Trojan.Inject1.36629

Техническая информация

Вредоносные функции:

Запускает на исполнение:

'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%PROGRAM_FILES%\Gator.com"
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%CommonProgramFiles%\GMT"
'<SYSTEM32>\attrib.exe' -r -s -h "%CommonProgramFiles%\GMT\GMT.exe"
'<SYSTEM32>\attrib.exe' -r -s -h "%CommonProgramFiles%\GMT\GUninstaller.exe"
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%ALLUSERSPROFILE%\Startmen№\Programme\Gator eWallet"
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%ALLUSERSPROFILE%\Startmen№\Programme\GAIN Publishing"
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%ALLUSERSPROFILE%\Start Menu\Programs\Gator eWallet"
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%ALLUSERSPROFILE%\Start Menu\Programs\GAIN Publishing"
'<SYSTEM32>\taskkill.exe' /f /im Gator.exe
'<SYSTEM32>\taskkill.exe' /f /im GMT.exe
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%PROGRAM_FILES%\AskBar"
'<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\AskTBar" /f
'<SYSTEM32>\attrib.exe' -r -s -h "%PROGRAM_FILES%\Gator.com\Gator\Gator.exe"
'<SYSTEM32>\attrib.exe' -r -s -h "%CommonProgramFiles%\GMT\Gator<Служебное имя>etup.exe"
'<SYSTEM32>\taskkill.exe' /f /im Gator<Служебное имя>etup.exe
'<SYSTEM32>\taskkill.exe' /f /im GUninstaller.exe
'<SYSTEM32>\systeminfo.exe' /pid=2964
'<SYSTEM32>\findstr.exe' -r -s -h "C:cmdlnPIC00732010-JPG-www-facebook-com.scr"
'<SYSTEM32>\attrib.exe' -r -s -h "%WINDIR%\msnmgr.exe"
'<SYSTEM32>\attrib.exe' -r -s -h "C:cmdlnmsnmgr.exe"
'<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "sysconfig32" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Userinit" /f
'<SYSTEM32>\attrib.exe' -r -s -h "C:cmdlnPIC01842010-JPG-www-facebook-com.scr"
'<SYSTEM32>\attrib.exe' -r -s -h "C:cmdlnJPG-www-facebook-com.scr"
'<SYSTEM32>\taskkill.exe' /f /im sysconfig32.exe
'<SYSTEM32>\taskkill.exe' /f /im msnmgr.exe
'<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trickler" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Trickler" /f
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\sysconfig32.exe"
'<SYSTEM32>\attrib.exe' -r -s -h "C:cmdlnsysconfig32.exe"
'<SYSTEM32>\taskkill.exe' /f /im PIC00732010-JPG-www-facebook-com.scr
'<SYSTEM32>\taskkill.exe' /f /im PIC01842010-JPG-www-facebook-com.scr
'<SYSTEM32>\attrib.exe' -r -s -h /S /D "%PROGRAM_FILES%\MyWebSearch"
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet\UseRWHlinkNavigation" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CLASSES_ROOT\icofile\Shell" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\XTZY" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /f
'<SYSTEM32>\systeminfo.exe'
'<SYSTEM32>\findstr.exe' /I deutsch "%HOMEPATH%\sctest.txt"
'<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings" /v "Enable" /t "REG_DWORD" /d "1" /f
'<SYSTEM32>\cscript.exe' "%TEMP%\sysrestore.vbs"
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\WinRAR\General\LastFolder" /f
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\OpenWithList" /f
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\WinRAR\ArcHistory" /f
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdsslog.dll"
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdssservers.dat"
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdssmain.dll"
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdssinit.dll"
'<SYSTEM32>\taskkill.exe' /f /im MWSOEMON.EXE
'<SYSTEM32>\taskkill.exe' /f /im mwssvc.exe
'<SYSTEM32>\attrib.exe' -r -s -h "<DRIVERS>\tdssserv.sys"
'<SYSTEM32>\taskkill.exe' /f /im M3SRCHMN.EXE
'<SYSTEM32>\findstr.exe' Path "%APPDATA%\Thunderbird\profiles.ini"
'<SYSTEM32>\net.exe' stop srservice
'<SYSTEM32>\reg.exe' DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tmp" /f
'<SYSTEM32>\findstr.exe' Path "%APPDATA%\Mozilla\Firefox\profiles.ini"
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdssl.dll"
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdssserf.dll"
'<SYSTEM32>\net1.exe' stop srservice
'<SYSTEM32>\attrib.exe' -r -s -h "<SYSTEM32>\tdssadw.dll"

Внедряет код в

следующие системные процессы:

<SYSTEM32>\findstr.exe

Изменения в файловой системе:

Создает следующие файлы:

C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\drivetable.txt
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\drivetable.txt
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\RestorePointSize
%HOMEPATH%\sctest.txt
%HOMEPATH%\Desktop\fastclean.log
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
%TEMP%\~1.bat
%TEMP%\sysrestore.vbs
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\rp.log
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT

Присваивает атрибут 'скрытый' для следующих файлов:

%TEMP%\~1.bat

Удаляет следующие файлы:

<SYSTEM32>\CatRoot2\edb00015.log
<SYSTEM32>\CatRoot2\edb00014.log
<SYSTEM32>\CatRoot2\edb00016.log
<SYSTEM32>\CatRoot2\res1.log
<SYSTEM32>\CatRoot2\edb00017.log
<SYSTEM32>\CatRoot2\edb00010.log
<SYSTEM32>\CatRoot2\edb0000F.log
<SYSTEM32>\CatRoot2\edb00011.log
<SYSTEM32>\CatRoot2\edb00013.log
<SYSTEM32>\CatRoot2\edb00012.log
%WINDIR%\Debug\blastcln.log
<SYSTEM32>\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TimeStamp
%WINDIR%\Debug\NetSetup.LOG
%WINDIR%\setupapi.log
%WINDIR%\Debug\UserMode\userenv.log
<SYSTEM32>\CatRoot2\tmp.edb
<SYSTEM32>\CatRoot2\res2.log
<SYSTEM32>\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
<SYSTEM32>\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
<SYSTEM32>\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TimeStamp
<SYSTEM32>\CatRoot2\edb0000E.log
<SYSTEM32>\wbem\Logs\mofcomp.log
<SYSTEM32>\wbem\Logs\FrameWork.log
<SYSTEM32>\wbem\Logs\replog.log
<SYSTEM32>\wbem\Logs\wbemcore.log
<SYSTEM32>\wbem\Logs\setup.log
%HOMEPATH%\sctest.txt
%TEMP%\sysrestore.vbs
%WINDIR%\setupact.log
%WINDIR%\Temp\Perflib_Perfdata_7e8.dat
%WINDIR%\setuperr.log
<SYSTEM32>\CatRoot2\dberr.txt
%WINDIR%\0.log
<SYSTEM32>\CatRoot2\edb.chk
<SYSTEM32>\CatRoot2\edb0000D.log
<SYSTEM32>\CatRoot2\edb.log
<SYSTEM32>\wbem\Logs\wbemess.lo_
<SYSTEM32>\wbem\Logs\wbemess.log
<SYSTEM32>\wbem\Logs\wbemprox.log
<SYSTEM32>\wbem\Logs\wmiprov.log
<SYSTEM32>\wbem\Logs\wmiadap.log

Другое:

Ищет следующие окна:

ClassName: '(null)' WindowName: '(null)'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней