Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Reg Services' = '<SYSTEM32>\ffservice.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Reg Services' = '<SYSTEM32>\ffservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'Windows Reg Services' = '<SYSTEM32>\ffservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'csmm' = '<SYSTEM32>\csmm.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{a75aed00-d7bf-11d1-9947-00c0Cf98bbc9}] 'StubPath' = '<SYSTEM32>\lservice.exe'
Изменяет следующие исполняемые системные файлы:
- <SYSTEM32>\dllcache\msconfig.exe
- %WINDIR%\pchealth\helpctr\binaries\msconfig.exe
Вредоносные функции:
Для затруднения выявления своего присутствия в системе
блокирует запуск следующих системных утилит:
- Интерпретатора командной строки (CMD)
- Диспетчера задач (Taskmgr)
- Редактора реестра (RegEdit)
блокирует:
- Компонент восстановления системы (SR)
Создает и запускает на исполнение:
- '<SYSTEM32>\sxmm.dll' /pid=5796
- '<SYSTEM32>\sxmm.dll' /pid=5740
- '<SYSTEM32>\sxmm.dll' /pid=5952
- '<SYSTEM32>\sxmm.dll' /pid=4084
- '<SYSTEM32>\sxmm.dll' /pid=6092
- '<SYSTEM32>\sxmm.dll' /pid=5684
- '<SYSTEM32>\sxmm.dll' /pid=5196
- '<SYSTEM32>\sxmm.dll' /pid=4856
- '<SYSTEM32>\sxmm.dll' /pid=2552
- '<SYSTEM32>\sxmm.dll' /pid=5600
- '<SYSTEM32>\sxmm.dll' /pid=1456
- '<SYSTEM32>\sxmm.dll' /pid=3172
- '<SYSTEM32>\sxmm.dll' /pid=6128
- '<SYSTEM32>\sxmm.dll' /pid=5520
- '<SYSTEM32>\sxmm.dll' /pid=4480
- '<SYSTEM32>\sxmm.dll' /pid=7000
- '<SYSTEM32>\sxmm.dll' /pid=6968
- '<SYSTEM32>\sxmm.dll' /pid=3524
- '<SYSTEM32>\sxmm.dll' /pid=4976
- '<SYSTEM32>\sxmm.dll' /pid=4356
- '<SYSTEM32>\sxmm.dll' /pid=5136
- '<SYSTEM32>\sxmm.dll' /pid=5408
- '<SYSTEM32>\sxmm.dll' /pid=2496
- '<SYSTEM32>\sxmm.dll' /pid=4216
- '<SYSTEM32>\sxmm.dll' /pid=5072
- '<SYSTEM32>\sxmm.dll' /pid=3308
- '<SYSTEM32>\sxmm.dll' /pid=5100
- '<SYSTEM32>\sxmm.dll' /pid=5164
- '<SYSTEM32>\sxmm.dll' /pid=5316
- '<SYSTEM32>\sxmm.dll' /pid=5184
- '<SYSTEM32>\sxmm.dll' /pid=5056
- '<SYSTEM32>\sxmm.dll' /pid=5040
- '<SYSTEM32>\sxmm.dll' /pid=5080
- '<SYSTEM32>\sxmm.dll' /pid=4912
- '<SYSTEM32>\sxmm.dll' /pid=3000
- '<SYSTEM32>\sxmm.dll' /pid=5352
- '<SYSTEM32>\sxmm.dll' /pid=328
- '<SYSTEM32>\sxmm.dll' /pid=6140
- '<SYSTEM32>\sxmm.dll' /pid=3656
- '<SYSTEM32>\sxmm.dll' /pid=2988
- '<SYSTEM32>\sxmm.dll' /pid=2796
- '<SYSTEM32>\sxmm.dll' /pid=6124
- '<SYSTEM32>\sxmm.dll' /pid=5784
- '<SYSTEM32>\sxmm.dll' /pid=5688
- '<SYSTEM32>\sxmm.dll' /pid=5964
- '<SYSTEM32>\sxmm.dll' /pid=6016
- '<SYSTEM32>\sxmm.dll' /pid=5872
- '<SYSTEM32>\sxmm.dll' /pid=7028
- '<SYSTEM32>\sxmm.dll' /pid=7704
- '<SYSTEM32>\sxmm.dll' /pid=6500
- '<SYSTEM32>\sxmm.dll' /pid=7728
- '<SYSTEM32>\sxmm.dll' /pid=7848
- '<SYSTEM32>\sxmm.dll' /pid=7792
- '<SYSTEM32>\sxmm.dll' /pid=7620
- '<SYSTEM32>\sxmm.dll' /pid=7412
- '<SYSTEM32>\sxmm.dll' /pid=7380
- '<SYSTEM32>\sxmm.dll' /pid=7404
- '<SYSTEM32>\sxmm.dll' /pid=7564
- '<SYSTEM32>\sxmm.dll' /pid=6404
- '<SYSTEM32>\sxmm.dll' /pid=7928
- '<SYSTEM32>\sxmm.dll' /pid=6260
- '<SYSTEM32>\sxmm.dll' /pid=6200
- '<SYSTEM32>\sxmm.dll' /pid=6388
- '<SYSTEM32>\sxmm.dll' /pid=7716
- '<SYSTEM32>\sxmm.dll' /pid=7672
- '<SYSTEM32>\sxmm.dll' /pid=6896
- '<SYSTEM32>\sxmm.dll' /pid=7944
- '<SYSTEM32>\sxmm.dll' /pid=6652
- '<SYSTEM32>\sxmm.dll' /pid=6744
- '<SYSTEM32>\sxmm.dll' /pid=8128
- '<SYSTEM32>\sxmm.dll' /pid=6776
- '<SYSTEM32>\sxmm.dll' /pid=7216
- '<SYSTEM32>\sxmm.dll' /pid=7316
- '<SYSTEM32>\sxmm.dll' /pid=7276
- '<SYSTEM32>\sxmm.dll' /pid=7352
- '<SYSTEM32>\sxmm.dll' /pid=7440
- '<SYSTEM32>\sxmm.dll' /pid=7392
- '<SYSTEM32>\sxmm.dll' /pid=7244
- '<SYSTEM32>\sxmm.dll' /pid=7044
- '<SYSTEM32>\sxmm.dll' /pid=6932
- '<SYSTEM32>\sxmm.dll' /pid=7064
- '<SYSTEM32>\sxmm.dll' /pid=7164
- '<SYSTEM32>\sxmm.dll' /pid=7132
- '<SYSTEM32>\sxmm.dll' /pid=7504
- '<SYSTEM32>\sxmm.dll' /pid=6304
- '<SYSTEM32>\sxmm.dll' /pid=6096
- '<SYSTEM32>\sxmm.dll' /pid=4756
- '<SYSTEM32>\sxmm.dll' /pid=7200
- '<SYSTEM32>\sxmm.dll' /pid=7152
- '<SYSTEM32>\sxmm.dll' /pid=4876
- '<SYSTEM32>\sxmm.dll' /pid=7812
- '<SYSTEM32>\sxmm.dll' /pid=7552
- '<SYSTEM32>\sxmm.dll' /pid=8012
- '<SYSTEM32>\sxmm.dll' /pid=8084
- '<SYSTEM32>\sxmm.dll' /pid=8036
- '<SYSTEM32>\sxmm.dll' /pid=4624
- '<SYSTEM32>\sxmm.dll' monitor off
- '<SYSTEM32>\sxmm.dll' /pid=2884
- '<SYSTEM32>\sxmm.dll' /pid=4476
- '<SYSTEM32>\sxmm.dll' /pid=4564
- '<SYSTEM32>\sxmm.dll' /pid=4532
- '<SYSTEM32>\sxmm.dll' /pid=3612
- '<SYSTEM32>\sxmm.dll' /pid=1148
- '<SYSTEM32>\sxmm.dll' /pid=3532
- '<SYSTEM32>\sxmm.dll' /f /im iexplore.exe
- '<SYSTEM32>\sxmm.dll'
- '<SYSTEM32>\sxmm.dll' cdrom open
- '<SYSTEM32>\sxmm.dll' /pid=4556
- '<SYSTEM32>\sxmm.dll' /pid=5052
- '<SYSTEM32>\sxmm.dll' /pid=5036
- '<SYSTEM32>\sxmm.dll' /pid=5060
- '<SYSTEM32>\sxmm.dll' /pid=5124
- '<SYSTEM32>\sxmm.dll' /pid=5076
- '<SYSTEM32>\sxmm.dll' /pid=5004
- '<SYSTEM32>\sxmm.dll' /pid=4740
- '<SYSTEM32>\sxmm.dll' /pid=4604
- '<SYSTEM32>\sxmm.dll' /pid=4828
- '<SYSTEM32>\sxmm.dll' /pid=4940
- '<SYSTEM32>\sxmm.dll' /pid=4900
- '<SYSTEM32>\sxmm.dll' /pid=1572
- '<SYSTEM32>\sxmm.dll' clipboard clear
- '<SYSTEM32>\sxmm.dll' stdbeep
- '<SYSTEM32>\sxmm.dll' win trans ititle My Computer 0
- '<SYSTEM32>\sxmm.dll' win close title "Calculator"
- '<SYSTEM32>\sxmm.dll' win close title "Windows Media Player"
- '<SYSTEM32>\sxmm.dll' mutesysvolume 1
- '<SYSTEM32>\sxmm.exe'
- '<SYSTEM32>\csmm.exe'
- '<SYSTEM32>\sxmm.dll' service stop SharedAccess
- '<SYSTEM32>\d_service.exe'
- '<SYSTEM32>\sxmm.dll' service disabled SharedAccess
- '<SYSTEM32>\d_service.exe' mutesysvolume 1
- '<SYSTEM32>\sxmm.dll' /pid=2360
- '<SYSTEM32>\sxmm.dll' /pid=4072
- '<SYSTEM32>\sxmm.dll' /pid=3396
- '<SYSTEM32>\sxmm.dll' /pid=3452
- '<SYSTEM32>\sxmm.dll' /pid=2464
- '<SYSTEM32>\sxmm.dll' /pid=4016
- '<SYSTEM32>\sxmm.dll' /pid=3896
- '<SYSTEM32>\sxmm.dll' /pid=3848
- '<SYSTEM32>\sxmm.dll' /pid=3888
- '<SYSTEM32>\sxmm.exe' /pid=3988
- '<SYSTEM32>\sxmm.dll' /pid=3328
- '<SYSTEM32>\sxmm.dll' /pid=5256
- '<SYSTEM32>\sxmm.dll' /pid=5200
- '<SYSTEM32>\sxmm.dll' /pid=5428
- '<SYSTEM32>\sxmm.dll' /pid=5708
- '<SYSTEM32>\sxmm.dll' /pid=5612
- '<SYSTEM32>\sxmm.dll' /pid=3964
- '<SYSTEM32>\sxmm.dll' /pid=4192
- '<SYSTEM32>\sxmm.dll' /pid=4152
- '<SYSTEM32>\sxmm.dll' /pid=4272
- '<SYSTEM32>\sxmm.dll' /pid=4620
- '<SYSTEM32>\sxmm.dll' /pid=4396
- '<SYSTEM32>\sxmm.dll' /pid=5844
- '<SYSTEM32>\sxmm.dll' /pid=2368
- '<SYSTEM32>\sxmm.dll' /pid=2440
- '<SYSTEM32>\sxmm.dll' /pid=5008
- '<SYSTEM32>\sxmm.dll' /pid=5024
- '<SYSTEM32>\sxmm.dll' /pid=4584
- '<SYSTEM32>\sxmm.dll' /pid=4832
- '<SYSTEM32>\sxmm.dll' /pid=4544
- '<SYSTEM32>\sxmm.dll' /pid=2516
- '<SYSTEM32>\sxmm.dll' /pid=2900
- '<SYSTEM32>\sxmm.dll' /pid=3084
- '<SYSTEM32>\sxmm.dll' /pid=4136
- '<SYSTEM32>\sxmm.dll' /pid=2416
- '<SYSTEM32>\sxmm.dll' /pid=5588
- '<SYSTEM32>\sxmm.dll' /pid=5492
- '<SYSTEM32>\sxmm.dll' /pid=5628
- '<SYSTEM32>\sxmm.dll' /pid=5764
- '<SYSTEM32>\sxmm.dll' /pid=5732
- '<SYSTEM32>\sxmm.dll' /pid=5444
- '<SYSTEM32>\sxmm.dll' /pid=5228
- '<SYSTEM32>\sxmm.dll' /pid=5180
- '<SYSTEM32>\sxmm.dll' /pid=5220
- '<SYSTEM32>\sxmm.dll' /pid=5400
- '<SYSTEM32>\sxmm.dll' /pid=5384
- '<SYSTEM32>\sxmm.dll' /pid=5780
- '<SYSTEM32>\sxmm.dll' /pid=3932
- '<SYSTEM32>\sxmm.dll' /pid=6084
- '<SYSTEM32>\sxmm.dll' /pid=3660
- '<SYSTEM32>\sxmm.dll' /pid=1380
- '<SYSTEM32>\sxmm.dll' /pid=2996
- '<SYSTEM32>\sxmm.dll' /pid=6020
- '<SYSTEM32>\sxmm.dll' /pid=5892
- '<SYSTEM32>\sxmm.dll' /pid=5868
- '<SYSTEM32>\sxmm.dll' /pid=5836
- '<SYSTEM32>\sxmm.dll' /pid=5924
- '<SYSTEM32>\sxmm.dll' /pid=5980
- '<SYSTEM32>\d_service.exe' (загружен из сети Интернет)
Запускает на исполнение:
- '<SYSTEM32>\net1.exe' win close title "Windows Media Player"
- '<SYSTEM32>\net1.exe' /pid=2584
- '<SYSTEM32>\net.exe' service stop SharedAccess
- '<SYSTEM32>\net1.exe' /pid=2716
- '<SYSTEM32>\net1.exe' mutesysvolume 1
- '<SYSTEM32>\net1.exe' /pid=3500
- '<SYSTEM32>\net1.exe' win close title "Calculator"
- '<SYSTEM32>\net1.exe' user 30 /add
- '<SYSTEM32>\net1.exe' user 28 /add
- '<SYSTEM32>\net1.exe' user 26 /add
- '<SYSTEM32>\net1.exe' /pid=3856
- '<SYSTEM32>\notepad.exe'
- '<SYSTEM32>\net1.exe' user 29 /add
- '<SYSTEM32>\net1.exe' /pid=2808
- '<SYSTEM32>\net1.exe' /pid=7756
- '<SYSTEM32>\taskkill.exe' win close title "Calculator"
- '<SYSTEM32>\net1.exe' stdbeep
- '<SYSTEM32>\taskkill.exe'
- '<SYSTEM32>\taskkill.exe' /pid=6832
- '<SYSTEM32>\taskkill.exe' service stop SharedAccess
- '<SYSTEM32>\taskkill.exe' /pid=5680
- '<SYSTEM32>\net1.exe' /pid=4468
- '<SYSTEM32>\taskkill.exe' /f /im iexplore.exe
- '<SYSTEM32>\net1.exe' /pid=3564
- '<SYSTEM32>\net1.exe' /pid=5852
- '<SYSTEM32>\taskkill.exe' win trans ititle My Computer 0
- '<SYSTEM32>\net1.exe' clipboard clear
- '<SYSTEM32>\net1.exe' user 9 /add
- '<SYSTEM32>\net1.exe' user 8 /add
- '<SYSTEM32>\net1.exe' user 7 /add
- '<SYSTEM32>\net1.exe' user 12 /add
- '<SYSTEM32>\net1.exe' user 10 /add
- '<SYSTEM32>\net1.exe' user 11 /add
- '<SYSTEM32>\net1.exe' user 6 /add
- '<SYSTEM32>\net1.exe' user 2 /add
- '<SYSTEM32>\net1.exe' user 1 /add
- '<SYSTEM32>\reg.exe' add HKLM\software\microsoft\windows\currentversion\run /v csmm /t reg_sz /d <SYSTEM32>\csmm.exe /f
- '<SYSTEM32>\net1.exe' user 5 /add
- '<SYSTEM32>\net1.exe' user 4 /add
- '<SYSTEM32>\net1.exe' user 3 /add
- '<SYSTEM32>\net1.exe' user 14 /add
- '<SYSTEM32>\net1.exe' user 23 /add
- '<SYSTEM32>\net1.exe' user 22 /add
- '<SYSTEM32>\net1.exe' user 21 /add
- '<SYSTEM32>\net1.exe' user 27 /add
- '<SYSTEM32>\net1.exe' user 25 /add
- '<SYSTEM32>\net1.exe' user 24 /add
- '<SYSTEM32>\net1.exe' user 20 /add
- '<SYSTEM32>\net1.exe' user 17 /add
- '<SYSTEM32>\net1.exe' user 15 /add
- '<SYSTEM32>\net1.exe' user 13 /add
- '<SYSTEM32>\net1.exe' user 19 /add
- '<SYSTEM32>\net1.exe' user 18 /add
- '<SYSTEM32>\net1.exe' user 16 /add
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\taskkill.exe
- <SYSTEM32>\net.exe
- <SYSTEM32>\net1.exe
следующие пользовательские процессы:
- iexplore.exe
Завершает или пытается завершить
следующие пользовательские процессы:
- iexplore.exe
Изменяет следующие настройки проводника Windows (Windows Explorer):
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000002'
Изменения в файловой системе:
Создает следующие файлы:
- <SYSTEM32>\lservice.exe
- <SYSTEM32>\ffservice.exe
- <SYSTEM32>\d_service.exe
- <SYSTEM32>\wservice.exe
- <SYSTEM32>\csmm.exe
- <SYSTEM32>\sxmm.dll
- <SYSTEM32>\sxmm.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- <SYSTEM32>\ffservice.exe
- <SYSTEM32>\lservice.exe
- <SYSTEM32>\wservice.exe
Удаляет следующие файлы:
- %WINDIR%\Fonts\verdanaz.ttf
- %WINDIR%\Fonts\vrinda.ttf
- %WINDIR%\Fonts\webdings.ttf
- %WINDIR%\Fonts\verdana.ttf
- %WINDIR%\Fonts\verdanab.ttf
- %WINDIR%\Fonts\verdanai.ttf
- %WINDIR%\Fonts\wst_fren.fon
- %WINDIR%\Fonts\wst_germ.fon
- %WINDIR%\Fonts\wst_ital.fon
- %WINDIR%\Fonts\wingding.ttf
- %WINDIR%\Fonts\wst_czec.fon
- %WINDIR%\Fonts\wst_engl.fon
- %WINDIR%\Fonts\times.ttf
- %WINDIR%\Fonts\timesbd.ttf
- %WINDIR%\Fonts\timesbi.ttf
- %WINDIR%\Fonts\symbol.ttf
- %WINDIR%\Fonts\tahoma.ttf
- %WINDIR%\Fonts\tahomabd.ttf
- %WINDIR%\Fonts\trebucbi.ttf
- %WINDIR%\Fonts\trebucit.ttf
- %WINDIR%\Fonts\tunga.ttf
- %WINDIR%\Fonts\timesi.ttf
- %WINDIR%\Fonts\trebuc.ttf
- %WINDIR%\Fonts\trebucbd.ttf
- <SYSTEM32>\ss3dfo.scr
- <SYSTEM32>\ssbezier.scr
- <SYSTEM32>\ssflwbox.scr
- <SYSTEM32>\dllcache\sstext3d.scr
- <SYSTEM32>\logon.scr
- <SYSTEM32>\scrnsave.scr
- <SYSTEM32>\sspipes.scr
- <SYSTEM32>\ssstars.scr
- <SYSTEM32>\sstext3d.scr
- <SYSTEM32>\ssmarque.scr
- <SYSTEM32>\ssmypics.scr
- <SYSTEM32>\ssmyst.scr
- <SYSTEM32>\dllcache\scrnsave.scr
- <SYSTEM32>\dllcache\ss3dfo.scr
- <SYSTEM32>\dllcache\ssbezier.scr
- %WINDIR%\Fonts\wst_span.fon
- %WINDIR%\Fonts\wst_swed.fon
- <SYSTEM32>\dllcache\logon.scr
- <SYSTEM32>\dllcache\ssmyst.scr
- <SYSTEM32>\dllcache\sspipes.scr
- <SYSTEM32>\dllcache\ssstars.scr
- <SYSTEM32>\dllcache\ssflwbox.scr
- <SYSTEM32>\dllcache\ssmarque.scr
- <SYSTEM32>\dllcache\ssmypics.scr
- %WINDIR%\Fonts\framd.ttf
- %WINDIR%\Fonts\framdit.ttf
- %WINDIR%\Fonts\gautami.ttf
- %WINDIR%\Fonts\courbi.ttf
- %WINDIR%\Fonts\couri.ttf
- %WINDIR%\Fonts\estre.ttf
- %WINDIR%\Fonts\georgiaz.ttf
- %WINDIR%\Fonts\GlobalMonospace.CompositeFont
- %WINDIR%\Fonts\GlobalSansSerif.CompositeFont
- %WINDIR%\Fonts\georgia.ttf
- %WINDIR%\Fonts\georgiab.ttf
- %WINDIR%\Fonts\georgiai.ttf
- %WINDIR%\Fonts\arial.ttf
- %WINDIR%\Fonts\arialbd.ttf
- %WINDIR%\Fonts\arialbi.ttf
- <SYSTEM32>\wservice.exe
- <SYSTEM32>\lservice.exe
- <SYSTEM32>\ffservice.exe
- %WINDIR%\Fonts\comicbd.ttf
- %WINDIR%\Fonts\cour.ttf
- %WINDIR%\Fonts\courbd.ttf
- %WINDIR%\Fonts\ariali.ttf
- %WINDIR%\Fonts\ariblk.ttf
- %WINDIR%\Fonts\comic.ttf
- %WINDIR%\Fonts\pala.ttf
- %WINDIR%\Fonts\palab.ttf
- %WINDIR%\Fonts\palabi.ttf
- %WINDIR%\Fonts\micross.ttf
- %WINDIR%\Fonts\modern.fon
- %WINDIR%\Fonts\mvboli.ttf
- %WINDIR%\Fonts\script.fon
- %WINDIR%\Fonts\shruti.ttf
- %WINDIR%\Fonts\sylfaen.ttf
- %WINDIR%\Fonts\palai.ttf
- %WINDIR%\Fonts\raavi.ttf
- %WINDIR%\Fonts\roman.fon
- %WINDIR%\Fonts\kartika.ttf
- %WINDIR%\Fonts\l_10646.ttf
- %WINDIR%\Fonts\latha.ttf
- %WINDIR%\Fonts\GlobalSerif.CompositeFont
- %WINDIR%\Fonts\GlobalUserInterface.CompositeFont
- %WINDIR%\Fonts\impact.ttf
- %WINDIR%\Fonts\lsansi.ttf
- %WINDIR%\Fonts\lucon.ttf
- %WINDIR%\Fonts\mangal.ttf
- %WINDIR%\Fonts\lsans.ttf
- %WINDIR%\Fonts\lsansd.ttf
- %WINDIR%\Fonts\lsansdi.ttf
Сетевая активность:
Подключается к:
- 'mr#####.persiangig.com':80
- 'localhost':1036
TCP:
Запросы HTTP GET:
- mr#####.persiangig.com/vipserver.exe
UDP:
- DNS ASK mr#####.persiangig.com
Другое:
Ищет следующие окна:
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'BUTTON' WindowName: ''
