Trojan.Siggen9.55262

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\bddl server

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\bd0001] 'Start' = '00000001'
[<HKLM>\System\CurrentControlSet\Services\bd0001] 'ImagePath' = '<DRIVERS>\bd0001.sys'
[<HKLM>\SYSTEM\CurrentControlSet\Services\bd0001] 'ImagePath' = 'system32\DRIVERS\bd0001.sys'
[<HKLM>\System\CurrentControlSet\Services\bd0004] 'Start' = '00000001'
[<HKLM>\System\CurrentControlSet\Services\bd0004] 'ImagePath' = '<DRIVERS>\bd0004.sys'
[<HKLM>\SYSTEM\CurrentControlSet\Services\bd0004] 'ImagePath' = 'system32\DRIVERS\bd0004.sys'
[<HKLM>\System\CurrentControlSet\Services\BDArKit] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\BDArKit] 'ImagePath' = '<DRIVERS>\BDArKit.sys'
[<HKLM>\SYSTEM\CurrentControlSet\Services\BDArKit] 'ImagePath' = 'system32\DRIVERS\BDArKit.sys'
[<HKLM>\System\CurrentControlSet\Services\BDMWrench_x64] 'Start' = '00000001'
[<HKLM>\System\CurrentControlSet\Services\BDMWrench_x64] 'ImagePath' = '<DRIVERS>\BDMWrench_x64.sys'
[<HKLM>\SYSTEM\CurrentControlSet\Services\BDMWrench_x64] 'ImagePath' = 'system32\DRIVERS\BDMWrench_x64.sys'
[<HKLM>\System\CurrentControlSet\Services\bddlsvc] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\bddlsvc] 'ImagePath' = '"%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\bddlsvc.exe" -r'

Creates the following services

'bd0001' <DRIVERS>\bd0001.sys
'bd0004' <DRIVERS>\bd0004.sys
'BDArKit' <DRIVERS>\BDArKit.sys
'BDMWrench_x64' <DRIVERS>\BDMWrench_x64.sys
'bddlsvc' "%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\bddlsvc.exe" -r

Modifies file system

Creates the following files

%TEMP%\nsbaf14.tmp
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_14754.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_14744.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_14497.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_14000.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_13874.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_13598.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_13478.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_13442.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_13406.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12993.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12934.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12882.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12856.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12812.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12616.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12350.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12282.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12276.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_12035.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_11843.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_11838.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_11390.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_11383.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_11339.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_11043.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_15192.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_15752.png
%PROGRAMDATA%\application data\baidu\baidurjdownloader\config\4402.dat
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_16490.png
%PROGRAMDATA%\baidu\common\global.db
%WINDIR%\temp\uddcf60.tmp
<DRIVERS>\bdarkit.sys
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_41153.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_41143.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_41100.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_41065.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_40898.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_40805.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_40694.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_38200.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_35858.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_28111.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_28108.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_24655.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_23980.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_21211.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_20621.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_19412.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_19227.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_19130.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_17588.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_17519.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_17183.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_16988.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_10849.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_15501.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_10644.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\color_desc.clr
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\adtipsui.rdb
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\drivers\bdarkit.sys
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\iebdsofthelperplug.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\mindownload.ico
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\uninstaller.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bdhyserver.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\appopenastip.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\appupdatetips.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bddlsvc.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bdmnetgetinfo.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin_engine.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bdkitutils.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\drivermanager.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\appupdater.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\activityassistant.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bugreport.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\reportrecorddll.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\config.xml
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\basedll.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\protocoldll.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\reportdll.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\utilsdll.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bdrcdl.exe
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\dl.dll
%TEMP%\nsraf25.tmp\installhelper.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\color_adtips.clr
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\color_openastips.clr
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_10272.png
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\color_tips.clr
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\microsoft.vc80.crt\msvcr80.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\microsoft.vc80.crt\msvcp80.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\microsoft.vc80.crt\msvcm80.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\microsoft.vc80.crt\microsoft.vc80.crt.manifest
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\microsoft.vc80.atl\atl80.dll
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\microsoft.vc80.atl\microsoft.vc80.atl.manifest
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\updatetipsui.rdb
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\uninstui.rdb
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\tipsui.rdb
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\text_updatetips.str
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\text_uninst.str
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\text_tips.str
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\text_openastips.str
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\text_cn.str
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\text_adtips.str
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\openastipsui.rdb
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\haiyanui.rdb
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\font_updatetips.f
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\font_uninst.f
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\font_tips.f
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\font_openastips.f
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\font_desc.f
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\font_adtips.f
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\color_updatetips.clr
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\skin\color_uninst.clr
%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\hysofticons\10001_10547.png
%PROGRAMDATA%\application data\baidu\baidurjdownloader\config\106.dat

Deletes the following files

%WINDIR%\temp\uddcf60.tmp
%TEMP%\nsraf25.tmp\installhelper.dll

Network activity

Connects to

'up.##.baidu.com':80

TCP

'localhost':49172
'localhost':49175
'localhost':49180
'localhost':49183
'localhost':49187

UDP

DNS ASK dr.##.baidu.com
DNS ASK cf#.####load.iyuntian.com
DNS ASK rc.#####oad.iyuntian.com
DNS ASK hb.##.baidu.com
DNS ASK up.##.baidu.com
DNS ASK dt##.###nload.iyuntian.com
DNS ASK p2#.###nload.baidu.com
DNS ASK re##.###nload.iyuntian.com
DNS ASK tk.#####oad.iyuntian.com
DNS ASK ut#.####load.iyuntian.com

Miscellaneous

Searches for the following windows

ClassName: 'abc' WindowName: 'abc'

Creates and executes the following

'%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bdrcdl.exe' <Full path to file>
'%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bddlsvc.exe' -i
'%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bddlsvc.exe' -s
'%ProgramFiles(x86)%\baidu\baidurjdownloader\2.0.0.257\bddlsvc.exe' -r
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Create /tn "BDDL Server" /tr "'%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\AppUpdater.exe' schtask" /sc MINUTE /mo 30 /rl Highest /F' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Create /tn "BDDL Server" /tr "'%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\AppUpdater.exe' schtask" /sc MINUTE /mo 30 /rl Highest' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C schtasks /Create /tn "BDDL Server" /tr "'%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\AppUpdater.exe' schtask" /sc MINUTE /mo 30 /rl Highest /F
'%WINDIR%\syswow64\schtasks.exe' /Create /tn "BDDL Server" /tr "'%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\AppUpdater.exe' schtask" /sc MINUTE /mo 30 /rl Highest /F
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Create /tn "BDDL Server" /tr "'%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\AppUpdater.exe' schtask" /sc MINUTE /mo 30 /rl Highest
'%WINDIR%\syswow64\schtasks.exe' /Create /tn "BDDL Server" /tr "'%ProgramFiles(x86)%\baidu\BaiduRJDownloader\2.0.0.257\AppUpdater.exe' schtask" /sc MINUTE /mo 30 /rl Highest

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial