block4 -r BlockTHREE -f 124.238.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block4 -r BlockTHREE -f 124.238.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block3 -r BlockTWO -f 122.70.*.*+0 -n BLOCK -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Block2 -r BlockNEW -f 119.188.*.*+0 -n BLOCK -x
%TEMP%\nsx2.tmp\ns8.tmp ipseccmd -p Block3 -r BlockTWO -f 122.70.*.*+0 -n BLOCK -x
%TEMP%\nsxF.tmp\ns11.tmp sc description DpSvrLookup "К№УГ IPv6 ЧЄ»»јјКх(6to4ЎўISATAPЎў¶ЛїЪґъАнєН Teredo)єН IP-HTTPS Мб№©ЅшРР»ҐБЄНшдЇААјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМб№©µДјУЛЩ№¦ДЬЎЈ"
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass13 -r Pass13 -f 119.147.21.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns1A.tmp ipseccmd -p Pass14 -r Pass14 -f 119.147.41.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns19.tmp ipseccmd -p Pass13 -r Pass13 -f 119.147.21.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns18.tmp ipseccmd -p Pass12 -r Pass12 -f 119.147.182.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass12 -r Pass12 -f 119.147.182.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns1C.tmp ipseccmd -p Pass16 -r Pass16 -f 119.147.74.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass16 -r Pass16 -f 119.147.74.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass15 -r Pass15 -f 119.147.64.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass14 -r Pass14 -f 119.147.41.*+0 -n PASS -x
%TEMP%\nsx2.tmp\ns1B.tmp ipseccmd -p Pass15 -r Pass15 -f 119.147.64.*+0 -n PASS -x
%TEMP%\nsxF.tmp\ns14.tmp sc start TimerWorks
%TEMP%\nsx2.tmp\ns15.tmp ipseccmd -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
%TEMP%\nsxF.tmp\ns13.tmp sc create TimerWorks binpath= <SYSTEM32>\studomn\TimerWorks.sys type= kernel start= system group= Base tag= yes
%TEMP%\nsxF.tmp\ns12.tmp sc start DpSvrLookup
%PROGRAM_FILES%\beike\dptsvr.exe
%TEMP%\nsx2.tmp\ns17.tmp ipseccmd -p Pass11 -r Pass11 -f 119.147.15.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass11 -r Pass11 -f 119.147.15.*+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
%TEMP%\nsx2.tmp\ns16.tmp ipseccmd -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x

Запускает на исполнение:

<SYSTEM32>\sc.exe start DpSvrLookup
<SYSTEM32>\sc.exe create TimerWorks binpath= <SYSTEM32>\studomn\TimerWorks.sys type= kernel start= system group= Base tag= yes
<SYSTEM32>\sc.exe start TimerWorks
<SYSTEM32>\sc.exe start PolicyAgent
<SYSTEM32>\sc.exe create DpSvrLookup binpath= "%PROGRAM_FILES%\beike\dptsvr.exe" type= share start= auto displayname= "ISATAP And Teredo To Cache Services"
<SYSTEM32>\sc.exe description DpSvrLookup "К№УГ IPv6 ЧЄ»»јјКх(6to4ЎўISATAPЎў¶ЛїЪґъАнєН Teredo)єН IP-HTTPS Мб№©ЅшРР»ҐБЄНшдЇААјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМб№©µДјУЛЩ№¦ДЬЎЈ"

Изменения в файловой системе:

Создает следующие файлы:

%TEMP%\nsx2.tmp\ns19.tmp
%TEMP%\nsx2.tmp\ns1A.tmp
%TEMP%\nsx2.tmp\ns17.tmp
%TEMP%\nsx2.tmp\ns18.tmp
%TEMP%\nsx2.tmp\ns1B.tmp
%TEMP%\nsx2.tmp\ns1E.tmp
%TEMP%\nsx2.tmp\ns1F.tmp
%TEMP%\nsx2.tmp\ns1C.tmp
%TEMP%\nsx2.tmp\ns1D.tmp
%WINDIR%\pro.pac
<SYSTEM32>\studomn\TimerWorks.sys
%TEMP%\nsxF.tmp\ns12.tmp
%PROGRAM_FILES%\beike\pro.txt
%TEMP%\nsxF.tmp\ns13.tmp
%TEMP%\nsx2.tmp\ns15.tmp
%TEMP%\nsx2.tmp\ns16.tmp
%TEMP%\nsxF.tmp\ns14.tmp
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\ol[1].asp
%TEMP%\nsx2.tmp\ns2B.tmp
%TEMP%\nsx2.tmp\ns2C.tmp
%TEMP%\nsx2.tmp\ns29.tmp
%TEMP%\nsx2.tmp\ns2A.tmp
%TEMP%\nsx2.tmp\ns2D.tmp
%TEMP%\nsx2.tmp\ns30.tmp
%TEMP%\nsx2.tmp\ns31.tmp
%TEMP%\nsx2.tmp\ns2E.tmp
%TEMP%\nsx2.tmp\ns2F.tmp
%TEMP%\nsx2.tmp\ns22.tmp
%TEMP%\nsx2.tmp\ns23.tmp
%TEMP%\nsx2.tmp\ns20.tmp
%TEMP%\nsx2.tmp\ns21.tmp
%TEMP%\nsx2.tmp\ns24.tmp
%TEMP%\nsx2.tmp\ns27.tmp
%TEMP%\nsx2.tmp\ns28.tmp
%TEMP%\nsx2.tmp\ns25.tmp
%TEMP%\nsx2.tmp\ns26.tmp
%TEMP%\nsx2.tmp\nsisplugin.dll
%PROGRAM_FILES%\FeixinMedia\ipseccmd.exe
%TEMP%\nss4.tmp\modern-wizard.bmp
%TEMP%\nss4.tmp\InstallOptions.dll
%TEMP%\nsx2.tmp\nsExec.dll
%TEMP%\nsx2.tmp\ns7.tmp
%TEMP%\nsx2.tmp\ns8.tmp
%TEMP%\nsx2.tmp\ns5.tmp
%TEMP%\nsx2.tmp\ns6.tmp
<Текущая директория>\mzone-0001.exe
%TEMP%\nsx2.tmp\System.dll
%PROGRAM_FILES%\FeixinMedia\menu.xml
%PROGRAM_FILES%\FeixinMedia\s0001.xml
%PROGRAM_FILES%\FeixinMedia\temp0208025000378.ini
%TEMP%\nsx2.tmp\Internet.dll
%TEMP%\nss4.tmp\ioSpecial.ini
%PROGRAM_FILES%\FeixinMedia\un0208025000378.exe
%TEMP%\nsx2.tmp\nsRandom.dll
%PROGRAM_FILES%\beike\suject.db
%PROGRAM_FILES%\beike\TimerWorks.sys
%PROGRAM_FILES%\beike\TimerWorks-nos.sys
%PROGRAM_FILES%\beike\dptsvr.exe
%TEMP%\nsxF.tmp\AccessControl.dll
%TEMP%\nsxF.tmp\ns10.tmp
%TEMP%\nsxF.tmp\ns11.tmp
%TEMP%\nsxF.tmp\System.dll
%TEMP%\nsxF.tmp\nsExec.dll
%TEMP%\nsx2.tmp\nsB.tmp
%TEMP%\nsx2.tmp\nsC.tmp
%TEMP%\nsx2.tmp\ns9.tmp
%TEMP%\nsx2.tmp\nsA.tmp
%TEMP%\nsx2.tmp\nsD.tmp
%PROGRAM_FILES%\beike\ypac.txt
%PROGRAM_FILES%\beike\msxml2.dll
%PROGRAM_FILES%\FeixinMedia\mysetup.exe
%PROGRAM_FILES%\beike\sqlite3.dll

Удаляет следующие файлы:

%TEMP%\nsx2.tmp\ns20.tmp
%TEMP%\nsx2.tmp\ns1F.tmp
%TEMP%\nsx2.tmp\ns1E.tmp
%TEMP%\nsx2.tmp\ns23.tmp
%TEMP%\nsx2.tmp\ns22.tmp
%TEMP%\nsx2.tmp\ns21.tmp
%TEMP%\nsx2.tmp\ns1A.tmp
%TEMP%\nsx2.tmp\ns19.tmp
%TEMP%\nsx2.tmp\ns18.tmp
%TEMP%\nsx2.tmp\ns1D.tmp
%TEMP%\nsx2.tmp\ns1C.tmp
%TEMP%\nsx2.tmp\ns1B.tmp
%TEMP%\nsx2.tmp\ns24.tmp
%TEMP%\nsx2.tmp\ns2D.tmp
%TEMP%\nsx2.tmp\ns2C.tmp
%TEMP%\nsx2.tmp\ns2B.tmp
%TEMP%\nsx2.tmp\ns30.tmp
%TEMP%\nsx2.tmp\ns2F.tmp
%TEMP%\nsx2.tmp\ns2E.tmp
%TEMP%\nsx2.tmp\ns27.tmp
%TEMP%\nsx2.tmp\ns26.tmp
%TEMP%\nsx2.tmp\ns25.tmp
%TEMP%\nsx2.tmp\ns2A.tmp
%TEMP%\nsx2.tmp\ns29.tmp
%TEMP%\nsx2.tmp\ns28.tmp
%TEMP%\nsx2.tmp\nsD.tmp
%TEMP%\nsx2.tmp\nsC.tmp
%TEMP%\nsx2.tmp\nsB.tmp
%TEMP%\nsxF.tmp\ns12.tmp
%TEMP%\nsxF.tmp\ns11.tmp
%TEMP%\nsxF.tmp\ns10.tmp
%TEMP%\nsx2.tmp\ns7.tmp
%TEMP%\nsx2.tmp\ns6.tmp
%TEMP%\nsx2.tmp\ns5.tmp
%TEMP%\nsx2.tmp\nsA.tmp
%TEMP%\nsx2.tmp\ns9.tmp
%TEMP%\nsx2.tmp\ns8.tmp
%TEMP%\nsxF.tmp\ns13.tmp
%PROGRAM_FILES%\FeixinMedia\menu.xml
%PROGRAM_FILES%\FeixinMedia\s0001.xml
%PROGRAM_FILES%\FeixinMedia\mysetup.exe
%TEMP%\nsx2.tmp\ns17.tmp
%TEMP%\nsx2.tmp\ns16.tmp
%TEMP%\nsx2.tmp\ns15.tmp
%PROGRAM_FILES%\beike\TimerWorks-nos.sys
%PROGRAM_FILES%\beike\TimerWorks.sys
%TEMP%\nsxF.tmp\ns14.tmp
%TEMP%\nsxF.tmp\System.dll
%TEMP%\nsxF.tmp\nsExec.dll
%TEMP%\nsxF.tmp\AccessControl.dll

Сетевая активность:

Подключается к:

'localhost':1037
'tj.#ones.cn':80

TCP:

Запросы HTTP GET:

tj.#ones.cn/ol.asp?t=################################
tj.#ones.cn/svr.asp?t=####################################

UDP:

DNS ASK tj.#ones.cn

Другое:

Ищет следующие окна:

ClassName: 'Shell_TrayWnd' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней