Trojan.Win32.VICERCON.D
Trojan.Win64.Miner.alad (KASPERSKY); Trojan.Win64.Zapchast (VBA32)
Windows
Tipo di minaccia informatica:
Trojan
Distruttivo?:
No
Crittografato?:
No
In the wild::
Sì
Panoramica e descrizione
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Dettagli tecnici
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Instalación
Agrega las carpetas siguientes:
- %Windows%\Fonts\clientdb
- %Windows%\Fonts\clientdb\ds
- %Windows%\Fonts\clientdb\gt
- %Windows%\Fonts\Swil
(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).
)Infiltra los archivos siguientes:
- %Windows%\Fonts\clientdb\ds \{Random Numbers}
- %Windows%\Fonts\clientdb\gt \{Random Numbers}
- %Windows%\Fonts\Swil\pro_logs
- %System%\LogFiles\rubescurity.exe -> detected as Coinminer.Win32.MALXMR.TDQ
- %System%\LogFiles\normaliz.dll
- %System%\LogFiles\miscoboeh.exe -> detected as Coinminer.Win32.MALXMR.TIAOODFG
(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).
. %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).)Agrega los procesos siguientes:
- “%System%\LogFiles\miscoboeh.exe” allbit32 wxp|w2003 mwrite:0 ewrite:0 twrite:0 newrun:1 flag:2 c: 3 stopwork:nope “{Defined String}”
- %System%\LogFiles\rubescurity.exe -a yespowersugar –o stratum+tcp”//146.59.217.34:7042 –u sugar1qtcx5933wwh769lvxu5k05w63eszq6epgf075lz -p x –t 1
- “%System%\LogFiles\miscoboeh.exe” allbit32 wxp|w2003 mwrite:0 ewrite:0 twrite:0 newrun:1 flag:2 c: 3 stopwork:nope “{Defined String}”
(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).
)Otras modificaciones del sistema
Agrega las siguientes entradas de registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
sha1 = {Malware Defined Values}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
notice = {Malware Defined Values}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
tunnel = {Malware Defined Values}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
peer = {Hex Values}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
intranet = {Hex Values}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
comment = {Hex Values}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
forward = {Hex Values}
Robo de información
Recopila los siguientes datos:
- Computer Name
- Username
- CPU Information
- Local Time
Otros detalles
Agrega las siguientes entradas de registro como parte de la rutina de instalación:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
Hace lo siguiente:
- It uses the following uncommon ports:
- 27930
- 65083
- It sends UDP packets to any of the following IP addresses within the network range:
- {BLOCKED}.186.248.1 up to {BLOCKED}.186.248.255
- {BLOCKED}.187.39.1 up to {BLOCKED}.187.39.255
- {BLOCKED}.73.246.1 up to {BLOCKED}.73.246.255
- {BLOCKED}.106.4.1 up to {BLOCKED}.106.4.255
- {BLOCKED}.66.37.1 up to {BLOCKED}.66.37.255
- {BLOCKED}.71.202.1 up to {BLOCKED}.71.202.255
- {BLOCKED}.106.93.1 up to {BLOCKED}.106.93.255
- {BLOCKED}.39.186.1 up to {BLOCKED}.39.186.255
- {BLOCKED}.61.81.1 up to {BLOCKED}.61.81.255
- {BLOCKED}.225.21.1 up to {BLOCKED}.225.21.255
- {BLOCKED}.120.39.1 up to {BLOCKED}.120.39.255
- {BLOCKED}.209.73.1 up to {BLOCKED}.209.73.255
- {BLOCKED}.48.109.1 up to {BLOCKED}.48.109.255
- {BLOCKED}.206.30.1 up to {BLOCKED}.206.30.255
- {BLOCKED}.90.201.1 up to {BLOCKED}.90.201.255
- {BLOCKED}.246.6.1 up to {BLOCKED}.246.6.255
- {BLOCKED}.150.27.1 up to {BLOCKED}.150.27.255
- {BLOCKED}.68.198.1 up to {BLOCKED}.68.198.255
- {BLOCKED}.44.137.1 up to {BLOCKED}.44.137.255
- {BLOCKED}.76.139.1 up to {BLOCKED}.76.139.255
- {BLOCKED}.36.184.1 up to {BLOCKED}.36.184.255
- {BLOCKED}.77.203.1 up to {BLOCKED}.77.203.255
- {BLOCKED}.193.17.1 up to {BLOCKED}.193.17.255
- {BLOCKED}.223.128.1 up to {BLOCKED}.223.128.255
- {BLOCKED}.176.100.1 up to {BLOCKED}.176.100.255
- {BLOCKED}.69.231.1 up to {BLOCKED}.69.231.255
- {BLOCKED}.76.51.1 up to {BLOCKED}.76.51.255
- {BLOCKED}.73.15.1 up to {BLOCKED}.73.15.255
- {BLOCKED}.165.166.1 up to {BLOCKED}.165.166.255
- {BLOCKED}.220.1.1 up to {BLOCKED}.220.1.255
- {BLOCKED}.207.145.1 up to {BLOCKED}.207.145.255
- {BLOCKED}.88.33.1 up to {BLOCKED}.88.33.255
- {BLOCKED}.147.83.1 up to {BLOCKED}.147.83.255
- {BLOCKED}.122.123.1 up to {BLOCKED}.122.123.255
- {BLOCKED}.160.58.1 up to {BLOCKED}.160.58.255
- {BLOCKED}.16.6.1 up to {BLOCKED}.16.6.255
- {BLOCKED}.29.213.1 up to {BLOCKED}.29.213.255
- {BLOCKED}.47.33.1 up to {BLOCKED}.47.33.255
- {BLOCKED}.61.168.1 up to {BLOCKED}.61.168.255
- {BLOCKED}.194.189.1 up to {BLOCKED}.194.189.255
- {BLOCKED}.111.189.1 up to {BLOCKED}.111.189.255
- {BLOCKED}.191.125.1 up to {BLOCKED}.191.125.255
- {BLOCKED}.248.121.1 up to {BLOCKED}.248.121.255
- {BLOCKED}.72.131.1 up to {BLOCKED}.72.131.255
- {BLOCKED}.72.194.1 up to {BLOCKED}.72.194.255
- {BLOCKED}.74.93.1 up to {BLOCKED}.74.93.255
- {BLOCKED}.82.112.1 up to {BLOCKED}.82.112.255
- {BLOCKED}.88.218.1 up to {BLOCKED}.88.218.255
- {BLOCKED}.53.152.1 up to {BLOCKED}.53.152.255
- {BLOCKED}.44.128.1 up to {BLOCKED}.44.128.255
- {BLOCKED}.50.235.1 up to {BLOCKED}.50.235.255
- {BLOCKED}.251.12.1 up to {BLOCKED}.251.12.255
- {BLOCKED}.71.0.1 up to {BLOCKED}.71.0.255
- {BLOCKED}.83.31.1 up to {BLOCKED}.83.31.255
- {BLOCKED}.172.56.1 up to {BLOCKED}.172.56.255
- {BLOCKED}.126.127.1 up to {BLOCKED}.126.127.255
- {BLOCKED}.235.34.1 up to {BLOCKED}.235.34.255
- {BLOCKED}.248.16.1 up to {BLOCKED}.248.16.255
- {BLOCKED}.91.168.1 up to {BLOCKED}.91.168.255
- {BLOCKED}.192.80.0 up to {BLOCKED}.192.97.255
- {BLOCKED}.52.5.0 up to {BLOCKED}.52.15.255
- {BLOCKED}.126.190.0 up to {BLOCKED}.126.255.255
- {BLOCKED}.187.25.0 up to {BLOCKED}.187.50.255
- {BLOCKED}.192.1.0 up to {BLOCKED}.192.25.255
- {BLOCKED}.156.210.0 up to {BLOCKED}.156.250.255
- {BLOCKED}.106.1.0 up to {BLOCKED}.106.26.255
- {BLOCKED}.60.252.0 up to {BLOCKED}.60.255.255
- {BLOCKED}.89.140.0 up to {BLOCKED}.89.165.255
- {BLOCKED}.33.60.0 up to {BLOCKED}.33.90.255
- {BLOCKED}.240.90.0 up to {BLOCKED}.240.115.255
- {BLOCKED}.32.85.0 up to {BLOCKED}.32.120.255
- {BLOCKED}.209.60.0 up to {BLOCKED}.209.85.255
- {BLOCKED}.88.50.0 up to {BLOCKED}.88.60.255
- {BLOCKED}.64.140.0 up to {BLOCKED}.64.165.255
- {BLOCKED}.90.150.0 up to {BLOCKED}.90.175.255
- {BLOCKED}.94.140.0 up to {BLOCKED}.94.165.255
- {BLOCKED}.164.40.0 up to {BLOCKED}.164.65.255
- {BLOCKED}.68.185.0 up to {BLOCKED}.68.210.255
- {BLOCKED}.91.100.0 up to {BLOCKED}.91.110.255
- {BLOCKED}.147.230.0 up to {BLOCKED}.147.255.255
- {BLOCKED}.49.200.0 up to {BLOCKED}.49.225.255
- {BLOCKED}.4.90.0 up to {BLOCKED}.4.115.255
- {BLOCKED}.219.185.0 up to {BLOCKED}.219.200.255
- {BLOCKED}.110.5.0 up to {BLOCKED}.110.15.255
- {BLOCKED}.44.120.0 up to {BLOCKED}.44.150.255
- {BLOCKED}.61.211.0 up to {BLOCKED}.61.240.255
- {BLOCKED}.166.85.0 up to {BLOCKED}.166.100.255
- {BLOCKED}.248.35.0 up to {BLOCKED}.248.75.255
- {BLOCKED}.244.50.0 up to {BLOCKED}.244.60.255
- {BLOCKED}.109.70.0 up to {BLOCKED}.109.85.255
- {BLOCKED}.245.20.0 up to {BLOCKED}.245.38.255
- {BLOCKED}.160.180.0 up to {BLOCKED}.160.200.255
- {BLOCKED}.161.140.0 up to {BLOCKED}.161.165.255
- {BLOCKED}.176.90.0 up to {BLOCKED}.176.110.255
- {BLOCKED}.165.145.0 up to {BLOCKED}.165.175.255
- {BLOCKED}.58.220.0 up to {BLOCKED}.58.245.255
- {BLOCKED}.4.230.0 up to {BLOCKED}.4.255.255
- {BLOCKED}.91.60.255
- {BLOCKED}.102.185.0 up to {BLOCKED}.102.200.255
- {BLOCKED}.220.1.0 up to {BLOCKED}.220.20.255
- {BLOCKED}.254.65.0 up to {BLOCKED}.254.75.255
- {BLOCKED}.58.210.0 up to {BLOCKED}.58.240.255
- {BLOCKED}.147.75.0 up to {BLOCKED}.147.90.255
- {BLOCKED}.117.150.0 up to {BLOCKED}.117.175.255
- {BLOCKED}.170.1.0 up to {BLOCKED}.170.15.255
- {BLOCKED}.19.145.0 up to {BLOCKED}.19.160.255
- {BLOCKED}.74.150.0 up to {BLOCKED}.74.165.255
- {BLOCKED}.81.230.0 up to {BLOCKED}.81.255.255
- {BLOCKED}.234.25.0 up to {BLOCKED}.234.55.255
- {BLOCKED}.238.50.0 up to {BLOCKED}.238.80.255
- {BLOCKED}.192.85.0 up to {BLOCKED}.192.115.255
- {BLOCKED}.203.10.0 up to {BLOCKED}.203.30.255
- {BLOCKED}.61.155.0 up to {BLOCKED}.61.175.255
- {BLOCKED}.129.165.0 up to {BLOCKED}.129.185.255
- {BLOCKED}.251.230.0 up to {BLOCKED}.251.255.255
- {BLOCKED}.74.85.0 up to {BLOCKED}.74.105.255
- {BLOCKED}.82.110.0 up to {BLOCKED}.82.130.255
- {BLOCKED}.61.180.0 up to {BLOCKED}.61.210.255
- {BLOCKED}.90.155.0 up to {BLOCKED}.90.180.255
- {BLOCKED}.29.60.0 up to {BLOCKED}.29.70.255
- {BLOCKED}.88.155.0 up to {BLOCKED}.88.180.255
- {BLOCKED}.82.152.0 up to {BLOCKED}.82.175.255
- {BLOCKED}.61.130.0 up to {BLOCKED}.61.165.255
- {BLOCKED}.45.210.0 up to {BLOCKED}.45.245.255
- {BLOCKED}.50.220.0 up to {BLOCKED}.50.255.255
- {BLOCKED}.251.1.0 up to {BLOCKED}.251.25.255
- {BLOCKED}.254.170.0 up to {BLOCKED}.254.180.255
- {BLOCKED}.133.40.0 up to {BLOCKED}.133.70.255
- {BLOCKED}.124.45.0 up to {BLOCKED}.124.65.255
- {BLOCKED}.235.25.0 up to {BLOCKED}.235.50.255
- {BLOCKED}.134.190.0 up to {BLOCKED}.134.200.255
- {BLOCKED}.168.244.143 up to {BLOCKED}.168.244.255 {BLOCKED}.168.0.70 up to {BLOCKED}.168.0.255
- {BLOCKED}.168.1.0 up to {BLOCKED}.168.1.255
- {BLOCKED}.168.2.1 up to {BLOCKED}.168.2.255
- {BLOCKED}.168.3.1 up to {BLOCKED}.168.3.255
- {BLOCKED}.168.4.0 up to {BLOCKED}.168.4.255
- {BLOCKED}.168.5.0 up to {BLOCKED}.168.5.255
- {BLOCKED}.168.6.0 up to {BLOCKED}.168.6.255
- {BLOCKED}.168.7.0 up to {BLOCKED}.168.7.255
- {BLOCKED}.168.8.0 up to {BLOCKED}.168.8.255
- {BLOCKED}.168.9.0 up to {BLOCKED}.168.9.255
- {BLOCKED}.168.10.0 up to {BLOCKED}.168.10.255
- {BLOCKED}.168.11.0 up to {BLOCKED}.168.11.255
- {BLOCKED}.168.12.0 up to BLOCKED}.168.12.255
- C:\1f.txt
- C:\1i.txt
- C:\1p.txt
- C:\Windows\1f.txt
- C:\Windows\1i.txt
- C:\Windows\1p.txt
- D:\1f.txt
- D:\1i.txt
- D:\1p.txt
- E:\1f.txt
- E:\1i.txt
- E:\1p.txt
Soluzioni
Step 2
Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Reiniciar en modo seguro
Step 5
Eliminar este valor del Registro
Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- sha1 = {Malware Defined Values}
- sha1 = {Malware Defined Values}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- notice = {Malware Defined Values}
- notice = {Malware Defined Values}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- tunnel = {Malware Defined Values}
- tunnel = {Malware Defined Values}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- peer = {Hex Values}
- peer = {Hex Values}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- intranet = {Hex Values}
- intranet = {Hex Values}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- comment = {Hex Values}
- comment = {Hex Values}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
- forward = {Hex Values}
- forward = {Hex Values}
Step 6
Eliminar esta clave del Registro
Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHTinfo
Step 7
Buscar y eliminar este archivo
- %Windows%\Fonts\clientdb\ds \{Random Numbers}
- %Windows%\Fonts\clientdb\gt \{Random Numbers}
- %Windows%\Fonts\Swil\pro_logs
- %System%\LogFiles\rubescurity.exe
- %System%\LogFiles\normaliz.dll
- %System%\LogFiles\miscoboeh.exe
Step 8
Buscar y eliminar esta carpeta
- %Windows%\Fonts\clientdb
- %Windows%\Fonts\clientdb\ds
- %Windows%\Fonts\clientdb\gt
- %Windows%\Fonts\Swil
Step 9
Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Trojan.Win32.VICERCON.D En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Sondaggio