Trojan.Siggen9.39913

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\IDMWFP] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\IDMWFP] 'ImagePath' = 'system32\DRIVERS\idmwfp.sys'

Creates the following services

'IDMWFP' system32\DRIVERS\idmwfp.sys

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /im IDM*
'%WINDIR%\syswow64\taskkill.exe' /f /im IEMon*

Modifies file system

Creates the following files

%ProgramFiles(x86)%\idm\uninstall.exe
%ProgramFiles(x86)%\idm\libcrypto.dll
%ProgramFiles(x86)%\idm\languages\idm_chn2.lng
%ProgramFiles(x86)%\idm\iemonitor.exe
%ProgramFiles(x86)%\idm\iegetvl2.htm
%ProgramFiles(x86)%\idm\iegetvl.htm
%ProgramFiles(x86)%\idm\iegetall.htm
%ProgramFiles(x86)%\idm\ieext.htm
%ProgramFiles(x86)%\idm\idmwfp64.sys
%ProgramFiles(x86)%\idm\idmwfp32.sys
%ProgramFiles(x86)%\idm\idmwfp.inf
%ProgramFiles(x86)%\idm\idmwfp.cat
%ProgramFiles(x86)%\idm\idmvs.dll
%ProgramFiles(x86)%\idm\idmvmprs64.dll
%ProgramFiles(x86)%\idm\idmvmprs.dll
%ProgramFiles(x86)%\idm\idmvconv.dll
%ProgramFiles(x86)%\idm\idmtdi64.sys
%ProgramFiles(x86)%\idm\idmtdi32.sys
%ProgramFiles(x86)%\idm\libssl.dll
%ProgramFiles(x86)%\idm\mediumilstart.exe
%ProgramFiles(x86)%\idm\ref.reg
%ProgramFiles(x86)%\idm\toolbar\h3m_glossy\h3m_glossy_large_hot.bmp
%WINDIR%\temp\uddd3ad.tmp
<DRIVERS>\setcde1.tmp
%APPDATA%\idm\idmfc.dat
nul
%ProgramFiles(x86)%\idm\nsuninstall.dat
%APPDATA%\microsoft\windows\start menu\programs\idm\uninstall.lnk
%APPDATA%\microsoft\windows\start menu\programs\idm\idm.lnk
C:\users\public\desktop\idm.lnk
%ProgramFiles(x86)%\idm\toolbar\pureflat.tbi
%ProgramFiles(x86)%\idm\绿化.bat
%ProgramFiles(x86)%\idm\toolbar\pureflat\pureflat_small_hot.bmp
%ProgramFiles(x86)%\idm\toolbar\pureflat\pureflat_small.bmp
%ProgramFiles(x86)%\idm\toolbar\pureflat\pureflat_larg_hot.bmp
%ProgramFiles(x86)%\idm\toolbar\pureflat\pureflat_larg.bmp
%ProgramFiles(x86)%\idm\toolbar\h3m_glossy.tbi
%ProgramFiles(x86)%\idm\toolbar\h3m_glossy\h3m_glossy_small_normal.bmp
%ProgramFiles(x86)%\idm\toolbar\h3m_glossy\h3m_glossy_small_hot.bmp
%ProgramFiles(x86)%\idm\toolbar\h3m_glossy\h3m_glossy_large_normal.bmp
%WINDIR%\syswow64\drivers\set1e14.tmp
%ProgramFiles(x86)%\idm\idmtdi.inf
%ProgramFiles(x86)%\idm\idmtdi.cat
%ProgramFiles(x86)%\idm\idmshellext64.dll
%ProgramFiles(x86)%\idm\idmftype.dll
%ProgramFiles(x86)%\idm\idmftype.dat
%ProgramFiles(x86)%\idm\idmfsa.dll
%ProgramFiles(x86)%\idm\idmfc.dat
%ProgramFiles(x86)%\idm\idmcchandler7_64.dll
%ProgramFiles(x86)%\idm\idmcchandler7.dll
%ProgramFiles(x86)%\idm\idmcchandler2_64.dll
%ProgramFiles(x86)%\idm\idmcchandler2.dll
%ProgramFiles(x86)%\idm\idmbroker.exe
%ProgramFiles(x86)%\idm\idmbrbtn64.dll
%ProgramFiles(x86)%\idm\idmbrbtn.dll
%ProgramFiles(x86)%\idm\idmantypeinfo.tlb
%ProgramFiles(x86)%\idm\idman.exe
%ProgramFiles(x86)%\idm\globalerrors.log
%ProgramFiles(x86)%\idm\downlwithidm64.dll
%ProgramFiles(x86)%\idm\downlwithidm.dll
%ProgramFiles(x86)%\idm\defexclist.txt
%ProgramFiles(x86)%\idm\idmftype64.dll
%ProgramFiles(x86)%\idm\idmgcext.crx
%ProgramFiles(x86)%\idm\idmgcext59.crx
%ProgramFiles(x86)%\idm\idmgetall.dll
%ProgramFiles(x86)%\idm\idmopext.nex
%ProgramFiles(x86)%\idm\idmnetmon64.dll
%ProgramFiles(x86)%\idm\idmnetmon.dll
%ProgramFiles(x86)%\idm\idmmzcc7_64.dll
%ProgramFiles(x86)%\idm\idmmzcc7.dll
%ProgramFiles(x86)%\idm\idmmzcc3.xpi
%ProgramFiles(x86)%\idm\idmmzcc2.xpi
%ProgramFiles(x86)%\idm\idmmzcc.xpi
%ProgramFiles(x86)%\idm\idmmsghost.json
%ProgramFiles(x86)%\idm\idmmsghostmoz.json
%ProgramFiles(x86)%\idm\idmmsghost.exe
%ProgramFiles(x86)%\idm\idmmkb.dll
%ProgramFiles(x86)%\idm\idmintegrator64.exe
%ProgramFiles(x86)%\idm\idmindex.dll
%ProgramFiles(x86)%\idm\idmiecc64.dll
%ProgramFiles(x86)%\idm\idmiecc.dll
%ProgramFiles(x86)%\idm\idmgrhlp.exe
%ProgramFiles(x86)%\idm\idmgetall64.dll
%ProgramFiles(x86)%\idm\idmshellext.dll
%HOMEPATH%\desktop\internet download manager.lnk

Deletes the following files

%WINDIR%\temp\uddd3ad.tmp

Moves the following files

from <DRIVERS>\setcde1.tmp to <DRIVERS>\idmwfp.sys
from %WINDIR%\syswow64\drivers\set1e14.tmp to %WINDIR%\syswow64\drivers\idmwfp.sys

Network activity

TCP

HTTP GET requests

http://js##tup.com/update/install/data2.zip

HTTP POST requests

http://ho##soft.cn/api/report.asp

UDP

DNS ASK js##tup.com
DNS ASK ho##soft.cn

Miscellaneous

Searches for the following windows

ClassName: 'RegEdit_RegEdit' WindowName: ''
ClassName: '' WindowName: ''

Creates and executes the following

'%ProgramFiles(x86)%\idm\idman.exe' /rtr /setlngid 2052 /fulllngfile idm_chn2.lng
'%ProgramFiles(x86)%\idm\idmbroker.exe' -RegServer
'%ProgramFiles(x86)%\idm\uninstall.exe' -instdriv
'%WINDIR%\syswow64\cmd.exe' /c ""%ProgramFiles(x86)%\idm\绿化.bat" /s /S /SILENT /silent /quiet /noreboot /verysilent /sp /norestart /q /qn /SilentInstall"' (with hidden window)
'%WINDIR%\syswow64\regedit.exe' /s "%ProgramFiles(x86)%\idm\ref.reg"' (with hidden window)
'<SYSTEM32>\rundll32.exe' SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 %ProgramFiles(x86)%\idm\idmwfp.inf' (with hidden window)
'%WINDIR%\syswow64\net.exe' start IDMWFP' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""%ProgramFiles(x86)%\idm\绿化.bat" /s /S /SILENT /silent /quiet /noreboot /verysilent /sp /norestart /q /qn /SilentInstall"
'%WINDIR%\syswow64\regedit.exe' /s "%ProgramFiles(x86)%\idm\ref.reg"
'%WINDIR%\syswow64\reg.exe' query "HKU\S-1-5-19"
'<SYSTEM32>\rundll32.exe' SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 %ProgramFiles(x86)%\idm\idmwfp.inf
'<SYSTEM32>\runonce.exe' -r
'<SYSTEM32>\grpconv.exe' -o
'%WINDIR%\syswow64\net.exe' start IDMWFP
'%WINDIR%\syswow64\net1.exe' start IDMWFP
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\idm\IDMShellExt64.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\idm\IDMShellExt64.dll"
'%WINDIR%\syswow64\rundll32.exe' setupapi.dll,InstallHinfSection DefaultInstall 128 .\idmwfp.inf
'%WINDIR%\syswow64\runonce.exe' -r
'%WINDIR%\syswow64\grpconv.exe' -o
'%WINDIR%\syswow64\mshta.exe' VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Internet Download Manager.lnk""):b.TargetPath=""%ProgramFiles(x86)%\idm\IDMan.e...

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial