Trojan.Siggen17.65108

Добавлен в вирусную базу Dr.Web: 2022-06-04

Описание добавлено: 2022-06-06

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Classes\inffile\shell\open\command] '' = 'C:\Users\Public\ghostroot\Message.vbs %1 %*'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\installer.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-hang-ui.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdsched.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashreporter.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Classes\hlpfile\shell\open\command] '' = 'C:\Users\Public\ghostroot\Message.vbs'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Kevin' = 'C:\Users\Public\ghostroot\Kevin'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Kevin' = 'C:\Users\Public\ghostroot\Kevin'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msert.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecse.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procxp.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner32.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htaedit.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VirtualBox.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uTorrent.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninstall.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\student.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\Software\Classes\regfile\shell\open\command] '' = 'C:\Users\Public\ghostroot\Message.vbs %1 %*'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbsedit.exe] 'Debugger' = 'wscript.exe C:\Users\Public\ghostroot\Message.vbs'
[<HKLM>\Software\Classes\exefile\shell\open\command] '' = 'C:\Users\Public\ghostroot\Message.vbs %1 %*'

Malicious functions

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files
file extensions

blocks execution of the following system utilities:

Windows Task Manager (Taskmgr)

blocks the following features:

User Account Control (UAC)

modifies the following system settings:

[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSetTaskbar' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoTrayItemsDisplay' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoTrayContextMenu' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSaveSettings' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoControlPanel' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoStartMenuPinnedList' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoStartMenuMFUprogramsList' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSecurityTab' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSecurityTab' = '00000001'

Modifies file system

Creates the following files

C:\users\public\ghostroot\message.vbs
C:\users\public\ghostroot\starter.bat

Miscellaneous

Executes the following

'<SYSTEM32>\wscript.exe' "<PATH_SAMPLE>.vbs" /elevated
'<SYSTEM32>\cmd.exe' /c ""C:\Users\Public\ghostroot\starter.bat" "

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней