Trojan.PWS.Siggen3.25165

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\ALG] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\SNMPTRAP] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\RpcLocator] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\PerfHost] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\msiserver] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\ose64] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\MSDTC] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\idsvc] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\Fax] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\ehSched] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\Microsoft SharePoint Workspace Audit Service] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\ehRecvr] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\COMSysApp] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\clr_optimization_v4.0.30319_64] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\clr_optimization_v4.0.30319_32] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_64] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\aspnet_state] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\Steam Client Service] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\UI0Detect] 'Start' = '00000002'

Changes the following executable system files

<SYSTEM32>\alg.exe
<SYSTEM32>\locator.exe
%WINDIR%\syswow64\perfhost.exe
<SYSTEM32>\msiexec.exe
%WINDIR%\syswow64\msiexec.exe
<SYSTEM32>\msdtc.exe
%WINDIR%\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
<SYSTEM32>\fxssvc.exe
%WINDIR%\ehome\ehsched.exe
%WINDIR%\ehome\ehrecvr.exe
<SYSTEM32>\dllhost.exe
%WINDIR%\syswow64\dllhost.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\mscorsvw.exe
%WINDIR%\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
%WINDIR%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
%WINDIR%\syswow64\svchost.exe
<SYSTEM32>\snmptrap.exe
<SYSTEM32>\ui0detect.exe

Infects the following executable files

<SYSTEM32>\alg.exe
<SYSTEM32>\snmptrap.exe
<SYSTEM32>\locator.exe
%WINDIR%\syswow64\perfhost.exe
<SYSTEM32>\msiexec.exe
%WINDIR%\syswow64\msiexec.exe
%CommonProgramFiles%\microsoft shared\source engine\ose.exe
<SYSTEM32>\msdtc.exe
%WINDIR%\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
<SYSTEM32>\fxssvc.exe
%CommonProgramFiles(x86)%\steam\steamservice.exe
%WINDIR%\ehome\ehsched.exe
%WINDIR%\ehome\ehrecvr.exe
<SYSTEM32>\dllhost.exe
%WINDIR%\syswow64\dllhost.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\mscorsvw.exe
%WINDIR%\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
%WINDIR%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
%WINDIR%\syswow64\svchost.exe
%ProgramFiles%\microsoft office\office14\groove.exe
<SYSTEM32>\ui0detect.exe

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Security Center

blocks the following features:

Windows Action Center

Modifies file system

Creates the following files

%LOCALAPPDATA%\bofcanbd\cmd.exe
<SYSTEM32>\cgeekgqa.tmp
<SYSTEM32>\llmnfmik.tmp
%WINDIR%\syswow64\cfhmbolj.tmp
<SYSTEM32>\bknabmml.tmp
%WINDIR%\syswow64\njngqlgb.tmp
%CommonProgramFiles%\microsoft shared\source engine\comjfjop.tmp
<SYSTEM32>\alkfjmmo.tmp
%WINDIR%\microsoft.net\framework64\v3.0\windows communication foundation\kenfacma.tmp
<SYSTEM32>\pckeljad.tmp
%WINDIR%\ehome\mgblegmp.tmp
%CommonProgramFiles(x86)%\steam\qqnbiobf.tmp
%ProgramFiles%\microsoft office\office14\ohbafhai.tmp
<SYSTEM32>\mnijpjdh.tmp
%WINDIR%\syswow64\bjbjfcgn.tmp
%WINDIR%\microsoft.net\framework64\v4.0.30319\hldkaphp.tmp
%WINDIR%\microsoft.net\framework\v4.0.30319\ljapedgi.tmp
%WINDIR%\microsoft.net\framework64\v2.0.50727\pgmkclli.tmp
%WINDIR%\microsoft.net\framework\v2.0.50727\pafebbne.tmp
%WINDIR%\microsoft.net\framework64\v4.0.30319\cciodqdi.tmp
%WINDIR%\syswow64\bgjpjmnl.tmp
<SYSTEM32>\cofglmmf.tmp
%LOCALAPPDATA%\bofcanbd\hefohnga.tmp
%WINDIR%\ehome\cgbjiohf.tmp
<SYSTEM32>\bgibmicb.tmp

Deletes the following files

%LOCALAPPDATA%\bofcanbd\hefohnga.tmp
<SYSTEM32>\cgeekgqa.tmp
<SYSTEM32>\llmnfmik.tmp
%WINDIR%\syswow64\cfhmbolj.tmp
<SYSTEM32>\bknabmml.tmp
%WINDIR%\syswow64\njngqlgb.tmp
%CommonProgramFiles%\microsoft shared\source engine\comjfjop.tmp
<SYSTEM32>\alkfjmmo.tmp
%WINDIR%\microsoft.net\framework64\v3.0\windows communication foundation\kenfacma.tmp
<SYSTEM32>\pckeljad.tmp
%WINDIR%\ehome\mgblegmp.tmp
%ProgramFiles%\microsoft office\office14\ohbafhai.tmp
%WINDIR%\ehome\cgbjiohf.tmp
<SYSTEM32>\mnijpjdh.tmp
%WINDIR%\syswow64\bjbjfcgn.tmp
%WINDIR%\microsoft.net\framework64\v4.0.30319\hldkaphp.tmp
%WINDIR%\microsoft.net\framework\v4.0.30319\ljapedgi.tmp
%WINDIR%\microsoft.net\framework64\v2.0.50727\pgmkclli.tmp
%WINDIR%\microsoft.net\framework\v2.0.50727\pafebbne.tmp
%WINDIR%\microsoft.net\framework64\v4.0.30319\cciodqdi.tmp
%WINDIR%\syswow64\bgjpjmnl.tmp
<SYSTEM32>\cofglmmf.tmp
%CommonProgramFiles(x86)%\steam\qqnbiobf.tmp
<SYSTEM32>\bgibmicb.tmp

Network activity

Connects to

't.#e':443
'st####ommunity.com':443
'13#.#81.204.67':80

TCP

Other

't.#e':443
'st####ommunity.com':443

UDP

DNS ASK t.#e
DNS ASK st####ommunity.com

Miscellaneous

Executes the following

'<SYSTEM32>\alg.exe'
'%WINDIR%\microsoft.net\framework64\v4.0.30319\aspnet_state.exe'

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial