Trojan.Win32.VICERCON.D

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• %Windows%\Fonts\clientdb
• %Windows%\Fonts\clientdb\ds
• %Windows%\Fonts\clientdb\gt
• %Windows%\Fonts\Swil

(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).

Infiltra los archivos siguientes:

• %Windows%\Fonts\clientdb\ds \{Random Numbers}
• %Windows%\Fonts\clientdb\gt \{Random Numbers}
• %Windows%\Fonts\Swil\pro_logs
• %System%\LogFiles\rubescurity.exe -> detected as Coinminer.Win32.MALXMR.TDQ
• %System%\LogFiles\normaliz.dll
• %System%\LogFiles\miscoboeh.exe -> detected as Coinminer.Win32.MALXMR.TIAOODFG

(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).

Agrega los procesos siguientes:

• “%System%\LogFiles\miscoboeh.exe” allbit32 wxp|w2003 mwrite:0 ewrite:0 twrite:0 newrun:1 flag:2 c: 3 stopwork:nope “{Defined String}”
• %System%\LogFiles\rubescurity.exe -a yespowersugar –o stratum+tcp”//146.59.217.34:7042 –u sugar1qtcx5933wwh769lvxu5k05w63eszq6epgf075lz -p x –t 1
• “%System%\LogFiles\miscoboeh.exe” allbit32 wxp|w2003 mwrite:0 ewrite:0 twrite:0 newrun:1 flag:2 c: 3 stopwork:nope “{Defined String}”

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
sha1 = {Malware Defined Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
notice = {Malware Defined Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
tunnel = {Malware Defined Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
peer = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
intranet = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
comment = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
forward = {Hex Values}

Robo de información

Recopila los siguientes datos:

• Computer Name
• Username
• CPU Information
• Local Time

Otros detalles

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo

Hace lo siguiente:

• It uses the following uncommon ports:
  • 27930
  • 65083
• It sends UDP packets to any of the following IP addresses within the network range:
  • {BLOCKED}.186.248.1 up to {BLOCKED}.186.248.255
  • {BLOCKED}.187.39.1 up to {BLOCKED}.187.39.255
  • {BLOCKED}.73.246.1 up to {BLOCKED}.73.246.255
  • {BLOCKED}.106.4.1 up to {BLOCKED}.106.4.255
  • {BLOCKED}.66.37.1 up to {BLOCKED}.66.37.255
  • {BLOCKED}.71.202.1 up to {BLOCKED}.71.202.255
  • {BLOCKED}.106.93.1 up to {BLOCKED}.106.93.255
  • {BLOCKED}.39.186.1 up to {BLOCKED}.39.186.255
  • {BLOCKED}.61.81.1 up to {BLOCKED}.61.81.255
  • {BLOCKED}.225.21.1 up to {BLOCKED}.225.21.255
  • {BLOCKED}.120.39.1 up to {BLOCKED}.120.39.255
  • {BLOCKED}.209.73.1 up to {BLOCKED}.209.73.255
  • {BLOCKED}.48.109.1 up to {BLOCKED}.48.109.255
  • {BLOCKED}.206.30.1 up to {BLOCKED}.206.30.255
  • {BLOCKED}.90.201.1 up to {BLOCKED}.90.201.255
  • {BLOCKED}.246.6.1 up to {BLOCKED}.246.6.255
  • {BLOCKED}.150.27.1 up to {BLOCKED}.150.27.255
  • {BLOCKED}.68.198.1 up to {BLOCKED}.68.198.255
  • {BLOCKED}.44.137.1 up to {BLOCKED}.44.137.255
  • {BLOCKED}.76.139.1 up to {BLOCKED}.76.139.255
  • {BLOCKED}.36.184.1 up to {BLOCKED}.36.184.255
  • {BLOCKED}.77.203.1 up to {BLOCKED}.77.203.255
  • {BLOCKED}.193.17.1 up to {BLOCKED}.193.17.255
  • {BLOCKED}.223.128.1 up to {BLOCKED}.223.128.255
  • {BLOCKED}.176.100.1 up to {BLOCKED}.176.100.255
  • {BLOCKED}.69.231.1 up to {BLOCKED}.69.231.255
  • {BLOCKED}.76.51.1 up to {BLOCKED}.76.51.255
  • {BLOCKED}.73.15.1 up to {BLOCKED}.73.15.255
  • {BLOCKED}.165.166.1 up to {BLOCKED}.165.166.255
  • {BLOCKED}.220.1.1 up to {BLOCKED}.220.1.255
  • {BLOCKED}.207.145.1 up to {BLOCKED}.207.145.255
  • {BLOCKED}.88.33.1 up to {BLOCKED}.88.33.255
  • {BLOCKED}.147.83.1 up to {BLOCKED}.147.83.255
  • {BLOCKED}.122.123.1 up to {BLOCKED}.122.123.255
  • {BLOCKED}.160.58.1 up to {BLOCKED}.160.58.255
  • {BLOCKED}.16.6.1 up to {BLOCKED}.16.6.255
  • {BLOCKED}.29.213.1 up to {BLOCKED}.29.213.255
  • {BLOCKED}.47.33.1 up to {BLOCKED}.47.33.255
  • {BLOCKED}.61.168.1 up to {BLOCKED}.61.168.255
  • {BLOCKED}.194.189.1 up to {BLOCKED}.194.189.255
  • {BLOCKED}.111.189.1 up to {BLOCKED}.111.189.255
  • {BLOCKED}.191.125.1 up to {BLOCKED}.191.125.255
  • {BLOCKED}.248.121.1 up to {BLOCKED}.248.121.255
  • {BLOCKED}.72.131.1 up to {BLOCKED}.72.131.255
  • {BLOCKED}.72.194.1 up to {BLOCKED}.72.194.255
  • {BLOCKED}.74.93.1 up to {BLOCKED}.74.93.255
  • {BLOCKED}.82.112.1 up to {BLOCKED}.82.112.255
  • {BLOCKED}.88.218.1 up to {BLOCKED}.88.218.255
  • {BLOCKED}.53.152.1 up to {BLOCKED}.53.152.255
  • {BLOCKED}.44.128.1 up to {BLOCKED}.44.128.255
  • {BLOCKED}.50.235.1 up to {BLOCKED}.50.235.255
  • {BLOCKED}.251.12.1 up to {BLOCKED}.251.12.255
  • {BLOCKED}.71.0.1 up to {BLOCKED}.71.0.255
  • {BLOCKED}.83.31.1 up to {BLOCKED}.83.31.255
  • {BLOCKED}.172.56.1 up to {BLOCKED}.172.56.255
  • {BLOCKED}.126.127.1 up to {BLOCKED}.126.127.255
  • {BLOCKED}.235.34.1 up to {BLOCKED}.235.34.255
  • {BLOCKED}.248.16.1 up to {BLOCKED}.248.16.255
  • {BLOCKED}.91.168.1 up to {BLOCKED}.91.168.255
  • {BLOCKED}.192.80.0 up to {BLOCKED}.192.97.255
  • {BLOCKED}.52.5.0 up to {BLOCKED}.52.15.255
  • {BLOCKED}.126.190.0 up to {BLOCKED}.126.255.255
  • {BLOCKED}.187.25.0 up to {BLOCKED}.187.50.255
  • {BLOCKED}.192.1.0 up to {BLOCKED}.192.25.255
  • {BLOCKED}.156.210.0 up to {BLOCKED}.156.250.255
  • {BLOCKED}.106.1.0 up to {BLOCKED}.106.26.255
  • {BLOCKED}.60.252.0 up to {BLOCKED}.60.255.255
  • {BLOCKED}.89.140.0 up to {BLOCKED}.89.165.255
  • {BLOCKED}.33.60.0 up to {BLOCKED}.33.90.255
  • {BLOCKED}.240.90.0 up to {BLOCKED}.240.115.255
  • {BLOCKED}.32.85.0 up to {BLOCKED}.32.120.255
  • {BLOCKED}.209.60.0 up to {BLOCKED}.209.85.255
  • {BLOCKED}.88.50.0 up to {BLOCKED}.88.60.255
  • {BLOCKED}.64.140.0 up to {BLOCKED}.64.165.255
  • {BLOCKED}.90.150.0 up to {BLOCKED}.90.175.255
  • {BLOCKED}.94.140.0 up to {BLOCKED}.94.165.255
  • {BLOCKED}.164.40.0 up to {BLOCKED}.164.65.255
  • {BLOCKED}.68.185.0 up to {BLOCKED}.68.210.255
  • {BLOCKED}.91.100.0 up to {BLOCKED}.91.110.255
  • {BLOCKED}.147.230.0 up to {BLOCKED}.147.255.255
  • {BLOCKED}.49.200.0 up to {BLOCKED}.49.225.255
  • {BLOCKED}.4.90.0 up to {BLOCKED}.4.115.255
  • {BLOCKED}.219.185.0 up to {BLOCKED}.219.200.255
  • {BLOCKED}.110.5.0 up to {BLOCKED}.110.15.255
  • {BLOCKED}.44.120.0 up to {BLOCKED}.44.150.255
  • {BLOCKED}.61.211.0 up to {BLOCKED}.61.240.255
  • {BLOCKED}.166.85.0 up to {BLOCKED}.166.100.255
  • {BLOCKED}.248.35.0 up to {BLOCKED}.248.75.255
  • {BLOCKED}.244.50.0 up to {BLOCKED}.244.60.255
  • {BLOCKED}.109.70.0 up to {BLOCKED}.109.85.255
  • {BLOCKED}.245.20.0 up to {BLOCKED}.245.38.255
  • {BLOCKED}.160.180.0 up to {BLOCKED}.160.200.255
  • {BLOCKED}.161.140.0 up to {BLOCKED}.161.165.255
  • {BLOCKED}.176.90.0 up to {BLOCKED}.176.110.255
  • {BLOCKED}.165.145.0 up to {BLOCKED}.165.175.255
  • {BLOCKED}.58.220.0 up to {BLOCKED}.58.245.255
  • {BLOCKED}.4.230.0 up to {BLOCKED}.4.255.255
  • {BLOCKED}.91.60.255
  • {BLOCKED}.102.185.0 up to {BLOCKED}.102.200.255
  • {BLOCKED}.220.1.0 up to {BLOCKED}.220.20.255
  • {BLOCKED}.254.65.0 up to {BLOCKED}.254.75.255
  • {BLOCKED}.58.210.0 up to {BLOCKED}.58.240.255
  • {BLOCKED}.147.75.0 up to {BLOCKED}.147.90.255
  • {BLOCKED}.117.150.0 up to {BLOCKED}.117.175.255
  • {BLOCKED}.170.1.0 up to {BLOCKED}.170.15.255
  • {BLOCKED}.19.145.0 up to {BLOCKED}.19.160.255
  • {BLOCKED}.74.150.0 up to {BLOCKED}.74.165.255
  • {BLOCKED}.81.230.0 up to {BLOCKED}.81.255.255
  • {BLOCKED}.234.25.0 up to {BLOCKED}.234.55.255
  • {BLOCKED}.238.50.0 up to {BLOCKED}.238.80.255
  • {BLOCKED}.192.85.0 up to {BLOCKED}.192.115.255
  • {BLOCKED}.203.10.0 up to {BLOCKED}.203.30.255
  • {BLOCKED}.61.155.0 up to {BLOCKED}.61.175.255
  • {BLOCKED}.129.165.0 up to {BLOCKED}.129.185.255
  • {BLOCKED}.251.230.0 up to {BLOCKED}.251.255.255
  • {BLOCKED}.74.85.0 up to {BLOCKED}.74.105.255
  • {BLOCKED}.82.110.0 up to {BLOCKED}.82.130.255
  • {BLOCKED}.61.180.0 up to {BLOCKED}.61.210.255
  • {BLOCKED}.90.155.0 up to {BLOCKED}.90.180.255
  • {BLOCKED}.29.60.0 up to {BLOCKED}.29.70.255
  • {BLOCKED}.88.155.0 up to {BLOCKED}.88.180.255
  • {BLOCKED}.82.152.0 up to {BLOCKED}.82.175.255
  • {BLOCKED}.61.130.0 up to {BLOCKED}.61.165.255
  • {BLOCKED}.45.210.0 up to {BLOCKED}.45.245.255
  • {BLOCKED}.50.220.0 up to {BLOCKED}.50.255.255
  • {BLOCKED}.251.1.0 up to {BLOCKED}.251.25.255
  • {BLOCKED}.254.170.0 up to {BLOCKED}.254.180.255
  • {BLOCKED}.133.40.0 up to {BLOCKED}.133.70.255
  • {BLOCKED}.124.45.0 up to {BLOCKED}.124.65.255
  • {BLOCKED}.235.25.0 up to {BLOCKED}.235.50.255
  • {BLOCKED}.134.190.0 up to {BLOCKED}.134.200.255
  • {BLOCKED}.168.244.143 up to {BLOCKED}.168.244.255
  {BLOCKED}.168.0.70 up to {BLOCKED}.168.0.255
  • {BLOCKED}.168.1.0 up to {BLOCKED}.168.1.255
  • {BLOCKED}.168.2.1 up to {BLOCKED}.168.2.255
  • {BLOCKED}.168.3.1 up to {BLOCKED}.168.3.255
  • {BLOCKED}.168.4.0 up to {BLOCKED}.168.4.255
  • {BLOCKED}.168.5.0 up to {BLOCKED}.168.5.255
  • {BLOCKED}.168.6.0 up to {BLOCKED}.168.6.255
  • {BLOCKED}.168.7.0 up to {BLOCKED}.168.7.255
  • {BLOCKED}.168.8.0 up to {BLOCKED}.168.8.255
  • {BLOCKED}.168.9.0 up to {BLOCKED}.168.9.255
  • {BLOCKED}.168.10.0 up to {BLOCKED}.168.10.255
  • {BLOCKED}.168.11.0 up to {BLOCKED}.168.11.255
  • {BLOCKED}.168.12.0 up to BLOCKED}.168.12.255
• It searches and gather data found in the following files:
  • C:\1f.txt
  • C:\1i.txt
  • C:\1p.txt
  • C:\Windows\1f.txt
  • C:\Windows\1i.txt
  • C:\Windows\1p.txt
  • D:\1f.txt
  • D:\1i.txt
  • D:\1p.txt
  • E:\1f.txt
  • E:\1i.txt
  • E:\1p.txt