Technical Information
- [<HKLM>\Software\Classes\Microsoft.PowerShellScript.1\Shell\Open\Command] '' = '<SYSTEM32>\windowspowershell\v1.0\powershell.exe "%1"'
- <SYSTEM32>\tasks\_winbuff
- hidden files
- file extensions
- System Restore (SR)
- Windows Action Center
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=UtilitaWinBuff dir=in action=allow program=%WINDIR%\_DckWB\_WinBuff.ps1 enable=yes
- %HOMEPATH%\documents\windowspowershell\microsoft.powershell_profile.ps1
- %WINDIR%\_dckwb\log\dejmoybq.txt
- 'se##.winbuff.ru':21
- DNS ASK se##.winbuff.ru
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- '<SYSTEM32>\systeminfo.exe'
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\regfile\shell\print /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{19170A69-A883-40D5-AF97-F6DC41495F15} /f
- '<SYSTEM32>\reg.exe' delete "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Открыть CCleaner..." /f
- '<SYSTEM32>\reg.exe' delete "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Открыть CCleaner" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Запустить CCleaner" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RESFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSFFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMDFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\regfile\shell\edit\command /ve /t reg_expand_sz /d "%USERPROFILE%\YandexDisk\_\_Portable\Sublime Text Build\sublime_text.exe %1" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BATFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TXTFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45e1-88C2-48DC4578924C} /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\Yandex.Disk /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.webm\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.mpg\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.flv\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.mkv\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.mp4\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.jpg\Shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\REGFile\Shell\Print /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\batfile\shell\edit\command /ve /t reg_expand_sz /d "%USERPROFILE%\YandexDisk\_\_Portable\Sublime Text Build\sublime_text.exe %1" /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\cmdfile\shell\edit\command /ve /t reg_expand_sz /d "%USERPROFILE%\YandexDisk\_\_Portable\Sublime Text Build\sublime_text.exe %1" /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.ps1 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings /v ActiveHoursEnd /t reg_dword /d 2 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings /v ActiveHoursStart /t reg_dword /d 8 /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run /v "Wondershare Helper Compact.exe" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run /v "Acrobat Assistant 8.0" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run /v vmware-tray.exe /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run /v "Live Update" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Wondershare Helper Compact.exe" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AdobeAAMUpdater-1.0 /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AdobeGCInvoker-1.0 /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SunJavaUpdateSched /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RtkAudUService /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Xear3DEX_P960 /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v P960Sound /f
- '<SYSTEM32>\reg.exe' delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "CCleaner Smart Cleaning" /f
- '<SYSTEM32>\reg.exe' delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /f
- '<SYSTEM32>\reg.exe' delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDrive /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\runas /v HasLUAShield /t reg_sz /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\Microsoft.PowershellScript.1\Shell\runas\command /ve /t reg_sz /d "<SYSTEM32>\windowspowershell\v1.0\powershell.exe ""%1""" /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\Open /v HasLUAShield /t reg_sz /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\Open\Command /ve /t reg_sz /d "<SYSTEM32>\windowspowershell\v1.0\powershell.exe ""%1""" /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\Edit\Command /ve /t reg_expand_sz /d "%USERPROFILE%\YandexDisk\_\_Portable\Sublime Text Build\sublime_text.exe %1" /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0 /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\SystemFileAssociations\.mp3\Shell\MediaInfo /f
- '<SYSTEM32>\powercfg.exe' -hibernate off
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\MediaInfo /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Drive\shell\mplayerc64.enqueue /f
- '<SYSTEM32>\netsh.exe' interface set interface "name=Беспроводная сеть 2" "newname=WLan II"
- '<SYSTEM32>\netsh.exe' interface set interface "name=Беспроводная сеть" newname=WLan
- '<SYSTEM32>\netsh.exe' interface set interface "name=Беспроводное подключение 2" "newname=WLаn II"
- '<SYSTEM32>\netsh.exe' interface set interface "name=Беспроводное подключение" newname=WLаn
- '<SYSTEM32>\netsh.exe' interface set interface "name=Подключение по локальной сети 2" "newname=Lаn II"
- '<SYSTEM32>\netsh.exe' interface set interface "name=Подключение по локальной сети" newname=Lаn
- '<SYSTEM32>\netsh.exe' interface set interface "name=Ethernet 2" "newname=Lan II"
- '<SYSTEM32>\netsh.exe' interface set interface name=Ethernet newname=Lan
- '<SYSTEM32>\netsh.exe' int tcp set global autotuninglevel=highlyrestricted
- '<SYSTEM32>\netsh.exe' int tcp set global autotuning=highlyrestricted
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer /v EnableAutoTray /t reg_dword /d 0 /f
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '%WINDIR%\regedit.exe' /s %WINDIR%\_DckWB\Settings_MPC.reg
- '%WINDIR%\regedit.exe' /s %WINDIR%\_DckWB\PowerShell.reg
- '%WINDIR%\regedit.exe' /s %WINDIR%\_DckWB\Pool.reg
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CLASSES_ROOT\exefile /v PreviewDetails /t reg_SZ /d prop:System.DateModified#System.Size#System.DateCreated#FileVersion#FileDescription#*Company /f
- '<SYSTEM32>\label.exe' Windows 7 [x64]
- '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /For=C: /On=C: /MaxSize=15GB
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointCreationFrequency /t reg_dword /d 7200 /f
- '<SYSTEM32>\schtasks.exe' /create /tn _WinBuff /xml %WINDIR%\_DckWB\_WinBuff.xml /f
- '<SYSTEM32>\schtasks.exe' /create /tn _WinBuff /tr "<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe -File %WINDIR%\_DckWB\\_WinBuff.ps1" /sc ONLOGON /rl Highest /f
- '%WINDIR%\regedit.exe' /s %WINDIR%\_DckWB\Settings_7z.reg
- '<SYSTEM32>\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\MsConfig" /v NoRebootUI /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t reg_dword /d 0 /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Directory\shell\mplayerc64.play /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Directory\shell\mplayerc64.enqueue /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\PackagedCom\ClassIndex\{776DBC8D-7347-478C-8D71-791E12EF49D8} /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\*\shell\ShareWithSkype /f
- '<SYSTEM32>\reg.exe' delete "HKEY_CLASSES_ROOT\*\shell\Open with Notepad" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_CLASSES_ROOT\*\shell\Открыть в блокноте" /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\notepad.exe /f
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\notepad /f
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\Browse with FastStone" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\Browse with FastStone" /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\CLSID\{6C467336-8281-4E60-8204-430CED96822D} /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Directory\background\shellex\ContextMenuHandlers\NvCplDesktopContext /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\igfxDTCM /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\igfxcui /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\WinRAR32 /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR32 /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v VerboseStatus /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v IgnoreRemoteKeyboardLayout /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /v FullPath /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SeparateProcess /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v AutoCheckSelect /t reg_dword /d 1 /f
- '<SYSTEM32>\reg.exe' delete HKEY_CLASSES_ROOT\Drive\shell\mplayerc64.play /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices /v \DosDevices\S: /t REG_BINARY /d 912830f20000100000000000 /f