Trojan.DownLoader11.16707

Added to the Dr.Web virus database: 2014-06-14

Virus description added: 2014-06-14

Technical Information

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Mnying\Mnying.exe' = '%PROGRAM_FILES%\Mnying\Mnying.exe:*:Enabled:ГАЕ®УЄ'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\kele\tjjrfx_70745.exe' = '%PROGRAM_FILES%\kele\tjjrfx_70745.exe:*:Enabled:百度卫士在线安装程序'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\kele\tjjrfx_70745.exe' = '%PROGRAM_FILES%\kele\tjjrfx_70745.exe:*:Enabled:百度卫士在线安装程序'

Creates and executes the following:

'%PROGRAM_FILES%\kele\yunboplayer.exe'
'%PROGRAM_FILES%\Mnying\Mnying.exe' /A
'%PROGRAM_FILES%\kele\pczh_107_306.exe'
'%PROGRAM_FILES%\kele\tjjrfx_70745.exe'
'%PROGRAM_FILES%\kele\-8670_360_MM.exe'

Executes the following:

'<SYSTEM32>\taskkill.exe' /F /im mvhd.exe

Modifies file system :

Creates the following files:

%TEMP%\nsoA.tmp\Mnying.exe
%TEMP%\nse6.tmp\System.dll
%TEMP%\nstB.tmp\Base64.dll
%TEMP%\nstB.tmp\System.dll
%TEMP%\nse6.tmp\res\onlineWnd.zip
%TEMP%\nse6.tmp\BDMDownload.dll
%TEMP%\nse6.tmp\dl.dll
%TEMP%\nse6.tmp\BDMSkin.dll
%TEMP%\nstB.tmp\NSISdl.dll
%PROGRAM_FILES%\kele\uboskin\skin\tv.jpg
%PROGRAM_FILES%\kele\uboskin\skin\zb.jpg
%PROGRAM_FILES%\kele\uboskin\skin\min.jpg
%PROGRAM_FILES%\kele\uboskin\skin\pk.jpg
%HOMEPATH%\Desktop\ЛС№·µјєЅ.lnk
%TEMP%\nsh9.tmp
%TEMP%\nsoA.tmp\System.dll
%HOMEPATH%\Desktop\2345µјєЅ.lnk
%TEMP%\nst5.tmp
%PROGRAM_FILES%\Mnying\Mnying.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tongji0606[1].php
%ALLUSERSPROFILE%\Application Data\Baidu\Common\Global.db
%ALLUSERSPROFILE%\Start Menu\Programs\ГАЕ®УЄ\Р¶ФШГАЕ®УЄ.lnk
%ALLUSERSPROFILE%\Desktop\ГАЕ®УЄ.lnk
%PROGRAM_FILES%\ainqngz4.0\Ainqngz4.0.exe
%HOMEPATH%\AppData\LocalLow\Mnying\Fav9.dat
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\70745[1]
%PROGRAM_FILES%\ainqngz4.0\uninstall.exe
%PROGRAM_FILES%\ainqngz4.0\fdcard.exe
%PROGRAM_FILES%\Mnying\mvyy.exe
%PROGRAM_FILES%\Mnying\usst.exe
%TEMP%\nse6.tmp\hu.dll
%TEMP%\nse6.tmp\BDLogicUtils.dll
%TEMP%\nse6.tmp\BDMNetGetInfo.dll
%HOMEPATH%\Templates\5201461757110\YYM_955WD30.gif
%ALLUSERSPROFILE%\Start Menu\Programs\ГАЕ®УЄ\ГАЕ®УЄ.lnk
%TEMP%\nse6.tmp\tmppm4bkx.dll
%PROGRAM_FILES%\Mnying\ГАЕ®УЄ.lnk
%PROGRAM_FILES%\kele\tjjrfx_70745.exe
%PROGRAM_FILES%\kele\ubohe.db
%PROGRAM_FILES%\kele\sg1.ico
%PROGRAM_FILES%\kele\tj.txt
%PROGRAM_FILES%\kele\yunboplayer.exe
%PROGRAM_FILES%\kele\uboskin\icon.ico
%PROGRAM_FILES%\kele\uboskin\uboplaylist.xml
%PROGRAM_FILES%\kele\ЛС№·µјєЅ.url
%PROGRAM_FILES%\kele\uboskin\config.ini
%TEMP%\nsb3.tmp\NSISdl.dll
%TEMP%\nsb3.tmp\open
%TEMP%\nsv2.tmp
%TEMP%\nsb3.tmp\System.dll
%PROGRAM_FILES%\kele\-8670_360_MM.exe
%PROGRAM_FILES%\kele\link.txt
%PROGRAM_FILES%\kele\pczh_107_306.exe
%PROGRAM_FILES%\kele\2345µјєЅ.url
%PROGRAM_FILES%\kele\ie.ico
%PROGRAM_FILES%\kele\uboskin\app\loading.html
%PROGRAM_FILES%\kele\uboskin\skin\list.jpg
%PROGRAM_FILES%\kele\uboskin\skin\logo.jpg
%PROGRAM_FILES%\kele\uboskin\skin\dibulan.jpg
%PROGRAM_FILES%\kele\uboskin\skin\hp.jpg
%PROGRAM_FILES%\kele\uboskin\skin\logo.tif
%PROGRAM_FILES%\kele\uboskin\skin\max-2.jpg
%PROGRAM_FILES%\kele\uboskin\skin\menu.jpg
%PROGRAM_FILES%\kele\uboskin\skin\lt.jpg
%PROGRAM_FILES%\kele\uboskin\skin\max-1.jpg
%PROGRAM_FILES%\kele\uboskin\html\loading.html
%PROGRAM_FILES%\kele\uboskin\html\loading.swf
%PROGRAM_FILES%\kele\uboskin\app\loading.swf
%PROGRAM_FILES%\kele\uboskin\html\gbook.html
%PROGRAM_FILES%\kele\uboskin\html\logo.gif
%PROGRAM_FILES%\kele\uboskin\skin\biaotilan.jpg
%PROGRAM_FILES%\kele\uboskin\skin\bj.jpg
%PROGRAM_FILES%\kele\uboskin\skin\Close.jpg
%PROGRAM_FILES%\kele\uboskin\skin\bf.jpg

Deletes the following files:

%TEMP%\nstB.tmp\Base64.dll
%HOMEPATH%\Templates\5201461757110\YYM_955WD30.gif
%TEMP%\nstB.tmp\NSISdl.dll
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\70745[1]
%TEMP%\nstB.tmp\System.dll
%TEMP%\nsb3.tmp\open
%TEMP%\nsb3.tmp\NSISdl.dll
%TEMP%\nsb3.tmp\System.dll
%TEMP%\nsoA.tmp\System.dll
%TEMP%\nsoA.tmp\Mnying.exe

Network activity:

Connects to:

'tj.##ccms.net':80
'12#.#25.114.144':80
'up####.aiqingzhihui.com':80
'pp#.#dsbw.cn':80
'localhost':1037

TCP:

HTTP GET requests:

tj.##ccms.net/tongji0606.php?fl######################################################################################################################
12#.#25.114.144/api/openapi/json_get_weishi_down_url_v1/70745
pp#.#dsbw.cn/app.txt
up####.aiqingzhihui.com/0403/help1.html

UDP:

DNS ASK we#.#ny8.com
DNS ASK tj#.mny8.cn
DNS ASK tj###.mny8.cn
DNS ASK we####.baidu.com
DNS ASK up####.aiqingzhihui.com
DNS ASK pp#.#dsbw.cn
DNS ASK p.#.#aidu.com
DNS ASK tj.##ccms.net
'tj###.mny8.cn':8202

Miscellaneous:

Searches for the following windows:

ClassName: '#32770' WindowName: '(null)'
ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
ClassName: 'BDMOnLineWnd' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: '(null)' WindowName: '(null)'

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial