Trojan.DownLoader26.18188

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\SigREST] 'ImagePath' = '"%ProgramFiles%\Topaz Systems Inc\SigWeb\SigWeb.exe"'
[<HKLM>\SYSTEM\ControlSet001\Services\SigREST] 'Start' = '00000002'

Modifies file system:

Creates the following files:

<SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
<SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
<SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
%TEMP%\Cab12.tmp
<SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
%TEMP%\Cab17.tmp
%TEMP%\Cab19.tmp
%TEMP%\Cab15.tmp
%TEMP%\VSD14.tmp\install.log
%WINDIR%\Installer\2cd87.msi
%WINDIR%\SigPlus\Cert\~GLH0009.TMP
%TEMP%\Cab6.tmp
%WINDIR%\SigPlus\Cert\~GLH0008.TMP
%WINDIR%\SigPlus\Cert\~GLH0006.TMP
%WINDIR%\SigPlus\Cert\~GLH0007.TMP
%TEMP%\CabE.tmp
%TEMP%\Cab10.tmp
%TEMP%\CabC.tmp
%TEMP%\Cab8.tmp
%TEMP%\CabA.tmp
%TEMP%\Cab1B.tmp
%ProgramFiles%\Topaz Systems Inc\SigWeb\SigRESTHost.dll
%ProgramFiles%\Topaz Systems Inc\SigWeb\SigWeb.exe.config
%ProgramFiles%\Topaz Systems Inc\SigWeb\SigWeb.exe
%TEMP%\Cab28.tmp
%ProgramFiles%\Topaz Systems Inc\SigWeb\SigPlusNET.dll
%WINDIR%\Installer\MSI2B.tmp
%TEMP%\~DF17D8.tmp
%WINDIR%\Installer\2cd8b.msi
%WINDIR%\Installer\MSI2A.tmp
%ProgramFiles%\Topaz Systems Inc\SigWeb\SigWeb.InstallState
%WINDIR%\Installer\2cd89.ipi
%TEMP%\~DF370E.tmp
%WINDIR%\Installer\MSI1F.tmp
%WINDIR%\Installer\MSI1D.tmp
%TEMP%\CFG1E.tmp
%TEMP%\Cab24.tmp
%TEMP%\Cab26.tmp
%TEMP%\Cab22.tmp
%WINDIR%\Installer\MSI20.tmp
C:\Config.Msi\2cd8a.rbs
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
%TEMP%\GLK3.tmp
%TEMP%\GLB1.tmp
%TEMP%\GLC2.tmp
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
C:\Software\ProgVer.bat
C:\Software\CompatView.bat
C:\Software\KillIECheckNewVer.bat
C:\Software\RemoveDiscoCompatView.reg
C:\Software\CheckNewerVer.reg
C:\Software\SigWeb.exe
C:\Software\iexplore.exe
C:\Software\Readme.bat
C:\Software\ProgVer.reg
C:\Software\Sigpad Installer Readme.txt
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
%WINDIR%\SigPlus\SigWeb\~GLH0001.TMP
%WINDIR%\SigPlus\Cert\~GLH0004.TMP
%WINDIR%\SigPlus\Cert\~GLH0005.TMP
%WINDIR%\SigPlus\Cert\~GLH0003.TMP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
%WINDIR%\SigPlus\SigWeb\~GLH0002.TMP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
%WINDIR%\SigPlus\~GLH0000.TMP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
%TEMP%\GLG5.tmp

Deletes the following files:

%TEMP%\Cab26.tmp
%TEMP%\Cab28.tmp
%TEMP%\Cab24.tmp
%WINDIR%\Installer\MSI1F.tmp
%TEMP%\Cab22.tmp
%WINDIR%\Installer\MSI2A.tmp
%WINDIR%\Installer\2cd87.msi
%WINDIR%\Installer\2cd89.ipi
C:\Config.Msi\2cd8a.rbs
%WINDIR%\Installer\MSI20.tmp
%WINDIR%\Installer\MSI2B.tmp
%WINDIR%\Installer\MSI1D.tmp
%TEMP%\CabC.tmp
%TEMP%\CabE.tmp
%TEMP%\CabA.tmp
%TEMP%\Cab6.tmp
%TEMP%\Cab8.tmp
%TEMP%\Cab10.tmp
%TEMP%\Cab19.tmp
%TEMP%\Cab1B.tmp
%TEMP%\Cab17.tmp
%TEMP%\Cab12.tmp
%TEMP%\Cab15.tmp

Moves the following files:

from %WINDIR%\SigPlus\Cert\~GLH0006.TMP to %WINDIR%\SigPlus\Cert\swuc.exe
from %WINDIR%\SigPlus\Cert\~GLH0005.TMP to %WINDIR%\SigPlus\Cert\resetport.exe
from %WINDIR%\SigPlus\Cert\~GLH0007.TMP to %WINDIR%\SigPlus\Cert\ssl-certificate.pfx
from %WINDIR%\SigPlus\Cert\~GLH0009.TMP to %WINDIR%\SigPlus\Cert\sigweb_cert.exe
from %WINDIR%\SigPlus\Cert\~GLH0008.TMP to %WINDIR%\SigPlus\Cert\swhu.exe
from %WINDIR%\SigPlus\SigWeb\~GLH0001.TMP to %WINDIR%\SigPlus\SigWeb\SigWebSetup.msi
from %WINDIR%\SigPlus\~GLH0000.TMP to %WINDIR%\SigPlus\TopazLicense.txt
from %WINDIR%\SigPlus\SigWeb\~GLH0002.TMP to %WINDIR%\SigPlus\SigWeb\setup.exe
from %WINDIR%\SigPlus\Cert\~GLH0004.TMP to %WINDIR%\SigPlus\Cert\ResetPort.bat
from %WINDIR%\SigPlus\Cert\~GLH0003.TMP to %WINDIR%\SigPlus\Cert\ICert.bat

Network activity:

Connects to:

'sv.##mcb.com':80
'20#.#6.232.182':80
'wp#d':80
'download.windowsupdate.com':80

TCP:

HTTP GET requests:

http://sv.##mcb.com/sv.crt
http://crl.microsoft.com/pki/crl/products/CSPCA.crl via 20#.#6.232.182
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl via 20#.#6.232.182
http://11#.#11.111.1/wpad.dat via wp#d
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt via download.windowsupdate.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab via download.windowsupdate.com

UDP:

DNS ASK sv.##mcb.com
DNS ASK crl.microsoft.com
DNS ASK wp#d
DNS ASK www.download.windowsupdate.com

Miscellaneous:

Creates and executes the following:

'%WINDIR%\SigPlus\SigWeb\setup.exe' /quiet
'%ProgramFiles%\Topaz Systems Inc\SigWeb\SigWeb.exe'
'%WINDIR%\SigPlus\Cert\swuc.exe'
'C:\Software\SigWeb.exe' AA
'%TEMP%\GLB1.tmp' AA4736 C:\Software\SigWeb.exe

Executes the following:

'<SYSTEM32>\msiexec.exe' -Embedding 05B5D5A7465691275CF1A8B653C9F50A M Global\MSI0000
'<SYSTEM32>\svchost.exe' -k HTTPFilter
'<SYSTEM32>\msiexec.exe' -Embedding 24A0F312D0C18C745EDEB2E1A3548E03
'<SYSTEM32>\msiexec.exe' /V
'<SYSTEM32>\msiexec.exe' -I "%WINDIR%\SigPlus\SigWeb\SigWebSetup.msi" /quiet

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial