Trojan.StartPage.46962

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Classes\Spiralmonkey.DreamAquarium.1\shell\Open\command] '' = '"\Windows\System32\ErrorsAndUpdates.exe" "%1"'
[<HKLM>\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command] '' = '"%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE" %1'
[<HKLM>\SOFTWARE\Classes\ftp\shell\open\command] '' = '"%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE" %1'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] 'vidc.cvid' = 'iccvid.dll'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] 'vidc.iv31' = 'ir32_32.dll'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] 'vidc.iv32' = 'ir32_32.dll'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\SamSs] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\PlugPlay] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\RpcSs] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\SENS] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\TrkWks] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\winmgmt] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\ShellHWDetection] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\Themes] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\LmHosts] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\DcomLaunch] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\Dhcp] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\AudioSrv] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\CryptSvc] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\Dnscache] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanworkstation] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\Eventlog] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\EventSystem] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files
file extensions

blocks the following features:

User Account Control (UAC)

Creates and executes the following:

%TEMP%\Optimization.exe

Executes the following:

<SYSTEM32>\sc.exe config SysMain start= DEMAND
<SYSTEM32>\sc.exe config swprv start= DEMAND
<SYSTEM32>\sc.exe config TBS start= DEMAND
<SYSTEM32>\sc.exe config TapiSrv start= DEMAND
<SYSTEM32>\sc.exe config stisvc start= DEMAND
<SYSTEM32>\sc.exe config sppuinotify start= DEMAND
<SYSTEM32>\sc.exe config sppsvc start= AUTO
<SYSTEM32>\sc.exe config SstpSvc start= DEMAND
<SYSTEM32>\sc.exe config SSDPSRV start= DEMAND
<SYSTEM32>\sc.exe config UmRdpService start= DEMAND
<SYSTEM32>\sc.exe config UI0Detect start= DEMAND
<SYSTEM32>\sc.exe config UxSms start= AUTO
<SYSTEM32>\sc.exe config upnphost start= DEMAND
<SYSTEM32>\sc.exe config TrustedInstaller start= DEMAND
<SYSTEM32>\sc.exe config Themes start= AUTO
<SYSTEM32>\sc.exe config TermService start= DEMAND
<SYSTEM32>\sc.exe config TrkWks start= AUTO
<SYSTEM32>\sc.exe config THREADORDER start= DEMAND
<SYSTEM32>\sc.exe config Spooler start= DEMAND
<SYSTEM32>\sc.exe config SamSs start= AUTO
<SYSTEM32>\sc.exe config RpcSs start= AUTO
<SYSTEM32>\sc.exe config Schedule start= AUTO
<SYSTEM32>\sc.exe config SCardSvr start= DEMAND
<SYSTEM32>\sc.exe config RpcLocator start= DEMAND
<SYSTEM32>\sc.exe config RemoteAccess start= DISABLED
<SYSTEM32>\sc.exe config RasMan start= DEMAND
<SYSTEM32>\sc.exe config RpcEptMapper start= AUTO
<SYSTEM32>\sc.exe config RemoteRegistry start= DEMAND
<SYSTEM32>\sc.exe config SharedAccess start= DISABLED
<SYSTEM32>\sc.exe config SessionEnv start= DEMAND
<SYSTEM32>\sc.exe config SNMPTRAP start= DEMAND
<SYSTEM32>\sc.exe config ShellHWDetection start= AUTO
<SYSTEM32>\sc.exe config SensrSvc start= DEMAND
<SYSTEM32>\sc.exe config SDRSVC start= DEMAND
<SYSTEM32>\sc.exe config SCPolicySvc start= DEMAND
<SYSTEM32>\sc.exe config SENS start= AUTO
<SYSTEM32>\sc.exe config seclogon start= DEMAND
<SYSTEM32>\sc.exe config WwanSvc start= DEMAND
<SYSTEM32>\sc.exe config wudfsvc start= AUTO
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.bmp\ShellNew /f
<SYSTEM32>\powercfg.exe -h off
<SYSTEM32>\sc.exe config wuauserv start= DEMAND
<SYSTEM32>\sc.exe config WPCSvc start= DEMAND
<SYSTEM32>\sc.exe config WMPNetworkSvc start= DEMAND
<SYSTEM32>\sc.exe config WSearch start= DISABLED
<SYSTEM32>\sc.exe config WPDBusEnum start= AUTO
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.rtf\ShellNew /f
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.contact\ShellNew /f
<SYSTEM32>\ping.exe 127.0.0.1 -n 3
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.zip\CompressedFolder\ShellNew /f
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.jnt\jntfile\ShellNew /f
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.zip\ShellNew /f
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.rar\ShellNew /f
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.xdp\AcroExch.XDPDoc\ShellNew /f
<SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\Briefcase\ShellNew /f
<SYSTEM32>\sc.exe config wmiApSrv start= DEMAND
<SYSTEM32>\sc.exe config wcncsvc start= DEMAND
<SYSTEM32>\sc.exe config WbioSrvc start= DEMAND
<SYSTEM32>\sc.exe config WdiServiceHost start= DEMAND
<SYSTEM32>\sc.exe config WcsPlugInService start= DEMAND
<SYSTEM32>\sc.exe config wbengine start= DEMAND
<SYSTEM32>\sc.exe config vds start= DEMAND
<SYSTEM32>\sc.exe config VaultSvc start= DEMAND
<SYSTEM32>\sc.exe config W32Time start= DEMAND
<SYSTEM32>\sc.exe config VSS start= DEMAND
<SYSTEM32>\sc.exe config Winmgmt start= AUTO
<SYSTEM32>\sc.exe config WinHttpAutoProxySvc start= DEMAND
<SYSTEM32>\sc.exe config Wlansvc start= DEMAND
<SYSTEM32>\sc.exe config WinRM start= DEMAND
<SYSTEM32>\sc.exe config WerSvc start= DEMAND
<SYSTEM32>\sc.exe config WebClient start= DEMAND
<SYSTEM32>\sc.exe config WdiSystemHost start= DEMAND
<SYSTEM32>\sc.exe config wercplsupport start= DEMAND
<SYSTEM32>\sc.exe config Wecsvc start= DEMAND
<SYSTEM32>\sc.exe config EapHost start= DEMAND
<SYSTEM32>\sc.exe config DPS start= DEMAND
<SYSTEM32>\sc.exe config eventlog start= AUTO
<SYSTEM32>\sc.exe config EFS start= DEMAND
<SYSTEM32>\sc.exe config dot3svc start= DEMAND
<SYSTEM32>\sc.exe config defragsvc start= DEMAND
<SYSTEM32>\sc.exe config DcomLaunch start= AUTO
<SYSTEM32>\sc.exe config Dnscache start= AUTO
<SYSTEM32>\sc.exe config Dhcp start= AUTO
<SYSTEM32>\sc.exe config hidserv start= DEMAND
<SYSTEM32>\sc.exe config gpsvc start= AUTO
<SYSTEM32>\sc.exe config HomeGroupListener start= DEMAND
<SYSTEM32>\sc.exe config hkmsvc start= DEMAND
<SYSTEM32>\sc.exe config FontCache3.0.0.0 start= DEMAND
<SYSTEM32>\sc.exe config fdPHost start= DEMAND
<SYSTEM32>\sc.exe config EventSystem start= AUTO
<SYSTEM32>\sc.exe config FontCache start= AUTO
<SYSTEM32>\sc.exe config FDResPub start= DEMAND
<SYSTEM32>\sc.exe config CscService start= DEMAND
<SYSTEM32>\sc.exe config AudioEndpointBuilder start= AUTO
<SYSTEM32>\sc.exe config AppMgmt start= DEMAND
<SYSTEM32>\sc.exe config AxInstSV start= DEMAND
<SYSTEM32>\sc.exe config AudioSrv start= AUTO
<SYSTEM32>\sc.exe config Appinfo start= DEMAND
<SYSTEM32>\sc.exe config AeLookupSvc start= DEMAND
<SYSTEM32>\cmd.exe /c \Windows\System32\zh-CN\op.bat
<SYSTEM32>\sc.exe config AppIDSvc start= DEMAND
<SYSTEM32>\sc.exe config ALG start= DEMAND
<SYSTEM32>\sc.exe config clr_optimization_v2.0.50727_32 start= DISABLED
<SYSTEM32>\sc.exe config CertPropSvc start= DEMAND
<SYSTEM32>\sc.exe config CryptSvc start= AUTO
<SYSTEM32>\sc.exe config COMSysApp start= DEMAND
<SYSTEM32>\sc.exe config bthserv start= DEMAND
<SYSTEM32>\sc.exe config BFE start= AUTO
<SYSTEM32>\sc.exe config BDESVC start= DEMAND
<SYSTEM32>\sc.exe config Browser start= DEMAND
<SYSTEM32>\sc.exe config BITS start= DEMAND
<SYSTEM32>\sc.exe config PcaSvc start= AUTO
<SYSTEM32>\sc.exe config p2psvc start= DEMAND
<SYSTEM32>\sc.exe config pla start= DEMAND
<SYSTEM32>\sc.exe config PeerDistSvc start= DEMAND
<SYSTEM32>\sc.exe config p2pimsvc start= DEMAND
<SYSTEM32>\sc.exe config NetTcpPortSharing start= DISABLED
<SYSTEM32>\sc.exe config netprofm start= DEMAND
<SYSTEM32>\sc.exe config nsi start= AUTO
<SYSTEM32>\sc.exe config NlaSvc start= AUTO
<SYSTEM32>\sc.exe config ProtectedStorage start= DEMAND
<SYSTEM32>\sc.exe config ProfSvc start= AUTO
<SYSTEM32>\sc.exe config RasAuto start= DEMAND
<SYSTEM32>\sc.exe config QWAVE start= DEMAND
<SYSTEM32>\sc.exe config Power start= AUTO
<SYSTEM32>\sc.exe config PNRPAutoReg start= DEMAND
<SYSTEM32>\sc.exe config PlugPlay start= AUTO
<SYSTEM32>\sc.exe config PolicyAgent start= DEMAND
<SYSTEM32>\sc.exe config PNRPsvc start= DEMAND
<SYSTEM32>\sc.exe config Netman start= DEMAND
<SYSTEM32>\sc.exe config KtmRm start= DEMAND
<SYSTEM32>\sc.exe config KeyIso start= DEMAND
<SYSTEM32>\sc.exe config LanmanWorkstation start= AUTO
<SYSTEM32>\sc.exe config LanmanServer start= AUTO
<SYSTEM32>\sc.exe config iphlpsvc start= DEMAND
<SYSTEM32>\sc.exe config idsvc start= DEMAND
<SYSTEM32>\sc.exe config HomeGroupProvider start= DEMAND
<SYSTEM32>\sc.exe config IPBusEnum start= DEMAND
<SYSTEM32>\sc.exe config IKEEXT start= DEMAND
<SYSTEM32>\sc.exe config msiserver start= DEMAND
<SYSTEM32>\sc.exe config MSiSCSI start= DEMAND
<SYSTEM32>\sc.exe config Netlogon start= DEMAND
<SYSTEM32>\sc.exe config napagent start= DEMAND
<SYSTEM32>\sc.exe config MSDTC start= DEMAND
<SYSTEM32>\sc.exe config lmhosts start= AUTO
<SYSTEM32>\sc.exe config lltdsvc start= DEMAND
<SYSTEM32>\sc.exe config MpsSvc start= AUTO
<SYSTEM32>\sc.exe config MMCSS start= AUTO

Modifies settings of Windows Internet Explorer:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '160A' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1C00' = ''
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'CurrentLevel' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonBadCertRecving' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'

Forces autoplay for removable media.

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system :

Creates the following files:

C:\Users\Public\Desktop\МЪС¶QQ.lnk
C:\Users\Public\Desktop\СёАЧ7.lnk
C:\Users\Public\Desktop\їб№·ТфАЦ.lnk
C:\Users\Public\Desktop\·юОсУЕ»Ї.lnk
C:\Users\Public\Desktop\ј¤»о№¤ѕЯ.lnk
<SYSTEM32>\service.exe
<SYSTEM32>\zh-CN\op.bat
<SYSTEM32>\ОЮПЯНшВз.exe
C:\Users\Public\Desktop\Зэ¶Їѕ«Бй.lnk
%TEMP%\Optimization.exe
<SYSTEM32>\oemlogo.bmp
C:\Users\Public\Desktop\ОЮПЯНшВз.lnk
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Жф¶Ї Internet Explorer дЇААЖч.lnk
C:\Users\%USERNAME%\Favorites\ЧојСµјєЅ - BestURL.url
C:\Users\%USERNAME%\Favorites\їОјюФ°.url
%TEMP%\$inst\2.tmp
%TEMP%\$inst\7.tmp
%TEMP%\$inst\temp_0.tmp
C:\Users\Public\Desktop\Microsoft Word 2003.lnk
C:\Users\Public\Desktop\PPSУ°Тф.lnk
C:\Users\Public\Desktop\З§З§ѕІМэ.lnk
C:\Users\%USERNAME%\Favorites\ЅрєьµзДФ№¤ЧчКТ.url
C:\Users\Public\Desktop\Internet Explorer.lnk
C:\Users\Public\Desktop\Microsoft Excel 2003.lnk

Deletes the following files:

%TEMP%\$inst\7.tmp
%TEMP%\Optimization.exe
%TEMP%\$inst\temp_0.tmp
%TEMP%\$inst\2.tmp

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial