Trojan.DownLoader25.61023

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\msvyiran] 'ImagePath' = '%APPDATA%\1472503961\msvyiran.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\msvyiran] 'Start' = '00000002'

Malicious functions:

Creates and executes the following:

'%APPDATA%\1472503961\msvyiran.exe'
'%APPDATA%\1472503961\msvcssist.exe' BootDoThings
'%TEMP%\is-BGPQT.tmp\<File name>.tmp' /SL5="$30092,1000012,56832,<Full path to file>"
'%APPDATA%\1472503961\msvyiran.exe' -i

Executes the following:

'<SYSTEM32>\net.exe' start msvyiran
'<SYSTEM32>\net1.exe' start msvyiran
'<SYSTEM32>\sc.exe' delete msvyiran
'<SYSTEM32>\regsvr32.exe' /s "%APPDATA%\1472503961\DataView.dll"
'<SYSTEM32>\sc.exe' stop msvyiran

Modifies file system:

Creates the following files:

%APPDATA%\1472503961\resource\is-KODB9.tmp
%APPDATA%\1472503961\resource\is-VNA33.tmp
%APPDATA%\1472503961\resource\is-CQSJV.tmp
%APPDATA%\1472503961\resource\is-SQ4EV.tmp
%APPDATA%\1472503961\resource\is-CVB78.tmp
%APPDATA%\1472503961\resource\is-U299U.tmp
%APPDATA%\1472503961\resource\is-L9JDF.tmp
%APPDATA%\1472503961\resource\is-RNA1I.tmp
%APPDATA%\1472503961\resource\is-EHLLQ.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\zh_CN\is-QLC8F.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-B2LSN.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-7GTKO.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\en\is-7L4GL.tmp
%APPDATA%\1472503961\resource\is-7702H.tmp
%APPDATA%\1472503961\resource\is-KM9U1.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-86SK9.tmp
%APPDATA%\1472503961\resource\is-TUN59.tmp
%APPDATA%\1472503961\resource\is-S50MI.tmp
%APPDATA%\1472503961\resource\DirectUI\is-AE4AR.tmp
%APPDATA%\1472503961\xmlconfig\is-PCM0B.tmp
%APPDATA%\1472503961\resource\DirectUI\is-ERAQR.tmp
%APPDATA%\1472503961\resource\DirectUI\is-ODRSV.tmp
%APPDATA%\1472503961\is-G0LHO.tmp
%ALLUSERSPROFILE%\Desktop\јтФјИХАъ.lnk
%APPDATA%\1472503961\xmlconfig\is-8FRT4.tmp
%APPDATA%\1472503961\is-SD53C.tmp
%APPDATA%\1472503961\resource\DirectUI\is-AMCVM.tmp
%APPDATA%\1472503961\resource\is-M4US0.tmp
%APPDATA%\1472503961\resource\is-PIM80.tmp
%APPDATA%\1472503961\resource\is-HU2I1.tmp
%APPDATA%\1472503961\resource\is-8OK8L.tmp
%APPDATA%\1472503961\resource\is-MU0F4.tmp
%APPDATA%\1472503961\resource\is-VPOEG.tmp
%APPDATA%\1472503961\resource\is-EQUS5.tmp
%APPDATA%\1472503961\resource\is-TMKQ9.tmp
%APPDATA%\1472503961\is-KB9NU.tmp
%APPDATA%\1472503961\extensions\is-25D6K.tmp
%APPDATA%\1472503961\is-S361V.tmp
%APPDATA%\1472503961\is-PKU38.tmp
%APPDATA%\1472503961\extensions\is-8VKO4.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-JCGUG.tmp
%APPDATA%\1472503961\extensions\is-LAKK9.tmp
%APPDATA%\1472503961\extensions\is-PUGDS.tmp
%APPDATA%\1472503961\is-U583I.tmp
%TEMP%\is-9H8QN.tmp\ISTask.dll
%APPDATA%\1472503961\is-V4ON4.tmp
%TEMP%\is-BGPQT.tmp\<File name>.tmp
%TEMP%\is-9H8QN.tmp\_isetup\_shfoldr.dll
%APPDATA%\1472503961\is-80SUI.tmp
%APPDATA%\1472503961\is-VF35H.tmp
%APPDATA%\1472503961\is-1B04I.tmp
%APPDATA%\1472503961\is-97RK1.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-HC6UO.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-0J5GG.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-IQ7MV.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-UJR8O.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-KOQML.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-L6RH1.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-KTLOK.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-6RNHG.tmp
%APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-AS6PC.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-07DH0.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-T0BG0.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-H1DP4.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-6FA17.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-LVAJQ.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\en\is-RKHJP.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\zh_CN\is-ST8V4.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-7MMK1.tmp
%APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-K5TSP.tmp

Deletes the following files:

%APPDATA%\1472503961\DataView.dll

Moves the following files:

from %APPDATA%\1472503961\resource\is-SQ4EV.tmp to %APPDATA%\1472503961\resource\btn_alpha.png
from %APPDATA%\1472503961\resource\is-KODB9.tmp to %APPDATA%\1472503961\resource\btn_cancel.png
from %APPDATA%\1472503961\resource\is-EHLLQ.tmp to %APPDATA%\1472503961\resource\browser.png
from %APPDATA%\1472503961\resource\is-CQSJV.tmp to %APPDATA%\1472503961\resource\btnBK.png
from %APPDATA%\1472503961\resource\is-RNA1I.tmp to %APPDATA%\1472503961\resource\btn_ok.png
from %APPDATA%\1472503961\resource\is-CVB78.tmp to %APPDATA%\1472503961\resource\btn_today.png
from %APPDATA%\1472503961\resource\is-VNA33.tmp to %APPDATA%\1472503961\resource\btn_close.png
from %APPDATA%\1472503961\resource\is-L9JDF.tmp to %APPDATA%\1472503961\resource\btn_min.png
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\zh_CN\is-QLC8F.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\zh_CN\messages.json
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-B2LSN.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\computed_hashes.json
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-7GTKO.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\icon.gif
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\en\is-7L4GL.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\en\messages.json
from %APPDATA%\1472503961\resource\is-7702H.tmp to %APPDATA%\1472503961\resource\arrow_right.png
from %APPDATA%\1472503961\resource\is-KM9U1.tmp to %APPDATA%\1472503961\resource\box_check.png
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-86SK9.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\verified_contents.json
from %APPDATA%\1472503961\resource\is-TUN59.tmp to %APPDATA%\1472503961\resource\arrow_left.png
from %APPDATA%\1472503961\resource\DirectUI\is-AMCVM.tmp to %APPDATA%\1472503961\resource\DirectUI\scrollArrowDown.bmp
from %APPDATA%\1472503961\resource\DirectUI\is-ERAQR.tmp to %APPDATA%\1472503961\resource\DirectUI\scrollArrowUp.bmp
from %APPDATA%\1472503961\resource\is-MU0F4.tmp to %APPDATA%\1472503961\resource\return.png
from %APPDATA%\1472503961\resource\is-VPOEG.tmp to %APPDATA%\1472503961\resource\wtl.exe.manifest
from %APPDATA%\1472503961\xmlconfig\is-PCM0B.tmp to %APPDATA%\1472503961\xmlconfig\install.xml
from %APPDATA%\1472503961\xmlconfig\is-8FRT4.tmp to %APPDATA%\1472503961\xmlconfig\riliclient.xml
from %APPDATA%\1472503961\resource\DirectUI\is-ODRSV.tmp to %APPDATA%\1472503961\resource\DirectUI\scrollBar.bmp
from %APPDATA%\1472503961\resource\DirectUI\is-AE4AR.tmp to %APPDATA%\1472503961\resource\DirectUI\srollBk.bmp
from %APPDATA%\1472503961\resource\is-HU2I1.tmp to %APPDATA%\1472503961\resource\License.txt
from %APPDATA%\1472503961\resource\is-8OK8L.tmp to %APPDATA%\1472503961\resource\logo.png
from %APPDATA%\1472503961\resource\is-U299U.tmp to %APPDATA%\1472503961\resource\Calendar.ico
from %APPDATA%\1472503961\resource\is-S50MI.tmp to %APPDATA%\1472503961\resource\comboxBk.png
from %APPDATA%\1472503961\resource\is-EQUS5.tmp to %APPDATA%\1472503961\resource\now_start.png
from %APPDATA%\1472503961\resource\is-TMKQ9.tmp to %APPDATA%\1472503961\resource\radio.png
from %APPDATA%\1472503961\resource\is-M4US0.tmp to %APPDATA%\1472503961\resource\mainBk.png
from %APPDATA%\1472503961\resource\is-PIM80.tmp to %APPDATA%\1472503961\resource\menuButton.png
from %APPDATA%\1472503961\extensions\is-LAKK9.tmp to %APPDATA%\1472503961\extensions\jySougou.sext
from %APPDATA%\1472503961\extensions\is-PUGDS.tmp to %APPDATA%\1472503961\extensions\sec_setting.json
from %APPDATA%\1472503961\is-KB9NU.tmp to %APPDATA%\1472503961\msvyiran.exe
from %APPDATA%\1472503961\extensions\is-25D6K.tmp to %APPDATA%\1472503961\extensions\jychromeex.crx
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-HC6UO.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\background.js
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-6FA17.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\calmath.js
from %APPDATA%\1472503961\extensions\is-8VKO4.tmp to %APPDATA%\1472503961\extensions\setting.json
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-JCGUG.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\background.html
from %APPDATA%\1472503961\is-97RK1.tmp to %APPDATA%\1472503961\DataView64.dll
from %APPDATA%\1472503961\is-80SUI.tmp to %APPDATA%\1472503961\fixfunction.dll
from %APPDATA%\1472503961\is-V4ON4.tmp to %APPDATA%\1472503961\config.ini
from %APPDATA%\1472503961\is-1B04I.tmp to %APPDATA%\1472503961\DataView.dll
from %APPDATA%\1472503961\is-S361V.tmp to %APPDATA%\1472503961\kan.exe
from %APPDATA%\1472503961\is-PKU38.tmp to %APPDATA%\1472503961\msvcssist.exe
from %APPDATA%\1472503961\is-VF35H.tmp to %APPDATA%\1472503961\istask.dll
from %APPDATA%\1472503961\is-U583I.tmp to %APPDATA%\1472503961\jywebHelper.dll
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-0J5GG.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\background.js
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-IQ7MV.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\calmath.js
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-UJR8O.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\verified_contents.json
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-KOQML.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\background.html
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-L6RH1.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\popup.html
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-KTLOK.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\crx.png
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-6RNHG.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\contentscript.js
from %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-AS6PC.tmp to %APPDATA%\1472503961\extensions\int2\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\manifest.json
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-H1DP4.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\popup.html
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-7MMK1.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\crx.png
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-LVAJQ.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\contentscript.js
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\is-T0BG0.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\manifest.json
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\zh_CN\is-ST8V4.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\zh_CN\messages.json
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\is-07DH0.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_metadata\computed_hashes.json
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\is-K5TSP.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\res\icon.gif
from %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\en\is-RKHJP.tmp to %APPDATA%\1472503961\extensions\chrome\faihpblmbndeljifkdhmkegbololnfmb\4.0.2_0\_locales\en\messages.json

Substitutes the following files:

%APPDATA%\1472503961\DataView.dll

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial