Trojan.DownLoader6.9377

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = '<Full path to virus>'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'run' = ' <Full path to virus>'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe, <Full path to virus>'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Antivirus' = '<Full path to virus>'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Antivirus' = '<Full path to virus>'
[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = ' <Full path to virus>'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 'Windows Antivirus' = '<Full path to virus>'

Malicious functions:

Executes the following:

%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\uw_8aunm.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC.tmp" "%TEMP%\vbcB.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\3-u1bimr.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA.tmp" "%TEMP%\vbc9.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\55hxd-md.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES10.tmp" "%TEMP%\vbcF.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\fiwfghqe.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE.tmp" "%TEMP%\vbcD.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\gsspsmr8.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "%TEMP%\vbc3.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\e5o7ccuj.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\vbc1.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\mok8daha.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8.tmp" "%TEMP%\vbc7.tmp"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig @"%TEMP%\jrycsvxr.cmdline"
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6.tmp" "%TEMP%\vbc5.tmp"

Modifies file system :

Creates the following files:

%TEMP%\uw_8aunm.out
%TEMP%\uw_8aunm.cmdline
%TEMP%\uw_8aunm.0.vb
%TEMP%\uw_8aunm.dll
%TEMP%\RESC.tmp
%TEMP%\vbcB.tmp
%TEMP%\3-u1bimr.out
%TEMP%\3-u1bimr.cmdline
%TEMP%\3-u1bimr.0.vb
%TEMP%\3-u1bimr.dll
%TEMP%\RESA.tmp
%TEMP%\vbc9.tmp
%TEMP%\55hxd-md.out
%TEMP%\55hxd-md.cmdline
%TEMP%\55hxd-md.0.vb
%TEMP%\55hxd-md.dll
%TEMP%\RES10.tmp
%TEMP%\vbcF.tmp
%TEMP%\fiwfghqe.out
%TEMP%\fiwfghqe.cmdline
%TEMP%\fiwfghqe.0.vb
%TEMP%\fiwfghqe.dll
%TEMP%\RESE.tmp
%TEMP%\vbcD.tmp
%TEMP%\gsspsmr8.out
%TEMP%\gsspsmr8.cmdline
%TEMP%\gsspsmr8.0.vb
%TEMP%\gsspsmr8.dll
%TEMP%\RES4.tmp
%TEMP%\vbc3.tmp
%TEMP%\e5o7ccuj.out
%TEMP%\e5o7ccuj.cmdline
%TEMP%\e5o7ccuj.0.vb
%TEMP%\e5o7ccuj.dll
%TEMP%\RES2.tmp
%TEMP%\vbc1.tmp
%TEMP%\mok8daha.out
%TEMP%\mok8daha.cmdline
%TEMP%\mok8daha.0.vb
%TEMP%\mok8daha.dll
%TEMP%\RES8.tmp
%TEMP%\vbc7.tmp
%TEMP%\jrycsvxr.out
%TEMP%\jrycsvxr.cmdline
%TEMP%\jrycsvxr.0.vb
%TEMP%\jrycsvxr.dll
%TEMP%\RES6.tmp
%TEMP%\vbc5.tmp

Deletes the following files:

%TEMP%\uw_8aunm.0.vb
%TEMP%\vbcB.tmp
%TEMP%\RESC.tmp
%TEMP%\uw_8aunm.out
%TEMP%\uw_8aunm.dll
%TEMP%\uw_8aunm.cmdline
%TEMP%\3-u1bimr.cmdline
%TEMP%\vbc9.tmp
%TEMP%\RESA.tmp
%TEMP%\3-u1bimr.dll
%TEMP%\3-u1bimr.out
%TEMP%\3-u1bimr.0.vb
%TEMP%\55hxd-md.0.vb
%TEMP%\vbcF.tmp
%TEMP%\RES10.tmp
%TEMP%\55hxd-md.dll
%TEMP%\55hxd-md.cmdline
%TEMP%\55hxd-md.out
%TEMP%\fiwfghqe.0.vb
%TEMP%\vbcD.tmp
%TEMP%\RESE.tmp
%TEMP%\fiwfghqe.dll
%TEMP%\fiwfghqe.out
%TEMP%\fiwfghqe.cmdline
%TEMP%\gsspsmr8.dll
%TEMP%\vbc3.tmp
%TEMP%\RES4.tmp
%TEMP%\gsspsmr8.out
%TEMP%\gsspsmr8.0.vb
%TEMP%\gsspsmr8.cmdline
%TEMP%\e5o7ccuj.dll
%TEMP%\vbc1.tmp
%TEMP%\RES2.tmp
%TEMP%\e5o7ccuj.0.vb
%TEMP%\e5o7ccuj.out
%TEMP%\e5o7ccuj.cmdline
%TEMP%\mok8daha.dll
%TEMP%\vbc7.tmp
%TEMP%\RES8.tmp
%TEMP%\mok8daha.cmdline
%TEMP%\mok8daha.0.vb
%TEMP%\mok8daha.out
%TEMP%\jrycsvxr.out
%TEMP%\vbc5.tmp
%TEMP%\RES6.tmp
%TEMP%\jrycsvxr.cmdline
%TEMP%\jrycsvxr.0.vb
%TEMP%\jrycsvxr.dll

Network activity:

Connects to:

'85.##7.220.130':6697

Miscellaneous:

Searches for the following windows:

ClassName: 'Indicator' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial