Техническая информация
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\InitioVendor\CendaAES\AESUpdater.exe'
- '%PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\DPInst.exe' /S /SA
- '%TEMP%\is-N647T.tmp\<Имя вируса>.tmp' /SL5="$40036,1005122,51712,<Полный путь к вирусу>"
Изменения в файловой системе:
Создает следующие файлы:
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4
- %WINDIR%\DPINST.LOG
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4
- %PROGRAM_FILES%\InitioVendor\CendaAES\unins000.dat
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-G5III.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-8ALJ4.tmp
- %ALLUSERSPROFILE%\Start Menu\Programs\Initio Chip Utility For Vendor\Uninstall TOSHIBA FirmwrareUpdrade v1.03.lnk
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-S0242.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- <SYSTEM32>\DRVSTORE\ivusbhdd_5676DDEF28CE10F3A48BE3F302696BCF8C6F6B1C\ivusbWxp86.sys
- %WINDIR%\inf\oem3.PNF
- %WINDIR%\inf\oem3.inf
- <SYSTEM32>\DRVSTORE\ivusbhdd_5676DDEF28CE10F3A48BE3F302696BCF8C6F6B1C\ivusbWin732.sys
- <SYSTEM32>\DRVSTORE\ivusbhdd_5676DDEF28CE10F3A48BE3F302696BCF8C6F6B1C\IvUSBHDD.cat
- <SYSTEM32>\DRVSTORE\ivusbhdd_5676DDEF28CE10F3A48BE3F302696BCF8C6F6B1C\ivusbhdd.inf
- <SYSTEM32>\DRVSTORE\ivusbhdd_5676DDEF28CE10F3A48BE3F302696BCF8C6F6B1C\ivusbW2k86.sys
- <SYSTEM32>\DRVSTORE\ivusbhdd_5676DDEF28CE10F3A48BE3F302696BCF8C6F6B1C\ivusbWlh86.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-5HKHG.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-ILECC.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-P2QT1.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-M4V1S.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-VIRE8.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-NMUQQ.tmp
- %TEMP%\is-NKE05.tmp\_isetup\_RegDLL.tmp
- %TEMP%\is-N647T.tmp\<Имя вируса>.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-CJK27.tmp
- %TEMP%\is-NKE05.tmp\_isetup\_shfoldr.dll
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-5D4NA.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-2EBQ9.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-MMN54.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-59NGQ.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-6GFFA.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-CKJQU.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-E34SU.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-4LB2M.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-OU3L5.tmp
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-E9G6E.tmp
Присваивает атрибут 'скрытый' для следующих файлов:
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
Перемещает следующие файлы:
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-2EBQ9.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbWxp86.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-6GFFA.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbWxp64.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-MMN54.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbW2k86.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-OU3L5.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\IvUSBHDD.inf
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-CKJQU.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbhdd.cat
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-G5III.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbWin764.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-S0242.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\DPInst.exe
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-8ALJ4.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbWin732.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-59NGQ.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbWlh86.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\is-5HKHG.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Drivers\ivusbWlh64.sys
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-ILECC.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\iCommon.dll
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-VIRE8.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\iWNASPI32.dll
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-P2QT1.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\1530Class.dll
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-CJK27.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\unins000.exe
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-NMUQQ.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\AESUpdater.exe
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-E34SU.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\C800.NVM
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-E9G6E.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\Security Application V1.02.iso
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-4LB2M.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\PIO_1607E_V2.50B013.bta
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-M4V1S.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\SPTIASPI.DLL
- %PROGRAM_FILES%\InitioVendor\CendaAES\is-5D4NA.tmp в %PROGRAM_FILES%\InitioVendor\CendaAES\difxapi.dll
Сетевая активность:
Подключается к:
- '20#.#6.232.182':80
- 'wp#d':80
TCP:
Запросы HTTP GET:
- 20#.#6.232.182/pki/crl/products/tspca.crl
- 20#.#6.232.182/pki/crl/products/MicWinHarComPCA_2008-01-08.crl
- wp#d/wpad.dat
UDP:
- DNS ASK crl.microsoft.com
- DNS ASK wp#d
Другое:
Ищет следующие окна:
- ClassName: '' WindowName: ' '
- ClassName: 'Shell_TrayWnd' WindowName: ''
