Trojan.DownLoader11.37373

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WinDiagnosis.exe' = '<Full path to virus> 30'

Malicious functions:

Executes the following:

'<SYSTEM32>\svchost.exe' -k RPCSS
'<SYSTEM32>\svchost.exe' -k regsvc
'<SYSTEM32>\svchost.exe' -k NetworkServiceNetworkRestricted
'<SYSTEM32>\wbem\wmiprvse.exe' -k netsvcs
'<SYSTEM32>\svchost.exe' /RunAsService
'<SYSTEM32>\taskhost.exe' -k LocalServiceAndNoImpersonation
'<SYSTEM32>\svchost.exe' -k SDRSVC
'<SYSTEM32>\conhost.exe' -k LocalServicePeerNet
'<SYSTEM32>\taskhost.exe' -k LocalService
'<SYSTEM32>\svchost.exe' -NetMsmqActivator
'<SYSTEM32>\rundll32.exe' -k LocalServiceNoNetwork
'<SYSTEM32>\svchost.exe' -k LocalServicePeerNet
'<SYSTEM32>\DllHost.exe' -k LocalServicePeerNet
'<SYSTEM32>\svchost.exe' -k DcomLaunch
'<SYSTEM32>\svchost.exe' -k PeerDist
'<SYSTEM32>\DllHost.exe' -k imgsvc
'<SYSTEM32>\svchost.exe' /Embedding
'<SYSTEM32>\dllhost.exe' -k NetworkService
'<SYSTEM32>\conhost.exe' -k LocalService
'%WINDIR%\eHome\ehshell.exe' /Embedding
'<SYSTEM32>\svchost.exe' 0xe6c vssvc.exe
'<SYSTEM32>\svchost.exe' /pid=0xe6c /log
'<SYSTEM32>\rundll32.exe' -k LocalSystemNetworkRestricted
'<SYSTEM32>\svchost.exe' -k secsvcs
'<SYSTEM32>\wbengine.exe'
'<SYSTEM32>\conhost.exe' -k LocalServiceAndNoImpersonation
'<SYSTEM32>\conhost.exe' -k imgsvc
'<SYSTEM32>\svchost.exe' -k WbioSvcGroup
'<SYSTEM32>\conhost.exe' -k secsvcs
'<SYSTEM32>\svchost.exe' -k WerSvcGroup
'<SYSTEM32>\svchost.exe' -k wcssvc
'<SYSTEM32>\svchost.exe' -k AxInstSVGroup
'<SYSTEM32>\taskhost.exe' -k AxInstSVGroup
'<SYSTEM32>\svchost.exe' -k LocalServiceNetworkRestricted
'<SYSTEM32>\svchost.exe' -k LocalServiceNoNetwork
'<SYSTEM32>\dllhost.exe' /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
'<SYSTEM32>\svchost.exe' -k bthsvcs
'<SYSTEM32>\conhost.exe' -k netsvcs
'<SYSTEM32>\svchost.exe' -k LocalSystemNetworkRestricted
'%WINDIR%\eHome\ehshell.exe' "%1"
'<SYSTEM32>\svchost.exe' -k swprv
'<SYSTEM32>\vssvc.exe'
'<SYSTEM32>\NOTEPAD.EXE' %1
'<SYSTEM32>\svchost.exe' -k LocalServiceAndNoImpersonation
'<SYSTEM32>\svchost.exe' -k netsvcs
'<SYSTEM32>\rundll32.exe' "%PROGRAM_FILES%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1
'<SYSTEM32>\svchost.exe' -k NetworkService
'<SYSTEM32>\conhost.exe' -k LocalSystemNetworkRestricted
'<SYSTEM32>\svchost.exe' /V
'<SYSTEM32>\svchost.exe'
'<SYSTEM32>\dllhost.exe' -k NetSvcs
'%WINDIR%\eHome\ehshell.exe' -k netsvcs
'<SYSTEM32>\svchost.exe' -k NetworkServiceAndNoImpersonation
'<SYSTEM32>\dllhost.exe' -k NetworkServiceAndNoImpersonation
'<SYSTEM32>\taskhost.exe' -k netsvcs
'<SYSTEM32>\NOTEPAD.EXE' -k netsvcs
'%WINDIR%\eHome\ehshell.exe' -k LocalSystemNetworkRestricted
'<SYSTEM32>\svchost.exe' -k defragsvc
'<SYSTEM32>\rundll32.exe' -k LocalServiceNetworkRestricted
'<SYSTEM32>\svchost.exe' /medsvc
'<SYSTEM32>\svchost.exe' /svc
'<SYSTEM32>\svchost.exe' -k LocalService

Terminates or attempts to terminate

a large number of user processes.

Modifies file system :

Creates the following files:

<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\good[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\normal[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\left_progress_2[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\big_progress_2[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\green_phone[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\bad[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\in[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\not[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\ok[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\small_progress_2[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\small_progress_1[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\button_security_status_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\button_summary_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\button_close_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\button_system_information_h[1]
<Auxiliary element>
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\button_registry_fix_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\button_stop_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\big_progress_1[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\button_pc_stability_issues_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\button_clean_junk_files_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\button_startup_optimization_h[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\button_summary[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\red_icon[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\folder_1[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\attention_2[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\button_fix[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\wrapper_bg[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\attention_1[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\reset[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\main[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\styles[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\progress_animation[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\HtmlControl[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\button_pc_stability_issues[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\button_system_information[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\button_startup_optimization[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\button_registry_fix[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\button_clean_junk_files[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\button_security_status[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\button_scan[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\button_stop[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\button_close[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U23MFC9\button_minimize[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\23BUYPX5\button_chat[1]

Network activity:

Connects to:

'ha####eatmentz.net':80

TCP:

HTTP POST requests:

ha####eatmentz.net/soap.php

UDP:

DNS ASK ha####eatmentz.net

Miscellaneous:

Searches for the following windows:

ClassName: 'MS_WebCheckMonitor' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Indicator' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial