Trojan.StartPage.48668

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Classes\regedit\shell\open\command] '' = 'regedit.exe %1'
[<HKLM>\SOFTWARE\Classes\comfile\shell\open\command] '' = '"%1" %*'
[<HKLM>\SOFTWARE\Microsoft\Command Processor] 'AutoRun' = ''
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '"%1" %*'
[<HKLM>\SOFTWARE\Classes\batfile\shell\open\command] '' = '"%1" %*'
[<HKLM>\SOFTWARE\Classes\crexefile\shell\open\command] '' = '"%1" %*'
[<HKLM>\SOFTWARE\Classes\cmdfile\shell\open\command] '' = '"%1" %*'
[<HKLM>\SOFTWARE\Classes\regfile\shell\open\command] '' = 'regedit.exe "%1"'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\winmgmt] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\wuauserv] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files

blocks the following features:

System Restore (SR)

Creates and executes the following:

C:\ComboFix\swreg.cfexe save "hklm\software\microsoft\windows\currentversion\internet settings\activex cache" temp00.hiv
C:\ComboFix\dumphive.cfexe temp00.hiv runs.cf
C:\ComboFix\swreg.cfexe save "hklm\software\microsoft\schedulingagent" temp00.hiv
C:\ComboFix\sed.cfexe "/Tasksfolder/I!d;s/\x22$//;s/.*\x22//;s/\\\\/\\/g" runs.cf
C:\ComboFix\dumphive.cfexe -e temp00.hiv runs.cf
C:\ComboFix\swreg.cfexe save "hku\.default\software\microsoft\windows\currentversion\explorer\shell folders" temp00.hiv
C:\ComboFix\regt.cfexe /s creg.cf
C:\ComboFix\sed.cfexe "/:\\/!d;s/.*\t//;"
C:\ComboFix\nircmd.cfexe service manual wmi
C:\ComboFix\sed.cfexe "s/.*$/@&/;"
C:\ComboFix\setpath.cfexe
C:\ComboFix\sed.cfexe -n "s/.*> *//;s/ .*//p;"
C:\ComboFix\nircmd.cfexe service start winmgmt
C:\ComboFix\nircmd.cfexe sysrefresh intl
C:\ComboFix\swreg.cfexe query hklm\software\swearware
C:\ComboFix\nircmd.cfexe wait 1500
C:\ComboFix\swsc.cfexe query srservice
C:\ComboFix\regt.cfexe /s region.cf
C:\ComboFix\nircmd.cfexe killprocess regt.cfexe
C:\ComboFix\vfind.cfexe -mrtd *
C:\ComboFix\swreg.cfexe query "hkcu\control panel\international_combofixbackup"
C:\ComboFix\swreg.cfexe copy "hku\.default\control panel\international" "hku\.default\control panel\international_combofixbackup" /s
C:\ComboFix\swreg.cfexe copy "hkcu\control panel\international" "hkcu\control panel\international_combofixbackup" /s
C:\ComboFix\swreg.cfexe query hkcr\clsid\{9f143c3a-1457-6cca-03a7-7aa23b61e40f}\inprocserver32 /ve
C:\ComboFix\nircmd.cfexe killprocess fubcwj.exe
C:\ComboFix\nircmd.cfexe killprocess conime.exe
C:\ComboFix\nircmd.cfexe killprocess severe.exe
C:\ComboFix\nircmd.cfexe killprocess rundl132.exe
C:\ComboFix\nircmd.cfexe killprocess logo1_.exe
C:\ComboFix\nircmd.cfexe killprocess bryato.exe
C:\ComboFix\nircmd.exe win close ititle "ComboFix"
C:\ComboFix\nircmd.exe regdelval "hkcu\software\policies\microsoft\windows\system" "disablecmd"
C:\ComboFix\swreg.exe query hklm\system\currentcontrolset\enum\root\system
C:\ComboFix\nircmd.cfexe killprocess thguard.exe
C:\ComboFix\swreg.exe import cfexe.cf
C:\ComboFix\nircmd.cfexe killprocess OSO.EXE
C:\ComboFix\sed.cfexe "$d;s/.*/%systemroot%\\system32;%systemroot%;%systemroot%\\system32\\wbem;&/;"
C:\ComboFix\sed.cfexe -e :a -e "N;s/\n/;/g;ta;"
C:\ComboFix\swreg.cfexe query "hklm\system\currentcontrolset\control\session manager\environment" /v comspec
C:\ComboFix\swreg.cfexe delete "hkcu\software\microsoft\windows\currentversion\policies\system" /v "disableregistrytools"
C:\ComboFix\sed.cfexe "/\treg_expand_sz/I!d;s/.*\t//"
C:\ComboFix\sed.cfexe "/.*\t/!d;s///;s/;/\n/g"
C:\ComboFix\nircmd.cfexe killprocess vfind.cfexe
C:\ComboFix\nircmd.cfexe killprocess verclsid.dat
C:\ComboFix\nircmd.cfexe killprocess find.cfexe
C:\ComboFix\swreg.cfexe query "hklm\system\currentcontrolset\control\session manager\environment" /v path
C:\ComboFix\nircmd.cfexe killprocess findstr.cfexe

Executes the following:

<SYSTEM32>\findstr.exe . 3rr
<SYSTEM32>\findstr.exe /i CFScript
<SYSTEM32>\find.exe "%USERNAME%"
<SYSTEM32>\find.exe "\"
<SYSTEM32>\findstr.exe /i ":\\"
<SYSTEM32>\regsvr32.exe /s <SYSTEM32>\vbscript.dll
<SYSTEM32>\chcp.com 437
<SYSTEM32>\find.exe /i "combofix"
<SYSTEM32>\findstr.exe /i state.*RUNNING
<SYSTEM32>\findstr.exe /v /x /i "%systemroot% %systemroot%\system32 %systemroot%\system32\wbem %WINDIR% <SYSTEM32> <SYSTEM32>\wbem"
<SYSTEM32>\findstr.exe /i /l /x %systemroot%\system32\cmd.exe
<SYSTEM32>\find.exe "Windows XP"
<SYSTEM32>\find.exe "Version 6.0.6000"
<SYSTEM32>\findstr.exe /m /i /f:/ update_load
<SYSTEM32>\find.exe "FAT"
<SYSTEM32>\find.exe "\\"
<SYSTEM32>\chcp.com
<SYSTEM32>\chkdsk.exe /l

Forces autoplay for removable media.

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system :

Creates the following files:

C:\ComboFix\vfind.cfexe
C:\ComboFix\zip.cfexe
C:\ComboFix\ERDNT.e_e
C:\ComboFix\SF.cfexe
C:\ComboFix\swsc.cfexe
C:\ComboFix\swxcacls.cfexe
C:\ComboFix\ERDNTDOS.LOC
C:\ComboFix\FProps.vbs
C:\ComboFix\lnkread.vbs
C:\ComboFix\LocalDrive.vbs
C:\ComboFix\ERDNTWIN.LOC
C:\ComboFix\ERUNT.LOC
C:\ComboFix\findcombo.vbs
C:\ComboFix\dd.cfexe
C:\ComboFix\dumphive.cfexe
C:\ComboFix\ERUNT.cfexe
C:\ComboFix\winlogondef.cf
C:\ComboFix\zhsvc.cf
C:\ComboFix\catchme.cfexe
C:\ComboFix\handle.cfexe
C:\ComboFix\RestartIt.cfexe
C:\ComboFix\sed.cfexe
C:\ComboFix\setpath.cfexe
C:\ComboFix\moveex.cfexe
C:\ComboFix\mtee.cfexe
C:\ComboFix\Ntrights.cfexe
C:\ComboFix\OSid.vbs
C:\ComboFix\dnd.cf
C:\ComboFix\dll_whitelist.cf
C:\ComboFix\whitedir.cf
C:\ComboFix\temp00.hiv
C:\ComboFix\runs.cf
C:\ComboFix\appdatafolders.cf
C:\ComboFix\miscfile.cf
C:\ComboFix\borlander_file.cf
C:\ComboFix\borlander_folder.cf
C:\ComboFix\vundonames.cf
C:\ComboFix\attr.cf
C:\ComboFix\Cfiles.cf
C:\ComboFix\Cfolders.cf
C:\ComboFix\swreg.cfexe
C:\ComboFix\nircmd.cfexe
<SYSTEM32>\swxcacls.exe
C:\ComboFix\restore_pt.vbs
C:\ComboFix\SvcDrv.vbs
C:\ComboFix\errdbg.cf
<SYSTEM32>\swsc.exe
%WINDIR%\nircmd.exe
C:\ComboFix\regt.cfexe
C:\ComboFix\setpath.bat
<SYSTEM32>\vfind.exe
<SYSTEM32>\swreg.exe
%WINDIR%\catchme.exe
C:\ComboFix\nircmd.exe
C:\ComboFix\ntp.exe
C:\ComboFix\NTPBack.exe
C:\ComboFix\Qoo.bat
C:\ComboFix\Sys.bat
C:\ComboFix\upload.bat
C:\ComboFix\swreg.exe
C:\ComboFix\cfexe.cf
C:\ComboFix\clsid.cf
C:\ComboFix\Creg.cf
C:\ComboFix\ComboFix.sys
C:\ComboFix\023.cf
C:\ComboFix\023v.cf
C:\ComboFix\Combobatch.bat
C:\ComboFix\ComboFix.bat
C:\ComboFix\DelClsid.bat
C:\ComboFix\Boot.bat
C:\ComboFix\CF_anti-viking.bat
C:\ComboFix\CFCleanUp.bat
C:\ComboFix\FIND3M.bat
C:\ComboFix\Look2Me.bat
C:\ComboFix\MoveIt.bat
C:\ComboFix\NTP.bat
C:\ComboFix\FIXLSP.bat
C:\ComboFix\history.bat
C:\ComboFix\List-C.bat
C:\ComboFix\erunt.cf
C:\ComboFix\safeboot.cf
C:\ComboFix\safeboot.def.cf
C:\ComboFix\safeboot.def.vista.cf
C:\ComboFix\Policies.cf
C:\ComboFix\region.cf
C:\ComboFix\rogues.cf
C:\ComboFix\svc_wht.cf
C:\ComboFix\v_combofix.cf
C:\ComboFix\whitedirB.cf
C:\ComboFix\WhiteLegacy.cf
C:\ComboFix\svchost.cf
C:\ComboFix\svchost.vista.cf
C:\ComboFix\system_ini.cf
C:\ComboFix\LocalServiceNetworkRestricted.cf
C:\ComboFix\LocalSystemNetworkRestricted.cf
C:\ComboFix\Look.cf
C:\ComboFix\executables.cf
C:\ComboFix\L2M_combofix.cf
C:\ComboFix\LocalService.cf
C:\ComboFix\ndis_combofix.cf
C:\ComboFix\netsvc.xp.cf
C:\ComboFix\NetworkService.cf
C:\ComboFix\notifykeys.cf
C:\ComboFix\netsvc.bad.cf
C:\ComboFix\netsvc.cf
C:\ComboFix\netsvc.vista.cf

Deletes the following files:

C:\ComboFix\CF_anti-viking.bat
C:\ComboFix\temp00.hiv
C:\ComboFix\runs.cf
C:\ComboFix\netsvc.vista.cf
C:\ComboFix\svchost.vista.cf
C:\ComboFix\cfexe.cf

Moves the following files:

from C:\ComboFix\netsvc.xp.cf to C:\ComboFix\netsvc.cf

Miscellaneous:

Searches for the following windows:

ClassName: 'RegEdit_RegEdit' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'EDIT' WindowName: ''

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial