Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{JJKP340B-WUWN-R564-658V-JND13HT6ESCD}] 'StubPath' = '<SYSTEM32>\microsoft\windows.exe Restart'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{JJKP340B-WUWN-R564-658V-JND13HT6ESCD}] 'StubPath' = '<SYSTEM32>\microsoft\windows.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'Policies' = '<SYSTEM32>\microsoft\windows.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Policies' = '<SYSTEM32>\microsoft\windows.exe'
Вредоносные функции:
Создает и запускает на исполнение:
- '<SYSTEM32>\Microsoft\windows.exe'
- '%TEMP%\3.exe'
Запускает на исполнение:
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\Microsoft\windows.exe'
- '%TEMP%\IDM_Setup_Temp\IDM1.tmp' -d "%TEMP%\IDM_Setup_Temp\"
- '%TEMP%\3.exe'
- '%TEMP%\idman613.exe'
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\alg.exe
большое количество пользовательских процессов.
Изменения в файловой системе:
Создает следующие файлы:
- %TEMP%\IDM_Setup_Temp\IDM53.tmp
- %TEMP%\IDM_Setup_Temp\IDM54.tmp
- %TEMP%\IDM_Setup_Temp\IDM52.tmp
- %TEMP%\IDM_Setup_Temp\IDM50.tmp
- %TEMP%\IDM_Setup_Temp\IDM51.tmp
- %TEMP%\IDM_Setup_Temp\IDM58.tmp
- %TEMP%\IDM_Setup_Temp\IDM59.tmp
- %TEMP%\IDM_Setup_Temp\IDM57.tmp
- %TEMP%\IDM_Setup_Temp\IDM55.tmp
- %TEMP%\IDM_Setup_Temp\IDM56.tmp
- %TEMP%\IDM_Setup_Temp\IDM49.tmp
- %TEMP%\IDM_Setup_Temp\IDM42.tmp
- %TEMP%\IDM_Setup_Temp\IDM43.tmp
- %TEMP%\IDM_Setup_Temp\IDM41.tmp
- %TEMP%\IDM_Setup_Temp\IDM39.tmp
- %TEMP%\IDM_Setup_Temp\IDM40.tmp
- %TEMP%\IDM_Setup_Temp\IDM47.tmp
- %TEMP%\IDM_Setup_Temp\IDM48.tmp
- %TEMP%\IDM_Setup_Temp\IDM46.tmp
- %TEMP%\IDM_Setup_Temp\IDM44.tmp
- %TEMP%\IDM_Setup_Temp\IDM45.tmp
- %TEMP%\IDM_Setup_Temp\IDM60.tmp
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
- <SYSTEM32>\Microsoft\windows.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %TEMP%\IDM_Setup_Temp\IDM72.tmp
- %TEMP%\IDM_Setup_Temp\IDM73.tmp
- %TEMP%\UuU.uUu
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new
- %TEMP%\XxX.xXx
- %TEMP%\XX--XX--XX.txt
- %APPDATA%\logs.dat
- %TEMP%\IDM_Setup_Temp\IDM71.tmp
- %TEMP%\IDM_Setup_Temp\IDM64.tmp
- %TEMP%\IDM_Setup_Temp\IDM65.tmp
- %TEMP%\IDM_Setup_Temp\IDM63.tmp
- %TEMP%\IDM_Setup_Temp\IDM61.tmp
- %TEMP%\IDM_Setup_Temp\IDM62.tmp
- %TEMP%\IDM_Setup_Temp\IDM69.tmp
- %TEMP%\IDM_Setup_Temp\IDM70.tmp
- %TEMP%\IDM_Setup_Temp\IDM68.tmp
- %TEMP%\IDM_Setup_Temp\IDM66.tmp
- %TEMP%\IDM_Setup_Temp\IDM67.tmp
- %TEMP%\IDM_Setup_Temp\IDM10.tmp
- %TEMP%\IDM_Setup_Temp\IDM11.tmp
- %TEMP%\IDM_Setup_Temp\IDM9.tmp
- %TEMP%\IDM_Setup_Temp\IDM7.tmp
- %TEMP%\IDM_Setup_Temp\IDM8.tmp
- %TEMP%\IDM_Setup_Temp\IDM15.tmp
- %TEMP%\IDM_Setup_Temp\IDM16.tmp
- %TEMP%\IDM_Setup_Temp\IDM14.tmp
- %TEMP%\IDM_Setup_Temp\IDM12.tmp
- %TEMP%\IDM_Setup_Temp\IDM13.tmp
- %TEMP%\IDM_Setup_Temp\IDM6.tmp
- %TEMP%\idman613.exe
- %TEMP%\IDM_Setup_Temp\IDM0.tmp
- %TEMP%\aut2.tmp
- %TEMP%\aut1.tmp
- %TEMP%\3.exe
- %TEMP%\IDM_Setup_Temp\IDM4.tmp
- %TEMP%\IDM_Setup_Temp\IDM5.tmp
- %TEMP%\IDM_Setup_Temp\IDM3.tmp
- %TEMP%\IDM_Setup_Temp\IDM1.tmp
- %TEMP%\IDM_Setup_Temp\IDM2.tmp
- %TEMP%\IDM_Setup_Temp\IDM17.tmp
- %TEMP%\IDM_Setup_Temp\IDM32.tmp
- %TEMP%\IDM_Setup_Temp\IDM33.tmp
- %TEMP%\IDM_Setup_Temp\IDM31.tmp
- %TEMP%\IDM_Setup_Temp\IDM29.tmp
- %TEMP%\IDM_Setup_Temp\IDM30.tmp
- %TEMP%\IDM_Setup_Temp\IDM37.tmp
- %TEMP%\IDM_Setup_Temp\IDM38.tmp
- %TEMP%\IDM_Setup_Temp\IDM36.tmp
- %TEMP%\IDM_Setup_Temp\IDM34.tmp
- %TEMP%\IDM_Setup_Temp\IDM35.tmp
- %TEMP%\IDM_Setup_Temp\IDM28.tmp
- %TEMP%\IDM_Setup_Temp\IDM21.tmp
- %TEMP%\IDM_Setup_Temp\IDM22.tmp
- %TEMP%\IDM_Setup_Temp\IDM20.tmp
- %TEMP%\IDM_Setup_Temp\IDM18.tmp
- %TEMP%\IDM_Setup_Temp\IDM19.tmp
- %TEMP%\IDM_Setup_Temp\IDM26.tmp
- %TEMP%\IDM_Setup_Temp\IDM27.tmp
- %TEMP%\IDM_Setup_Temp\IDM25.tmp
- %TEMP%\IDM_Setup_Temp\IDM23.tmp
- %TEMP%\IDM_Setup_Temp\IDM24.tmp
Присваивает атрибут 'скрытый' для следующих файлов:
- %APPDATA%\logs.dat
- <SYSTEM32>\Microsoft\windows.exe
Удаляет следующие файлы:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3660.284046
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3660.284078
- %TEMP%\aut2.tmp
- %TEMP%\aut1.tmp
- %TEMP%\3.exe
- %TEMP%\XX--XX--XX.txt
Перемещает следующие файлы:
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new в %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch в %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3660.284078
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch в %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3660.284046
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new в %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new в %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
Подменяет следующие файлы:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- %TEMP%\UuU.uUu
- %TEMP%\XxX.xXx
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Сетевая активность:
Подключается к:
- 'localhost':1037
UDP:
- DNS ASK www.se##er.com
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: ''
