Trojan.KillProc.30556

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-99' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-100' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Explorer' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-96' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-97' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-98' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos103' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-104' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Winlogon' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-101' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-102' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-95' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-86' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-87' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-88' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-82' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-83' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-84' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-92' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-93' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'googlchrome' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'PizDA-2' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-90' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-91' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'farSH' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'GameCenter' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Crossfire' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Taskmgr' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Microsoft' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'java-32bit' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'kaspersky' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ESET' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Del-Win32bit' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'CfireMailru' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Dwm' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xaxaxaxa-LOL' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'PizDa' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'XerWiRazblokiruete' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Fuck' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Hacker' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RangoHack' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Zorgee' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Hit-1Sukaaaaaa' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'IhTooT9991' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'KooITebe' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'KisMyAss' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Popapapapapap' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HitKillFuckSuka' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-48' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-49' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-50' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-45' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-46' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-47' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-54' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-55' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-56' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-51' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-52' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-53' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-44' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-34' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-35' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-36' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-31' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-32' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-33' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-41' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-42' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-43' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-37' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-38' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-39' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-73' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-74' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-75' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-70' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-71' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-72' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-79' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-80' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-81' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-76' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-77' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-78' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-69' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-60' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-61' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-62' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-57' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-58' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-59' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-66' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-67' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Foockissss' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-63' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-64' = '"<Full path to virus>"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Wondwos-65' = '"<Full path to virus>"'

Malicious functions:

Executes the following:

'<SYSTEM32>\taskkill.exe' /f /im explorer.exe

Terminates or attempts to terminate

the following system processes:

%WINDIR%\Explorer.EXE

Miscellaneous:

Searches for the following windows:

ClassName: '(null)' WindowName: '?????? ?????????'
ClassName: '(null)' WindowName: '??? ?????????'
ClassName: '(null)' WindowName: '(null)'
ClassName: 'Indicator' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: '(null)' WindowName: '????????? ????? Windows'

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial