Adware.Downware.1237

Техническая информация

Вредоносные функции:

Создает и запускает на исполнение:

'%TEMP%\nssBFE6.tmp\BI.exe' { "user_ie_security_level" : "" , "json_send_time" : "29/5/2013 16:17:41:784" , "internal_error_description" : "HttpPost result: try1- Cannot load xml file %TEMP%\nssBFE6.tmp\offer.xml; try2- Cannot load xml file %TEMP%\nssBFE6.tmp\offer.xml; try3- Cannot load xml file %TEMP%\nssBFE6.tmp\offer.xml" , "internal_error_number" : "3" , "is_parallel" : "0" , "mrs_id" : "" , "vector_id" : "" , "rule_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "542924" , "general_status_code" : "3" , "duration_details" : " InitPluginsDir:15 initializeParams:328 load_BITool:78 send_BI_Init:93 load_DownloadACC:125 retrieveUISource:31 unpack_webappfolder:0 unpack_icon:16 RetrieveMainOfferKey:0 unpack_OpenCandyDll:452 load_webapphost:0 unpack_ProxyInstaller:32 navigate_loadingUI:1263 navigateAsync_constMainOffer:47 BuildUserProfile:47 retrieve cid:0 callService1:12807 callService1:2746 callService1:2278 " , "phase_duration" : "" , "error_details" : "Error Parsing the offer xml response file" , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "31" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "a795752f-18e1-4acb-966e-a7b0066c5f72" , "machine_user_id" : "{99C32747-88F2-4AA8-BE8C-1D27A7D7E1C4}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "4F91B5DE-8C68-4BB1-80CD-064574BDCA1A" , "publisher_internal_id" : "27" , "publisher_id" : "Avi Goldfinger" , "publisher_account_id" : "Avi_Goldfinger" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
'%TEMP%\nssBFE6.tmp\BI.exe' { "json_send_time" : "29/5/2013 16:17:21:816" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "542924" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "31" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "a795752f-18e1-4acb-966e-a7b0066c5f72" , "machine_user_id" : "{99C32747-88F2-4AA8-BE8C-1D27A7D7E1C4}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "4F91B5DE-8C68-4BB1-80CD-064574BDCA1A" , "publisher_internal_id" : "27" , "publisher_id" : "Avi Goldfinger" , "publisher_account_id" : "Avi_Goldfinger" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }

Изменения в файловой системе:

Создает следующие файлы:

<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\background_gradient[1]
%TEMP%\nssBFE6.tmp\offer.xml
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\background_gradient[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\info_48[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\httpErrorPagesScripts[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\httpErrorPagesScripts[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\info_48[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\info_48[1]
%TEMP%\nsn1391.tmp\inetc.dll
%TEMP%\nsi1381.tmp
%TEMP%\nsn1391.tmp\a.txt
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\IE9CompatViewList[1].xml
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\fwlink[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\542618[3]
%TEMP%\nssC514.tmp\a.txt
%TEMP%\nssBFE6.tmp\xml.dll
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\542618[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\542618[2]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\542618[1]
%TEMP%\nssBFE6.tmp\icon.png
%TEMP%\nssBFE6.tmp\Failed.htm
%TEMP%\nssBFE6.tmp\OCSetupHlp.dll
%TEMP%\nsdC504.tmp
%TEMP%\nssBFE6.tmp\ProxyInstaller.exe
%TEMP%\nssBFE6.tmp\DownloadACC.exe
%TEMP%\nssBFE6.tmp\System.dll
%TEMP%\nsyBFB7.tmp
%TEMP%\nssBFE6.tmp\webapphost.dll
%TEMP%\nssBFE6.tmp\DM_loader.gif
%TEMP%\nssBFE6.tmp\BI.exe
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\ErrorPageTemplate[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\errorPageStrings[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\errorPageStrings[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\errorPageStrings[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ErrorPageTemplate[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ErrorPageTemplate[1]
%TEMP%\nssC514.tmp\inetc.dll
%TEMP%\nssBFE6.tmp\inetc.dll
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\navcancl[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\navcancl[1]

Удаляет следующие файлы:

<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\info_48[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\info_48[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\bullet[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\background_gradient[1]
%TEMP%\nsn1391.tmp\a.txt
%TEMP%\nsn1391.tmp\inetc.dll
%TEMP%\nssC514.tmp\inetc.dll
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\background_gradient[1]
%TEMP%\nssC514.tmp\a.txt
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\errorPageStrings[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\ErrorPageTemplate[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ErrorPageTemplate[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\navcancl[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YF7T7AK2\navcancl[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\errorPageStrings[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\httpErrorPagesScripts[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\info_48[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\httpErrorPagesScripts[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOWDBRP7\ErrorPageTemplate[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\SOXZEUJX\errorPageStrings[1]

Сетевая активность:

Подключается к:

'20#.#6.232.182':80
'localhost':60837
'localhost':52136
'20#.#6.232.182':443
'of######.#######.distributionengine.conduit-services.com':80
'localhost':49740
'cm#.########tionengine.conduit-services.com':80
'ud#.###duit-data.com':80

TCP:

Запросы HTTP GET:

cm#.########tionengine.conduit-services.com//MainOffer/542618/?Cu#############################################################
20#.#6.232.182/fwlink/?Li########################################
20#.#6.232.182/IE9CompatViewList.xml
cm#.########tionengine.conduit-services.com//Global/Failed/542618/
cm#.########tionengine.conduit-services.com//Global/ProgressBar/542618/
cm#.########tionengine.conduit-services.com//Global/Succuess/542618/

Запросы HTTP POST:

ud#.###duit-data.com/

UDP:

DNS ASK ur#.##crosoft.com
DNS ASK dn#.##ftncsi.com
DNS ASK ie######t.ie.microsoft.com
DNS ASK go.###rosoft.com
DNS ASK of######.#######.distributionengine.conduit-services.com
DNS ASK ud#.###duit-data.com
DNS ASK cm#.########tionengine.conduit-services.com

Другое:

Ищет следующие окна:

ClassName: 'MS_WebCheckMonitor' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'OleMainThreadWndClass' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней