Trojan.Win32.VICERCON.G

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Eigenkopien in das betroffene System ein:

• %System%\{String Name}.exe - where String Name can be any of the following:
  • about
  • account
  • activities
  • administration
  • advertised
  • along
  • always
  • areas
  • around
  • attend
  • because
  • become
  • besides
  • both
  • capacity
  • ceremony
  • change
  • cloud
  • collecting
  • command
  • compromised
  • computer
  • constructive
  • consultants
  • cooperation
  • coverage
  • crime
  • crowded
  • cultural
  • culture
  • development
  • digital
  • disable
  • disaster
  • Dongpo
  • during
  • energy
  • ensure
  • escalated
  • even
  • Even
  • event
  • Falcon
  • featuring
  • festivals
  • figure
  • financial
  • firewalls
  • First
  • first
  • former
  • forum
  • found
  • from
  • gotten
  • governments
  • historical
  • hotbed
  • imagine
  • improve
  • inadequate
  • information
  • innovation
  • installed
  • international
  • learn
  • legendary
  • line
  • machine
  • management
  • manager
  • may
  • Meanwhile
  • memorial
  • more
  • needtemporarily
  • neglect
  • notice
  • obvious
  • often
  • opening
  • past
  • people
  • performances
  • poverty
  • pretty
  • prevention
  • product
  • products
  • programs
  • proper
  • provided
  • quality
  • quickly
  • realize
  • recently
  • recorded
  • related
  • residence
  • response
  • result
  • routes
  • running
  • sanitation
  • scenario
  • scientific
  • Sensor
  • sensor
  • services
  • silently
  • sites
  • skeptical
  • Slums
  • slums
  • special
  • strengthening
  • such
  • suffer
  • suggestions
  • sure
  • sustainable
  • technological
  • temple
  • there
  • those
  • thought
  • through
  • tintr
  • tools
  • tourist
  • transformation
  • turn
  • turned
  • turning
  • uninstall
  • unwilling
  • visit
  • watch
  • when
  • which
  • your
  • yourself

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Schleust die folgenden Dateien ein:

• %System%\wostmp\{random numbers} → copy of original malware
• %System%\LogFiles\normaliz.dll
• %System%\LogFiles\micsoboeh.exe → detected as Coinminer.Win32.MALXMR.TIAOODFG
• %System%\LogFiles\rubescuritys.exe → detected as Coinminer.Win32.MALXMR.TDQ
• %Windows%\Swil\prologs
• %Windows%\Fonts\clientdb\ds\{Hash} → detected as TROJ_GEN.R002C0PKB20
• %Windows%\Fonts\clientdb\gt\{Hash} → detected as TROJ_GEN.R002C0PKB20
• %Windows%\Fonts\clientdb\ds\{Hash} → detected as Coinminer.Win32.MALXMR.TIAOODFG
• %Windows%\Fonts\clientdb\gt\{Hash} → detected as Coinminer.Win32.MALXMR.TIAOODFG
• %Windows%\Fonts\clientdb\ds\{Hash} → detected as Coinminer.Win64.MALXMR.FAILA (When ran in 64bit environment)
• %Windows%\Fonts\clientdb\gt\{Hash} → detected as Coinminer.Win64.MALXMR.FAILA (When ran in 64bit environment)

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Fügt die folgenden Prozesse hinzu:

• %System%\{String Name}.exe {Service Name}
• %System%\LogFiles\micsoboeh.exe allbit32 wxp|w2003 mwrite:0 ewrite:0 twrite:0 size:0 newrun:1 flag:2 c:3 stopwork:nope "{Malware Defined Strings}"
• %System%\LogFiles\micsoboeh.exe all_i_bit32 wxp|w2003 mwrite:0 ewrite:0 twrite:0 size:0 newrun:1 flag:2 c:3 stopwork:nope "{Malware Defined Strings}"
• %System%\LogFiles\rubescuritys.exe -a yespowersugar -o stratum+tcp://146.59.217.34:7042 -u sugar1qtcx5933wwh769lvxu5k05w63eszq6epgf075lz -p x -t 1
• %System%\LogFiles\micsoboeh.exe tworun wxp|w2003 mwrite:0 ewrite:0 twrite:0 size:0 newrun:1 flag:2 c:3 stopwork:nope "{Malware Defined Strings}"

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Erstellt die folgenden Ordner:

• %System%\wostmp\
• %Windows%\Fonts\clientdb\
• %Windows%\Fonts\clientdb\ds
• %Windows%\Fonts\clientdb\gt
• %Windows%\Swil

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Andere Systemänderungen

Fügt die folgenden Registrierungseinträge hinzu:

HKEY_CLASSES_ROOT\SHTinfo
comment = {Hex Values}

HKEY_CURRENT_ROOT\SHTinfo
intranet = {Hex Values}

HKEY_CURRENT_ROOT\SHTinfo
notice = {Hex Values}

HKEY_CURRENT_ROOT\SHTinfo
peer = {Hex Values}

HKEY_CURRENT_ROOT\SHTinfo
staticpeer = {Malware Defined Values}

HKEY_CURRENT_ROOT\SHTinfo
tunnel = {Malware Defined Values}

HKEY_CURRENT_ROOT\SHTinfo
sha1 = {Malware Defined Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
comment = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
intranet = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
notice = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
peer = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
staticpeer = {Malware Defined Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
tunnel = {Malware Defined Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
sha1 = {Malware Defined Values}

Adware-Routine

Fügt die folgenden Dienste hinzu und führt sie aus:

• Service Name: {Random Characters} → to execute copy as a service.
  Launch String: %System%\{String Name}.exe {Service Name}

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Datendiebstahl

Folgende Daten werden gesammelt:

• Computer Name
• Username
• CPU Information
• Local Time

Andere Details

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_CLASSES_ROOT\SHTinfo

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo

Es macht Folgendes:

• It uses the following uncommon ports:
  • 27930
  • 55273
• It sends UDP packets to any of the following IP addresses within the network range:
  • {BLOCKED}.{BLOCKED}.248.1 up to {BLOCKED}.{BLOCKED}.248.255
  • {BLOCKED}.{BLOCKED}.39.1 up to {BLOCKED}.{BLOCKED}.39.255
  • {BLOCKED}.{BLOCKED}.246.1 up to {BLOCKED}.{BLOCKED}.246.255
  • {BLOCKED}.{BLOCKED}.4.1 up to (BLOCKED}.{BLOCKED}.4.255
  • {BLOCKED}.{BLOCKED}.37.1 up to {BLOCKED}.{BLOCKED}.37.255
  • {BLOCKED}.{BLOCKED}.202.1 up to {BLOCKED}.{BLOCKED}.202.255
  • {BLOCKED}.{BLOCKED}.93.1 up to {BLOCKED}.{BLOCKED}.93.255
  • {BLOCKED}.{BLOCKED}.186.1 up to {BLOCKED}.{BLOCKED}.{BLOCKED}.255
  • {BLOCKED}.{BLOCKED}.81.1 up to {BLOCKED}.{BLOCKED}.81.255
  • {BLOCKED}.{BLOCKED}.21.1 up to {BLOCKED}.{BLOCKED}.21.255
  • {BLOCKED}.{BLOCKED}.39.1 up to {BLOCKED}.{BLOCKED}.39.255
  • {BLOCKED}.{BLOCKED}.73.1 up to {BLOCKED}.{BLOCKED}.73.255
  • {BLOCKED}.{BLOCKED}.109.1 up to {BLOCKED}.{BLOCKED}.109.255
  • {BLOCKED}.{BLOCKED}.30.1 up to {BLOCKED}.{BLOCKED}.30.255
  • {BLOCKED}.{BLOCKED}.201.1 up to {BLOCKED}.{BLOCKED}.201.255
  • {BLOCKED}.{BLOCKED}.6.1 up to {BLOCKED}.{BLOCKED}.6.255
  • {BLOCKED}.{BLOCKED}.27.1 up to {BLOCKED}.{BLOCKED}.27.255
  • {BLOCKED}.{BLOCKED}.198.1 up to {BLOCKED}.{BLOCKED}.198.255
  • {BLOCKED}.{BLOCKED}.137.1 up to {BLOCKED}.{BLOCKED}.137.255
  • {BLOCKED}.{BLOCKED}.139.1 up to {BLOCKED}.{BLOCKED}.139.255
  • {BLOCKED}.{BLOCKED}.184.1 up to {BLOCKED}.{BLOCKED}.184.255
  • {BLOCKED}.{BLOCKED}.203.1 up to {BLOCKED}.{BLOCKED}.203.255
  • {BLOCKED}.{BLOCKED}.17.1 up to {BLOCKED}.{BLOCKED}.17.255
  • {BLOCKED}.{BLOCKED}.128.1 up to {BLOCKED}.{BLOCKED}.128.255
  • {BLOCKED}.{BLOCKED}.100.1 up to {BLOCKED}.{BLOCKED}.100.255
  • {BLOCKED}.{BLOCKED}.231.1 up to {BLOCKED}.{BLOCKED}.231.255
  • {BLOCKED}.{BLOCKED}.51.1 up to {BLOCKED}.{BLOCKED}.51.255
  • {BLOCKED}.{BLOCKED}.15.1 up to {BLOCKED}.{BLOCKED}.15.255
  • {BLOCKED}.{BLOCKED}.166.1 up to {BLOCKED}.{BLOCKED}.166.255
  • {BLOCKED}.{BLOCKED}.1.1 up to {BLOCKED}.{BLOCKED}.1.255
  • {BLOCKED}.{BLOCKED}.145.1 up to {BLOCKED}.{BLOCKED}.145.255
  • {BLOCKED}.{BLOCKED}.33.1 up to {BLOCKED}.{BLOCKED}.33.255
  • {BLOCKED}.{BLOCKED}.83.1 up to {BLOCKED}.{BLOCKED}.83.255
  • {BLOCKED}.{BLOCKED}.123.1 up to {BLOCKED}.{BLOCKED}.123.255
  • {BLOCKED}.{BLOCKED}.58.1 up to {BLOCKED}.{BLOCKED}.58.255
  • {BLOCKED}.{BLOCKED}.6.1 up to {BLOCKED}.{BLOCKED}.6.255
  • {BLOCKED}.{BLOCKED}.213.1 up to {BLOCKED}.{BLOCKED}.213.255
  • {BLOCKED}.{BLOCKED}.33.1 up to {BLOCKED}.{BLOCKED}.33.255
  • {BLOCKED}.{BLOCKED}.168.1 up to {BLOCKED}.{BLOCKED}.168.255
  • {BLOCKED}.{BLOCKED}.189.1 up to {BLOCKED}.{BLOCKED}.189.255
  • {BLOCKED}.{BLOCKED}.189.1 up to {BLOCKED}.{BLOCKED}.189.255
  • {BLOCKED}.{BLOCKED}.125.1 up to {BLOCKED}.{BLOCKED}.125.255
  • {BLOCKED}.{BLOCKED}.121.1 up to {BLOCKED}.{BLOCKED}.121.255
  • {BLOCKED}.{BLOCKED}.131.1 up to {BLOCKED}.{BLOCKED}.131.255
  • {BLOCKED}.{BLOCKED}.194.1 up to {BLOCKED}.{BLOCKED}.194.255
  • {BLOCKED}.{BLOCKED}.93.1 up to {BLOCKED}.{BLOCKED}.93.255
  • {BLOCKED}.{BLOCKED}.112.1 up to {BLOCKED}.{BLOCKED}.112.255
  • {BLOCKED}.{BLOCKED}.218.1 up to {BLOCKED}.{BLOCKED}.218.255
  • {BLOCKED}.{BLOCKED}.152.1 up to {BLOCKED}.{BLOCKED}.152.255
  • {BLOCKED}.{BLOCKED}.128.1 up to {BLOCKED}.{BLOCKED}.128.255
  • {BLOCKED}.{BLOCKED}.235.1 up to {BLOCKED}.{BLOCKED}.235.255
  • {BLOCKED}.{BLOCKED}.12.1 up to {BLOCKED}.{BLOCKED}.12.255
  • {BLOCKED}.{BLOCKED}.0.1 up to {BLOCKED}.{BLOCKED}.0.255
  • {BLOCKED}.{BLOCKED}.31.1 up to {BLOCKED}.{BLOCKED}.31.255
  • {BLOCKED}.{BLOCKED}.56.1 up to {BLOCKED}.{BLOCKED}.56.255
  • {BLOCKED}.{BLOCKED}.127.1 up to {BLOCKED}.{BLOCKED}.127.255
  • {BLOCKED}.{BLOCKED}.34.1 up to {BLOCKED}.{BLOCKED}.34.255
  • {BLOCKED}.{BLOCKED}.16.1 up to {BLOCKED}.{BLOCKED}.16.255
  • {BLOCKED}.{BLOCKED}.168.1 up to {BLOCKED}.{BLOCKED}.168.255
  • {BLOCKED}.{BLOCKED}.80.0 up to {BLOCKED}.{BLOCKED}.97.255
  • {BLOCKED}.{BLOCKED}.5.0 up to {BLOCKED}.{BLOCKED}.15.255
  • {BLOCKED}.{BLOCKED}.190.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.25.0 up to {BLOCKED}.{BLOCKED}.50.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.25.255
  • {BLOCKED}.{BLOCKED}.210.0 up to {BLOCKED}.{BLOCKED}.250.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.26.255
  • {BLOCKED}.{BLOCKED}.252.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.60.0 up to {BLOCKED}.{BLOCKED}.90.255
  • {BLOCKED}.{BLOCKED}.90.0 up to {BLOCKED}.{BLOCKED}.115.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.120.255
  • {BLOCKED}.{BLOCKED}.60.0 up to {BLOCKED}.{BLOCKED}.85.255
  • {BLOCKED}.{BLOCKED}.50.0 up to {BLOCKED}.{BLOCKED}.60.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.150.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.40.0 up to {BLOCKED}.{BLOCKED}.65.255
  • {BLOCKED}.{BLOCKED}.185.0 up to {BLOCKED}.{BLOCKED}.210.255
  • {BLOCKED}.{BLOCKED}.100.0 up to {BLOCKED}.{BLOCKED}.110.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.200.0 up to {BLOCKED}.{BLOCKED}.225.255
  • {BLOCKED}.{BLOCKED}.90.0 up to {BLOCKED}.{BLOCKED}.115.255
  • {BLOCKED}.{BLOCKED}.185.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {BLOCKED}.{BLOCKED}.5.0 up to {BLOCKED}.{BLOCKED}.15.255
  • {BLOCKED}.{BLOCKED}.120.0 up to {BLOCKED}.{BLOCKED}.150.255
  • {BLOCKED}.{BLOCKED}.211.0 up to {BLOCKED}.{BLOCKED}.240.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.100.255
  • {BLOCKED}.{BLOCKED}.35.0 up to {BLOCKED}.{BLOCKED}.75.255
  • {BLOCKED}.{BLOCKED}.50.0 up to {BLOCKED}.{BLOCKED}.60.255
  • {BLOCKED}.{BLOCKED}.70.0 up to {BLOCKED}.{BLOCKED}.85.255
  • {BLOCKED}.{BLOCKED}.20.0 up to {BLOCKED}.{BLOCKED}.38.255
  • {BLOCKED}.{BLOCKED}.180.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.90.0 up to {BLOCKED}.{BLOCKED}.110.255
  • {BLOCKED}.{BLOCKED}.145.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.220.0 up to {BLOCKED}.{BLOCKED}.220.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.40.0 up to {BLOCKED}.{BLOCKED}.60.255
  • {BLOCKED}.{BLOCKED}.185.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.20.255
  • {BLOCKED}.{BLOCKED}.65.0 up to {BLOCKED}.{BLOCKED}.75.255
  • {BLOCKED}.{BLOCKED}.210.0 up to {BLOCKED}.{BLOCKED}.240.255
  • {BLOCKED}.{BLOCKED}.75.0 up to {BLOCKED}.{BLOCKED}.90.255
  • {BLOCKED}.{BLOCKED}.150.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.15.255.
  • {BLOCKED}.{BLOCKED}.145.0 up to {BLOCKED}.{BLOCKED}.160.255
  • {BLOCKED}.{BLOCKED}.150.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.25.0 up to {BLOCKED}.{BLOCKED}.55.255
  • {BLOCKED}.{BLOCKED}.50.0 up to {BLOCKED}.{BLOCKED}.80.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.115.255
  • {BLOCKED}.{BLOCKED}.10.0 up to {BLOCKED}.{BLOCKED}.30.255
  • {BLOCKED}.{BLOCKED}.155.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.165.0 up to {BLOCKED}.{BLOCKED}.185.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.105.255
  • {BLOCKED}.{BLOCKED}.110.0 up to {BLOCKED}.{BLOCKED}.130.255
  • {BLOCKED}.{BLOCKED}.180.0 up to {BLOCKED}.{BLOCKED}.210.255
  • {BLOCKED}.{BLOCKED}.155.0 up to {BLOCKED}.{BLOCKED}.180.255
  • {BLOCKED}.{BLOCKED}.60.0 up to {BLOCKED}.{BLOCKED}.70.255
  • {BLOCKED}.{BLOCKED}.155.0 up to {BLOCKED}.{BLOCKED}.180.255
  • {BLOCKED}.{BLOCKED}.152.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.130.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.210.0 up to {BLOCKED}.{BLOCKED}.245.255
  • {BLOCKED}.{BLOCKED}.220.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.25.255
  • {BLOCKED}.{BLOCKED}.170.0 up to {BLOCKED}.{BLOCKED}.180.255
  • {BLOCKED}.{BLOCKED}.40.0 up to {BLOCKED}.{BLOCKED}.70.255
  • {BLOCKED}.{BLOCKED}.45.0 up to {BLOCKED}.{BLOCKED}.65.255
  • {BLOCKED}.{BLOCKED}.25.0 up to {BLOCKED}.{BLOCKED}.50.255
  • {BLOCKED}.{BLOCKED}.190.0 up to {BLOCKED}.{BLOCKED}.200.255
• It searches and gather data found in the following files:
  • C:\1f.txt
  • C:\1i.txt
  • C:\1p.txt
  • C:\Windows\1f.txt
  • C:\Windows\1i.txt
  • C:\Windows\1p.txt
  • D:\1f.txt
  • D:\1i.txt
  • D:\1p.txt