Trojan.MulDrop5.46226

Technical Information

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icvsetup.exe' = '%WINDIR%\incops3\icvsetup.exe:*:Enabled:INCOPS VACCINE'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\ivpatch.exe' = '%WINDIR%\incops3\ivpatch.exe:*:Enabled:INCOPS UPDATE'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icvupdo.exe' = '%WINDIR%\incops3\icvupdo.exe:*:Enabled:INCOPS VERUP'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icvsetup.exe' = '%WINDIR%\incops3\icvsetup.exe:*:Enabled:INCOPS VACCINE'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pc_mail.exe' = '%WINDIR%\incops3\pc_mail.exe:*:Enabled:INCOPS PC-MAIL'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pcftp.exe' = '%WINDIR%\incops3\pcftp.exe:*:Enabled:INCOPS PCFTP'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\ivpatch.exe' = '%WINDIR%\incops3\ivpatch.exe:*:Enabled:INCOPS UPDATE'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pc_mail.exe' = '%WINDIR%\incops3\pc_mail.exe:*:Enabled:INCOPS PC-MAIL'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icvupdo.exe' = '%WINDIR%\incops3\icvupdo.exe:*:Enabled:INCOPS VERUP'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\wpatchdn.exe' = '%WINDIR%\incops3\wpatchdn.exe:*:Enabled:INCOPS WPSIG'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\wpatchdn.exe' = '%WINDIR%\incops3\wpatchdn.exe:*:Enabled:INCOPS WPSIG'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pmsAgent.exe' = '%WINDIR%\incops3\pmsAgent.exe:*:Enabled:INCOPS PMS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pmsAgent.exe' = '%WINDIR%\incops3\pmsAgent.exe:*:Enabled:INCOPS PMS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\wpatchdo.exe' = '%WINDIR%\incops3\wpatchdo.exe:*:Enabled:INCOPS WPDLG'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\wpatchdo.exe' = '%WINDIR%\incops3\wpatchdo.exe:*:Enabled:INCOPS WPDLG'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\wpatchrb.exe' = '%WINDIR%\incops3\wpatchrb.exe:*:Enabled:INCOPS WPRBT'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\wpatchrb.exe' = '%WINDIR%\incops3\wpatchrb.exe:*:Enabled:INCOPS WPRBT'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\forcemon.exe' = '%WINDIR%\incops3\forcemon.exe:*:Enabled:INCOPS FM'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\forcemon.exe' = '%WINDIR%\incops3\forcemon.exe:*:Enabled:INCOPS FM'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\incops3.exe' = '%WINDIR%\incops3\incops3.exe:*:Enabled:INCOPS III'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\incops3.exe' = '%WINDIR%\incops3\incops3.exe:*:Enabled:INCOPS III'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pcdist.exe' = '%WINDIR%\incops3\pcdist.exe:*:Enabled:INCOPS DIST'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pcdist.exe' = '%WINDIR%\incops3\pcdist.exe:*:Enabled:INCOPS DIST'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\ic3fd.exe' = '%WINDIR%\incops3\ic3fd.exe:*:Enabled:INCOPS FILE-DOWN'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\ic3fd.exe' = '%WINDIR%\incops3\ic3fd.exe:*:Enabled:INCOPS FILE-DOWN'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icsng.exe' = '%WINDIR%\incops3\icsng.exe:*:Enabled:INCOPS IS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pc2links.exe' = '%WINDIR%\incops3\pc2links.exe:*:Enabled:INCOPS PC2LINKS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pc2link.exe' = '%WINDIR%\incops3\pc2link.exe:*:Enabled:INCOPS PC2LINK'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pcftp.exe' = '%WINDIR%\incops3\pcftp.exe:*:Enabled:INCOPS PCFTP'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pc2links.exe' = '%WINDIR%\incops3\pc2links.exe:*:Enabled:INCOPS PC2LINKS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icourl.exe' = '%WINDIR%\incops3\icourl.exe:*:Enabled:INCOPS IU'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icsng.exe' = '%WINDIR%\incops3\icsng.exe:*:Enabled:INCOPS IS'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\incops3\pc2link.exe' = '%WINDIR%\incops3\pc2link.exe:*:Enabled:INCOPS PC2LINK'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\incops3\icourl.exe' = '%WINDIR%\incops3\icourl.exe:*:Enabled:INCOPS IU'

Creates and executes the following:

'%WINDIR%\INCOPS3\xpsp2fw.exe'

Modifies file system :

Creates the following files:

%WINDIR%\INCOPS3\VUP2.tmp
%WINDIR%\INCOPS3\VUP3.tmp
%TEMP%\ic3dec.dll
%TEMP%\REP1.tmp

Deletes the following files:

%WINDIR%\INCOPS3\xpsp2fw.ini
%TEMP%\ic3dec.dll
%TEMP%\REP1.tmp
%WINDIR%\INCOPS3\xpsp2fw.exe

Moves the following files:

from %WINDIR%\INCOPS3\VUP3.tmp to %WINDIR%\INCOPS3\xpsp2fw.ini
from %WINDIR%\INCOPS3\VUP2.tmp to %WINDIR%\INCOPS3\xpsp2fw.exe

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial