Trojan.MulDrop11.25796

Technical Information

To ensure autorun and distribution

Creates the following files on removable media

<Drive name for removable media>:\correct.avi.hcy!
<Drive name for removable media>:\sdszfo.docx.hcy!
<Drive name for removable media>:\issi2013_template_for_posters.docx.hcy!
<Drive name for removable media>:\february_catalogue__2015.doc.hcy!
<Drive name for removable media>:\cveuropeo.doc.hcy!
<Drive name for removable media>:\508softwareandos.doc.hcy!
<Drive name for removable media>:\weeklysheet1215.doc.hcy!
<Drive name for removable media>:\hanni_umami_chapter.doc.hcy!
<Drive name for removable media>:\file_p_00000000_1371597592.docx.hcy!
<Drive name for removable media>:\testee.cer.hcy!
<Drive name for removable media>:\contoso_1.cer.hcy!
<Drive name for removable media>:\sdkfailsafeemulator.cer.hcy!
<Drive name for removable media>:\contosoroot_1.cer.hcy!
<Drive name for removable media>:\delete.avi.hcy!
<Drive name for removable media>:\join.avi.hcy!
<Drive name for removable media>:\archer.avi.hcy!
<Drive name for removable media>:\hildacryptreadme.html
<Drive name for removable media>:\contoso.cer.hcy!
<Drive name for removable media>:\adhd_and_obesity.docx.hcy!

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Executes the following

'%WINDIR%\syswow64\net.exe' stop SQLAgent$SYSTEM_BGC /y
'%WINDIR%\syswow64\net.exe' stop bedbg /y
'%WINDIR%\syswow64\net.exe' stop MSSQLSERVER /y
'%WINDIR%\syswow64\net.exe' stop KAVFS /y
'%WINDIR%\syswow64\net.exe' stop Smcinst /y
'%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper100 /y
'%WINDIR%\syswow64\net.exe' stop TmCCSF /y
'%WINDIR%\syswow64\net.exe' stop wbengine /y
'%WINDIR%\syswow64\net.exe' stop SQLWriter /y
'%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈSophos Health ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPS /y
'%WINDIR%\syswow64\net.exe' stop swi_update /y
'%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$SYSTEM_BGC /y
'%WINDIR%\syswow64\net.exe' stop VeeamBrokerSvc /y
'%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
'%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$TPS /y
'%WINDIR%\syswow64\net.exe' stop DCAgent /y
'%WINDIR%\syswow64\net.exe' stop SmcService /y
'%WINDIR%\syswow64\net.exe' stop ReportServer$TPSAMA /y
'%WINDIR%\syswow64\net.exe' stop EPUpdateService /y
'%WINDIR%\syswow64\net.exe' stop SAVAdminService /y
'%WINDIR%\syswow64\net.exe' stop FA_Scheduler /y
'%WINDIR%\syswow64\net.exe' stop macmnsvc /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$ECWDB2 /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈZoolz 2 ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop McTaskManager /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈSophos AutoUpdate ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈSophos System Protection ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop EraserSvc11710 /y
'%WINDIR%\syswow64\net.exe' stop PDVFSService /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$PROFXENGAGEMENT /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈSophos Device Control ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop SAVService /y
'%WINDIR%\syswow64\net.exe' stop EPSecurityService /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$SOPHOS /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈSymantec System RecoveryΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop Antivirus /y
'%WINDIR%\syswow64\net.exe' stop SstpSvc /y
'%WINDIR%\syswow64\net.exe' stop MSOLAP$SQL_2008 /y
'%WINDIR%\syswow64\net.exe' stop TrueKeyServiceHelper /y
'%WINDIR%\syswow64\net.exe' stop sacsvr /y
'%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y
'%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPSAMA /y
'%WINDIR%\syswow64\net.exe' stop ΓГ‡ВЈSophos Message RouterΓГ‡ВҐ /y
'%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SBSMONITORING /y

Modifies file system

Creates the following files

%APPDATA%\{43104554-0e28-4d4e-b16a-884aa9f10296}\jkfgkgj3hjgfhjka.bat

Deletes the following files

<Drive name for removable media>:\parnas_01.jpeg.hcy!

Changes user data files extensions (Trojan.Encoder).

Miscellaneous

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c "%APPDATA%\{43104554-0e28-4d4e-b16a-884aa9f10296}\JKfgkgj3hjgfhjka.bat" & exit
'%WINDIR%\syswow64\net1.exe' stop sacsvr /y
'%WINDIR%\syswow64\net1.exe' stop VeeamNFSSvc /y
'%WINDIR%\syswow64\net1.exe' stop FA_Scheduler /y
'%WINDIR%\syswow64\net1.exe' stop SAVAdminService /y
'%WINDIR%\syswow64\net1.exe' stop EPUpdateService /y
'%WINDIR%\syswow64\net1.exe' stop VeeamTransportSvc /y
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈSophos Health ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net1.exe' stop bedbg /y
'%WINDIR%\syswow64\net1.exe' stop MSSQLSERVER /y
'%WINDIR%\syswow64\net1.exe' stop KAVFS /y
'%WINDIR%\syswow64\net1.exe' stop Smcinst /y
'%WINDIR%\syswow64\net1.exe' stop MSSQLServerADHelper100 /y
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈSophos Device Control ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net1.exe' stop TmCCSF /y
'%WINDIR%\syswow64\net1.exe' stop SQLWriter /y
'%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPS /y
'%WINDIR%\syswow64\net1.exe' stop SmcService /y
'%WINDIR%\syswow64\net1.exe' stop ReportServer$TPSAMA /y
'%WINDIR%\syswow64\net1.exe' stop swi_update /y
'%WINDIR%\syswow64\net1.exe' stop AcrSch2Svc /y
'%WINDIR%\syswow64\net1.exe' stop MSSQL$SYSTEM_BGC /y
'%WINDIR%\syswow64\net1.exe' stop VeeamBrokerSvc /y
'%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
'%WINDIR%\syswow64\net1.exe' stop VeeamDeploymentService /y
'%WINDIR%\syswow64\net1.exe' stop SQLAgent$TPS /y
'%WINDIR%\syswow64\net1.exe' stop DCAgent /y
'%WINDIR%\syswow64\net1.exe' stop MSOLAP$SQL_2008 /y
'%WINDIR%\syswow64\net1.exe' stop TrueKeyServiceHelper /y
'%WINDIR%\syswow64\net1.exe' stop SstpSvc /y
'%WINDIR%\syswow64\net1.exe' stop Antivirus /y
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈSymantec System RecoveryΓГ‡ВҐ /y
'<SYSTEM32>\vssvc.exe'
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=unbounded
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈSophos Message RouterΓГ‡ВҐ /y
'%WINDIR%\syswow64\net1.exe' stop wbengine /y
'%WINDIR%\syswow64\net1.exe' stop SQLAgent$SYSTEM_BGC /y
'%WINDIR%\syswow64\net1.exe' stop SQLAgent$ECWDB2 /y
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈZoolz 2 ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net1.exe' stop McTaskManager /y
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈSophos AutoUpdate ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net1.exe' stop ΓГ‡ВЈSophos System Protection ServiceΓГ‡ВҐ /y
'%WINDIR%\syswow64\net1.exe' stop EraserSvc11710 /y
'%WINDIR%\syswow64\net1.exe' stop PDVFSService /y
'%WINDIR%\syswow64\net1.exe' stop SQLAgent$PROFXENGAGEMENT /y
'%WINDIR%\syswow64\net1.exe' stop SAVService /y
'%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPSAMA /y
'%WINDIR%\syswow64\net1.exe' stop EPSecurityService /y
'%WINDIR%\syswow64\net1.exe' stop SQLAgent$SOPHOS /y
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=401MB
'%WINDIR%\syswow64\net1.exe' stop macmnsvc /y
'%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SBSMONITORING /y

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial