Trojan.DownLoader9.7609

Added to the Dr.Web virus database: 2013-05-14

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'vip' = 'c:\winnt\system32\micros\vv.bat'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'win32x' = 'c:\winnt\system32\micros\svhost.exe'
  • [<HKLM>\SOFTWARE\Classes\ChatFile\Shell\open\command] '' = '"c:\winnt\system32\micros\svhost.exe"'
  • [<HKLM>\SOFTWARE\Classes\APD\Shell\open\command] '' = '"c:\winnt\system32\micros\svhost.exe"'
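The persistence above combines two Run-key entries with hijacked shell\open\command handlers for the ChatFile and APD file types, all pointing into c:\winnt\system32\micros\ and using a lookalike name (svhost.exe imitating svchost.exe). The Python below is an added example, not code from Dr.Web or from this page, showing how to hunt for that pattern in the text output of `reg query <key> /s`: it parses the export and flags autorun entries that launch a script, image names one edit away from a real Windows binary name, and file-type handlers that never pass the opened document (%1) to their command. The export embedded in the block is constructed; the benign SecurityHealth and txtfile entries are made up to show what is not flagged, and the three heuristics are this example's assumptions, not something the report states.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of `reg query <key> /s` output (not a real export). The
# vip, win32x and ChatFile entries mirror the report; SecurityHealth and
# txtfile are made-up benign entries to show what the checks leave alone.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    vip    REG_SZ    c:\winnt\system32\micros\vv.bat
    win32x    REG_SZ    c:\winnt\system32\micros\svhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
    (Default)    REG_SZ    "c:\winnt\system32\micros\svhost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\NOTEPAD.EXE %1
"""

# Windows binaries whose names malware likes to imitate (assumed list; extend it).
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe",
                   "winlogon.exe", "explorer.exe", "spoolsv.exe"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1")


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list = field(default_factory=list)


def parse_reg_query(text):
    """Yield (key, value_name, data) triples from `reg query ... /s` text output.
    Key paths start at column 0; values are indented as `name  type  data`."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")):
            key = raw.strip()
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield key, parts[0], parts[2]


def command_image(data):
    """Executable path from a command string: the quoted token if quoted, else the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def edit_distance(a, b):
    """Levenshtein distance, used to catch svhost.exe-style near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(basename):
    """True for a name one edit away from a system binary that is not the real one."""
    b = basename.lower()
    return b not in SYSTEM_BINARIES and any(edit_distance(b, s) == 1 for s in SYSTEM_BINARIES)


def hunt(text):
    """Return Findings for suspicious autorun entries and file-type handlers."""
    findings = []
    for key, name, data in parse_reg_query(text):
        k = key.lower()
        base = command_image(data).rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\currentversion\\run" in k and base.endswith(SCRIPT_EXTENSIONS):
            reasons.append("autorun entry launches a script")
        if is_lookalike(base):
            reasons.append(f"image name {base} imitates a Windows system binary")
        if k.endswith("\\shell\\open\\command") and "%1" not in data:
            reasons.append("file-type handler never receives the opened file (%1)")
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG_EXPORT):
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {'; '.join(f.reasons)}")
```

On a live host, feed hunt() the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s`, the same key under HKCU and WOW6432Node, and a `/s` dump of HKLM\SOFTWARE\Classes. The missing-%1 check is a triage signal rather than a verdict, because a few legitimate handlers (DDE-based ones, for instance) also omit it.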
Malicious functions:
Creates and executes the following:
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r "copy.bat"
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r "vv.bat"
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r "tftp4nt.exe -install"
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r "tftpsrv.exe"
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r "v.bat"
  • 'C:\winnt\system32\micros\svhost.exe'
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r svhost.exe
  • 'C:\winnt\system32\micros\secure.exe' /n /fh UPDATE
  • 'C:\winnt\system32\micros\secure.exe' /n /fh /r "ft.bat"
  • 'C:\winnt\system32\micros\ownage.exe'
Executes the following:
  • '<SYSTEM32>\net.exe' stop Iface.exe /y
  • '<SYSTEM32>\net1.exe' stop Icsuppnt.exe /y
  • '<SYSTEM32>\net.exe' stop Icsuppnt.exe /y
  • '<SYSTEM32>\net1.exe' stop Iface.exe /y
  • '<SYSTEM32>\net.exe' stop IOMON98 /y
  • '<SYSTEM32>\net1.exe' stop Internet Alert 99 /y
  • '<SYSTEM32>\net.exe' stop Internet Alert 99 /y
  • '<SYSTEM32>\net1.exe' stop Icsupp95.exe /y
  • '<SYSTEM32>\net.exe' stop ICMON /y
  • '<SYSTEM32>\net1.exe' stop Icloadnt.exe /y
  • '<SYSTEM32>\net.exe' stop Icloadnt.exe /y
  • '<SYSTEM32>\net1.exe' stop ICMON /y
  • '<SYSTEM32>\net.exe' stop Icsupp95.exe /y
  • '<SYSTEM32>\net1.exe' stop Icmon.exe /y
  • '<SYSTEM32>\net.exe' stop Icmon.exe /y
  • '<SYSTEM32>\net1.exe' stop Look'n'Stop /y
  • '<SYSTEM32>\net.exe' stop Look'n'Stop /y
  • '<SYSTEM32>\net1.exe' stop Lockdown2000.exe /y
  • '<SYSTEM32>\net.exe' stop Look'n'Stop Lite /y
  • '<SYSTEM32>\net1.exe' stop Lookout.exe /y
  • '<SYSTEM32>\net.exe' stop Lookout.exe /y
  • '<SYSTEM32>\net1.exe' stop Look'n'Stop Lite /y
  • '<SYSTEM32>\net.exe' stop Lockdown2000.exe /y
  • '<SYSTEM32>\net1.exe' stop Iomon98.exe /y
  • '<SYSTEM32>\net.exe' stop Iomon98.exe /y
  • '<SYSTEM32>\net1.exe' stop IOMON98 /y
  • '<SYSTEM32>\net.exe' stop Jedi.exe /y
  • '<SYSTEM32>\net1.exe' stop LOCKDOWN2000 /y
  • '<SYSTEM32>\net.exe' stop LOCKDOWN2000 /y
  • '<SYSTEM32>\net1.exe' stop Jedi.exe /y
  • '<SYSTEM32>\net.exe' stop Frw.exe /y
  • '<SYSTEM32>\net1.exe' stop Freedom 2 /y
  • '<SYSTEM32>\net.exe' stop Freedom 2 /y
  • '<SYSTEM32>\net1.exe' stop Frw.exe /y
  • '<SYSTEM32>\net.exe' stop F-Stopw.exe /y
  • '<SYSTEM32>\net1.exe' stop F-STOPW /y
  • '<SYSTEM32>\net.exe' stop F-STOPW /y
  • '<SYSTEM32>\net1.exe' stop Fp-Win.exe /y
  • '<SYSTEM32>\net.exe' stop F-Prot95.exe /y
  • '<SYSTEM32>\net1.exe' stop F-PROT95 /y
  • '<SYSTEM32>\net.exe' stop F-PROT95 /y
  • '<SYSTEM32>\net1.exe' stop F-Prot95.exe /y
  • '<SYSTEM32>\net.exe' stop Fp-Win.exe /y
  • '<SYSTEM32>\net1.exe' stop FP-WIN /y
  • '<SYSTEM32>\net.exe' stop FP-WIN /y
  • '<SYSTEM32>\net1.exe' stop Ibmasn.exe /y
  • '<SYSTEM32>\net.exe' stop Ibmasn.exe /y
  • '<SYSTEM32>\net1.exe' stop Iamserv.exe /y
  • '<SYSTEM32>\net.exe' stop Ibmavsp.exe /y
  • '<SYSTEM32>\net1.exe' stop Icload95.exe /y
  • '<SYSTEM32>\net.exe' stop Icload95.exe /y
  • '<SYSTEM32>\net1.exe' stop Ibmavsp.exe /y
  • '<SYSTEM32>\net.exe' stop Iamserv.exe /y
  • '<SYSTEM32>\net1.exe' stop GNAT Box Lite /y
  • '<SYSTEM32>\net.exe' stop GNAT Box Lite /y
  • '<SYSTEM32>\net1.exe' stop F-Stopw.exe /y
  • '<SYSTEM32>\net.exe' stop IAMAPP /y
  • '<SYSTEM32>\net1.exe' stop Iamapp.exe /y
  • '<SYSTEM32>\net.exe' stop Iamapp.exe /y
  • '<SYSTEM32>\net1.exe' stop IAMAPP /y
  • '<SYSTEM32>\net.exe' stop NeoWatch /y
  • '<SYSTEM32>\net1.exe' stop Navwnt.exe /y
  • '<SYSTEM32>\net.exe' stop Navwnt.exe /y
  • '<SYSTEM32>\net1.exe' stop NeoWatch /y
  • '<SYSTEM32>\net.exe' stop NISUM /y
  • '<SYSTEM32>\net1.exe' stop NISSERV /y
  • '<SYSTEM32>\net.exe' stop NISSERV /y
  • '<SYSTEM32>\net1.exe' stop NAVWNT /y
  • '<SYSTEM32>\net.exe' stop NAVW32 /y
  • '<SYSTEM32>\net1.exe' stop NAVRUNR /y
  • '<SYSTEM32>\net.exe' stop NAVRUNR /y
  • '<SYSTEM32>\net1.exe' stop NAVW32 /y
  • '<SYSTEM32>\net.exe' stop NAVWNT /y
  • '<SYSTEM32>\net1.exe' stop Navw32.exe /y
  • '<SYSTEM32>\net.exe' stop Navw32.exe /y
  • '<SYSTEM32>\net1.exe' stop Normist.exe /y
  • '<SYSTEM32>\net.exe' stop Normist.exe /y
  • '<SYSTEM32>\net1.exe' stop Norman Personal Firewall /y
  • '<SYSTEM32>\net.exe' stop NORTON /y
  • '<SYSTEM32>\net1.exe' stop Norton AntiVirus Server /y
  • '<SYSTEM32>\net.exe' stop Norton AntiVirus Server /y
  • '<SYSTEM32>\net1.exe' stop NORTON /y
  • '<SYSTEM32>\net.exe' stop Norman Personal Firewall /y
  • '<SYSTEM32>\net1.exe' stop Nisum.exe /y
  • '<SYSTEM32>\net.exe' stop Nisum.exe /y
  • '<SYSTEM32>\net1.exe' stop NISUM /y
  • '<SYSTEM32>\net.exe' stop NMAIN /y
  • '<SYSTEM32>\net1.exe' stop Nmain.exe /y
  • '<SYSTEM32>\net.exe' stop Nmain.exe /y
  • '<SYSTEM32>\net1.exe' stop NMAIN /y
  • '<SYSTEM32>\net.exe' stop McAfee Internet Guard Dog Pro /y
  • '<SYSTEM32>\net1.exe' stop McAfee Firewall /y
  • '<SYSTEM32>\net.exe' stop McAfee Firewall /y
  • '<SYSTEM32>\net1.exe' stop McAfee Internet Guard Dog Pro /y
  • '<SYSTEM32>\net.exe' stop Mpftray.exe /y
  • '<SYSTEM32>\net1.exe' stop Moolive.exe /y
  • '<SYSTEM32>\net.exe' stop Moolive.exe /y
  • '<SYSTEM32>\net1.exe' stop MCAFEE /y
  • '<SYSTEM32>\net.exe' stop Luall.exe /y
  • '<SYSTEM32>\net1.exe' stop LUALL /y
  • '<SYSTEM32>\net.exe' stop LUALL /y
  • '<SYSTEM32>\net1.exe' stop Luall.exe /y
  • '<SYSTEM32>\net.exe' stop MCAFEE /y
  • '<SYSTEM32>\net1.exe' stop LUCOMSERVER /y
  • '<SYSTEM32>\net.exe' stop LUCOMSERVER /y
  • '<SYSTEM32>\net1.exe' stop NAVLU32 /y
  • '<SYSTEM32>\net.exe' stop NAVLU32 /y
  • '<SYSTEM32>\net1.exe' stop Navapw32.exe /y
  • '<SYSTEM32>\net.exe' stop Navlu32.exe /y
  • '<SYSTEM32>\net1.exe' stop Navnt.exe /y
  • '<SYSTEM32>\net.exe' stop Navnt.exe /y
  • '<SYSTEM32>\net1.exe' stop Navlu32.exe /y
  • '<SYSTEM32>\net.exe' stop Navapw32.exe /y
  • '<SYSTEM32>\net1.exe' stop N32scanw.exe /y
  • '<SYSTEM32>\net.exe' stop N32scanw.exe /y
  • '<SYSTEM32>\net1.exe' stop Mpftray.exe /y
  • '<SYSTEM32>\net.exe' stop NAVAPSVC /y
  • '<SYSTEM32>\net1.exe' stop NAVAPW32 /y
  • '<SYSTEM32>\net.exe' stop NAVAPW32 /y
  • '<SYSTEM32>\net1.exe' stop NAVAPSVC /y
  • '<SYSTEM32>\net1.exe' stop F-Prot.exe /y
  • '<SYSTEM32>\net1.exe' stop AVP32 /y
  • '<SYSTEM32>\net.exe' stop AVP32 /y
  • '<SYSTEM32>\net1.exe' stop Avp.exe /y
  • '<SYSTEM32>\net.exe' stop Avp32.exe /y
  • '<SYSTEM32>\net1.exe' stop Avpcc.exe /y
  • '<SYSTEM32>\net.exe' stop Avpcc.exe /y
  • '<SYSTEM32>\net1.exe' stop Avp32.exe /y
  • '<SYSTEM32>\net.exe' stop Avp.exe /y
  • '<SYSTEM32>\net1.exe' stop Avgctrl.exe /y
  • '<SYSTEM32>\net.exe' stop Avgctrl.exe /y
  • '<SYSTEM32>\net1.exe' stop Ave32.exe /y
  • '<SYSTEM32>\net.exe' stop Avkserv.exe /y
  • '<SYSTEM32>\net1.exe' stop Avnt.exe /y
  • '<SYSTEM32>\net.exe' stop Avnt.exe /y
  • '<SYSTEM32>\net1.exe' stop Avkserv.exe /y
  • '<SYSTEM32>\net.exe' stop AVSync Manager /y
  • '<SYSTEM32>\net1.exe' stop Avsched32.exe /y
  • '<SYSTEM32>\net.exe' stop Avsched32.exe /y
  • '<SYSTEM32>\net1.exe' stop AVSync Manager /y
  • '<SYSTEM32>\net.exe' stop Avwin95.exe /y
  • '<SYSTEM32>\net1.exe' stop AVSYNMGR /y
  • '<SYSTEM32>\net.exe' stop AVSYNMGR /y
  • '<SYSTEM32>\net1.exe' stop Avpupd.exe /y
  • '<SYSTEM32>\net.exe' stop Avpm.exe /y
  • '<SYSTEM32>\net1.exe' stop Avpdos32.exe /y
  • '<SYSTEM32>\net.exe' stop Avpdos32.exe /y
  • '<SYSTEM32>\net1.exe' stop Avpm.exe /y
  • '<SYSTEM32>\net.exe' stop Avpupd.exe /y
  • '<SYSTEM32>\net1.exe' stop Avptc32.exe /y
  • '<SYSTEM32>\net.exe' stop Avptc32.exe /y
  • '<SYSTEM32>\net1.exe' stop _Avpm.exe /y
  • '<SYSTEM32>\net.exe' stop _Avpm.exe /y
  • '<SYSTEM32>\net1.exe' stop _Avpcc.exe /y
  • '<SYSTEM32>\net.exe' stop Ackwin32.exe /y
  • '<SYSTEM32>\net1.exe' stop Agnitum Outpost Firewall /y
  • '<SYSTEM32>\net.exe' stop Agnitum Outpost Firewall /y
  • '<SYSTEM32>\net1.exe' stop Ackwin32.exe /y
  • '<SYSTEM32>\net.exe' stop _Avpcc.exe /y
  • '<SYSTEM32>\cmd.exe' /c copy.bat
  • '<SYSTEM32>\cmd.exe' /c vv.bat
  • '<SYSTEM32>\cmd.exe' /c ft.bat
  • '%WINDIR%\msagent\agentsvr.exe' -Embedding
  • '<SYSTEM32>\net1.exe' stop _Avp32.exe /y
  • '<SYSTEM32>\net.exe' stop _Avp32.exe /y
  • '<SYSTEM32>\cmd.exe' /c v.bat
  • '<SYSTEM32>\net.exe' stop AVCONSOL /y
  • '<SYSTEM32>\net1.exe' stop Autodown.exe /y
  • '<SYSTEM32>\net.exe' stop Autodown.exe /y
  • '<SYSTEM32>\net1.exe' stop AVCONSOL /y
  • '<SYSTEM32>\net.exe' stop Ave32.exe /y
  • '<SYSTEM32>\net1.exe' stop Avconsol.exe /y
  • '<SYSTEM32>\net.exe' stop Avconsol.exe /y
  • '<SYSTEM32>\net1.exe' stop ATRACK /y
  • '<SYSTEM32>\net.exe' stop ANTIVIR /y
  • '<SYSTEM32>\net1.exe' stop Anti-Trojan.exe /y
  • '<SYSTEM32>\net.exe' stop Anti-Trojan.exe /y
  • '<SYSTEM32>\net1.exe' stop ANTIVIR /y
  • '<SYSTEM32>\net.exe' stop ATRACK /y
  • '<SYSTEM32>\net1.exe' stop Apvxdwin.exe /y
  • '<SYSTEM32>\net.exe' stop Apvxdwin.exe /y
  • '<SYSTEM32>\net1.exe' stop Dvp95.exe /y
  • '<SYSTEM32>\net.exe' stop Dvp95.exe /y
  • '<SYSTEM32>\net1.exe' stop Defwatch.exe /y
  • '<SYSTEM32>\net.exe' stop Dvp95_0.exe /y
  • '<SYSTEM32>\net1.exe' stop Ecengine.exe /y
  • '<SYSTEM32>\net.exe' stop Ecengine.exe /y
  • '<SYSTEM32>\net1.exe' stop Dvp95_0.exe /y
  • '<SYSTEM32>\net.exe' stop Defwatch.exe /y
  • '<SYSTEM32>\net1.exe' stop Cleaner3.exe /y
  • '<SYSTEM32>\net.exe' stop Cleaner3.exe /y
  • '<SYSTEM32>\net1.exe' stop Cleaner.exe /y
  • '<SYSTEM32>\net.exe' stop ConSeal PC Firewall
  • '<SYSTEM32>\net1.exe' stop Defwatch /y
  • '<SYSTEM32>\net.exe' stop Defwatch /y
  • '<SYSTEM32>\net1.exe' stop ConSeal PC Firewall
  • '<SYSTEM32>\net.exe' stop Findviru.exe /y
  • '<SYSTEM32>\net1.exe' stop F-Agnt95.exe /y
  • '<SYSTEM32>\net.exe' stop F-Agnt95.exe /y
  • '<SYSTEM32>\net1.exe' stop Findviru.exe /y
  • '<SYSTEM32>\net.exe' stop F-Prot.exe /y
  • '<SYSTEM32>\net1.exe' stop Fprot.exe /y
  • '<SYSTEM32>\net.exe' stop Fprot.exe /y
  • '<SYSTEM32>\net1.exe' stop eTrust EZ Firewall /y
  • '<SYSTEM32>\net.exe' stop Esafe.exe /y
  • '<SYSTEM32>\net1.exe' stop eSafe Protect Desktop /y
  • '<SYSTEM32>\net.exe' stop eSafe Protect Desktop /y
  • '<SYSTEM32>\net1.exe' stop Esafe.exe /y
  • '<SYSTEM32>\net.exe' stop eTrust EZ Firewall /y
  • '<SYSTEM32>\net1.exe' stop Espwatch.exe /y
  • '<SYSTEM32>\net.exe' stop Espwatch.exe /y
  • '<SYSTEM32>\net1.exe' stop Blackice.exe /y
  • '<SYSTEM32>\net.exe' stop Blackice.exe /y
  • '<SYSTEM32>\net1.exe' stop BlackICE Defender /y
  • '<SYSTEM32>\net.exe' stop CA Sessionwall-3 /y
  • '<SYSTEM32>\net1.exe' stop Cfiadmin.exe /y
  • '<SYSTEM32>\net.exe' stop Cfiadmin.exe /y
  • '<SYSTEM32>\net1.exe' stop CA Sessionwall-3 /y
  • '<SYSTEM32>\net.exe' stop BlackICE Defender /y
  • '<SYSTEM32>\net1.exe' stop Avwupd32.exe /y
  • '<SYSTEM32>\net.exe' stop Avwupd32.exe /y
  • '<SYSTEM32>\net1.exe' stop Avwin95.exe /y
  • '<SYSTEM32>\net.exe' stop Blackd.exe /y
  • '<SYSTEM32>\net1.exe' stop BLACKICE /y
  • '<SYSTEM32>\net.exe' stop BLACKICE /y
  • '<SYSTEM32>\net1.exe' stop Blackd.exe /y
  • '<SYSTEM32>\net.exe' stop Claw95.exe /y
  • '<SYSTEM32>\net1.exe' stop Cfinet32.exe /y
  • '<SYSTEM32>\net.exe' stop Cfinet32.exe /y
  • '<SYSTEM32>\net1.exe' stop Claw95.exe /y
  • '<SYSTEM32>\net.exe' stop Cleaner.exe /y
  • '<SYSTEM32>\net1.exe' stop Claw95cf.exe /y
  • '<SYSTEM32>\net.exe' stop Claw95cf.exe /y
  • '<SYSTEM32>\net1.exe' stop CFINET32 /y
  • '<SYSTEM32>\net.exe' stop CFINET /y
  • '<SYSTEM32>\net1.exe' stop Cfiaudit.exe /y
  • '<SYSTEM32>\net.exe' stop Cfiaudit.exe /y
  • '<SYSTEM32>\net1.exe' stop CFINET /y
  • '<SYSTEM32>\net.exe' stop CFINET32 /y
  • '<SYSTEM32>\net1.exe' stop Cfinet.exe /y
  • '<SYSTEM32>\net.exe' stop Cfinet.exe /y
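The list above is the classic dropper pattern of disabling security products: a batch file runs `net stop` once per known antivirus or firewall process or service name, and every target appears twice because net.exe delegates the work to a child net1.exe. The Python below is an added example, not part of the Dr.Web description, of detecting that burst in process-creation telemetry: it parses net/net1 stop command lines, attributes each net1.exe record to the process that launched net.exe so the pair is not double-counted, alerts when one launcher tries to stop at least five distinct targets inside a sixty-second window, and annotates which targets look like security products. The events are constructed in Sysmon-like fields (ts, pid, ppid, image, cmd); those field names, the threshold, the window and the keyword list are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# `net stop <target> [/y]` or `net1 stop ...`, with or without a path and quotes around the image.
STOP_RE = re.compile(r'^(?:"[^"]*\\|[^\s"]*\\)?(net1?)(?:\.exe)?"?\s+stop\s+(.*?)(?:\s+/y)?\s*$', re.I)

# Substrings that mark a target as a security product (assumed list, drawn from the report).
SECURITY_HINTS = ("antivir", "avp", "blackice", "esafe", "firewall", "f-prot", "lockdown",
                  "look'n'stop", "mcafee", "nav", "norton", "outpost")


def _constructed_events():
    """Sysmon-like process-creation records (constructed, not real telemetry):
    cmd.exe pid 1180 runs the dropped vv.bat and fires a burst of net stop
    commands; each net.exe spawns net1.exe, as on a real host. A separate
    admin shell (pid 900) stops one service much later."""
    evs = [{"ts": "2013-05-14T10:00:00", "pid": 1180, "ppid": 1100,
            "image": r"C:\WINNT\system32\cmd.exe", "cmd": "cmd.exe /c vv.bat"}]
    targets = ["Iface.exe", "Look'n'Stop", "Norton AntiVirus Server",
               "Avp32.exe", "BlackICE Defender", "McAfee Firewall"]
    pid = 2000
    for i, t in enumerate(targets, 1):
        ts = f"2013-05-14T10:00:{i:02d}"
        evs.append({"ts": ts, "pid": pid, "ppid": 1180,
                    "image": r"C:\WINNT\system32\net.exe", "cmd": f"net.exe stop {t} /y"})
        evs.append({"ts": ts, "pid": pid + 1, "ppid": pid,
                    "image": r"C:\WINNT\system32\net1.exe",
                    "cmd": rf"C:\WINNT\system32\net1.exe stop {t} /y"})
        pid += 2
    evs.append({"ts": "2013-05-14T12:30:00", "pid": 3100, "ppid": 900,
                "image": r"C:\WINNT\system32\net.exe", "cmd": "net stop spooler /y"})
    return evs


EVENTS = _constructed_events()


def launcher_of(ev, parent_of, image_of):
    """Attribute a stop request to the process that issued it. net.exe hands the
    work to a child net1.exe, so for a net1.exe record step up one more level."""
    ppid = ev["ppid"]
    if image_of.get(ppid, "").lower().endswith("\\net.exe"):
        return parent_of.get(ppid, ppid)
    return ppid


def detect_stop_bursts(events, min_targets=5, window=timedelta(seconds=60)):
    """Alert on any launcher that tries to stop >= min_targets distinct
    services/processes within `window`. Distinct targets are counted, not
    events, so the net.exe/net1.exe pair does not double-count."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events}
    image_of = {ev["pid"]: ev["image"] for ev in events}
    hits = defaultdict(list)
    for ev in events:
        m = STOP_RE.match(ev["cmd"])
        if m:
            hits[launcher_of(ev, parent_of, image_of)].append(
                (datetime.fromisoformat(ev["ts"]), m.group(2).strip('"')))
    alerts = []
    for launcher, seen in hits.items():
        seen.sort()
        best, first, lo = set(), None, 0
        for hi in range(len(seen)):          # sliding window over sorted timestamps
            while seen[hi][0] - seen[lo][0] > window:
                lo += 1
            targets = {t for _, t in seen[lo:hi + 1]}
            if len(targets) > len(best):     # keep the densest window per launcher
                best, first = targets, seen[lo][0]
        if len(best) >= min_targets:
            alerts.append({
                "launcher": launcher,
                "first": first.isoformat(),
                "targets": sorted(best),
                "security_products": sorted(
                    t for t in best if any(h in t.lower() for h in SECURITY_HINTS)),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_stop_bursts(EVENTS):
        print(f"launcher pid {a['launcher']} at {a['first']} stopped {len(a['targets'])} targets:")
        print("  security products:", ", ".join(a["security_products"]))
```

Counting distinct targets keeps the rule stable whether the sensor records net.exe, net1.exe or both. The keyword list only annotates the alert: an attacker can just as easily stop services with innocuous names, so the burst itself is the primary signal, and the `cmd.exe /c *.bat` launches from a system32 subdirectory listed above are worth a second, independent rule.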
Modifies file system:
Creates the following files:
  • C:\winnt\system32\micros\v.bat
  • C:\winnt\system32\micros\vv.bat
  • C:\winnt\system32\micros\svhost.exe
  • C:\winnt\system32\micros\secure.exe
  • C:\winnt\system32\micros\sqlpass.dic
  • C:\winnt\system32\micros\rconnect.log
  • C:\winnt\system32\micros\TMP1.$$$
  • C:\winnt\system32\micros\r.ini
  • C:\winnt\system32\micros\coderx.dll
  • C:\winnt\system32\micros\rcfg.ini
  • C:\winnt\system32\micros\Libparse.exe
  • C:\winnt\system32\micros\mscmd.exe
  • C:\winnt\system32\micros\kammi.exe
  • C:\winnt\system32\micros\copy.bat
  • C:\winnt\system32\micros\ft.bat
  • C:\winnt\system32\micros\rconnect.conf
  • C:\winnt\system32\micros\scansql.exe
  • C:\winnt\system32\micros\ownage.exe
  • C:\winnt\system32\micros\nickz.dbx
  • C:\winnt\system32\micros\osql.exe
Sets the 'hidden' attribute to the following files:
  • C:\winnt\system32\micros\rconnect.conf
  • C:\winnt\system32\micros\mscmd.exe
Deletes the following files:
  • C:\winnt\system32\micros\TMP2.$$$
Moves the following files:
  • from C:\winnt\system32\micros\TMP1.$$$ to C:\winnt\system32\micros\r.ini
  • from C:\winnt\system32\micros\r.ini to C:\winnt\system32\micros\TMP2.$$$
Network activity:
Connects to:
  • 'ir#.##ozchat.com':7000
UDP:
  • DNS ASK ir#.##ozchat.com
Miscellaneous:
Searches for the following windows:
  • ClassName: '' WindowName: 'UPDATE'
  • ClassName: 'Shell_TrayWnd' WindowName: ''
  • ClassName: 'EDIT' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.