PUA.Win32.ActivityMonitor.B

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Elimina archivos para impedir la ejecución correcta de programas y aplicaciones. Elimina entradas de registro para causar el funcionamiento incorrecto de aplicaciones y programas.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %Windows%\system\sys\syssettings\config.ini
• %Windows%\system\sys\syscon\Fport.exe
• %Windows%\system\sys\syscon\ipseccmd.exe
• %Windows%\system\sys\syscon\ipsecpol.exe
• %Windows%\system\sys\syscon\text2pol.dll
• %Windows%\system\sys\syscon\ipsecutil.dll
• %User Temp%\Low\sysinfo.bat → execute system info
• %User Temp%\Low\systeminfo.txt → Output of system info
• %User Temp%\DB\soft_run.tbl → software database
• %User Temp%\Low\dev_old.cfg → list of hardware installed
• %User Temp%\Low\dev_new.cfg → list of hardware installed
• %User Temp%\Low\soft_old.cfg → list of software installed
• %User Temp%\Low\soft_new.cfg → list of software installed
• %User Temp%\Low\soft_mini.cfg → list of software installed
• %User Temp%\Low\software.cfg → list of software installed
• %User Temp%\Low\sysinfo.cfg → Output of system info
• %User Temp%\Low\clipboard\{date}.cfg → Logging of clipboard data
• %User Temp%\Low\itech.ini → instant messaging config
• %User Temp%\Low\syslog\{date}.cfg → system event logs
• %User Temp%\Low\config.ini → config file
• %User Temp%\Low\calsum\{date}.ini → File/Data security logs
• %User Temp%\Low\SCREEN\{datetime}.jpg → snapshot
• %User Temp%\Low\alarm\{date}.cfg
• %User Temp%\Low\netstat.bat → execute netstat
• %User Temp%\Low\tasklist.bat → execute tasklist
• %User Temp%\Low\nconnections.bat → execute netstat
• %User Temp%\Low\netshare.bat → execute net share
• %User Temp%\Low\sc.bat → execute sc query
• %User Temp%\Low\syscsv.bat → execute systeminfo
• %User Temp%\Low\diskspace.bat → execute WMIC to gather logical disk information
• %User Temp%\Low\wmicsoftware.bat → execute WMIC to gather all installed application
• %User Temp%\Low\netshare.txt → output of netshare.bat
• %User Temp%\Low\tasklist.txt → output of tasklist.bat
• %User Temp%\Low\diskspace.txt → output of diskspace.bat
• %User Temp%\Low\sc.txt → output of sc.bat
• %User Temp%\Low\netstat.txt → output of netstat.bat
• %User Temp%\Low\nconnections.txt → output of nconnections.bat
• %User Temp%\Low\wmicsoftware.txt → output of wmicsoftware.bat
• %User Temp%\Low\syscsv.txt → output of syscsv.bat
• %User Temp%\Low\{date}traffic.ini → network traffic logs

(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).

Agrega los procesos siguientes:

• cmd /c %User Temp%\Low\sysinfo.bat
• systeminfo > "%User Temp%\Low\systeminfo.txt"
• mspts.exe
• enumdev.exe
• cmd /c %User Temp%\Low\netstat.bat
• cmd /c %User Temp%\Low\tasklist.bat
• cmd /c %User Temp%\Low\nconnections.bat
• cmd /c %User Temp%\Low\netshare.bat
• cmd /c %User Temp%\Low\sc.bat
• cmd /c %User Temp%\Low\syscsv.bat
• cmd /c %User Temp%\Low\diskspace.bat
• cmd /c %User Temp%\Low\wmicsoftware.bat
• WMIC LOGICALDISK GET DESCRIPTION,DEVICEID,FILESYSTEM,SIZE,FREESPACE > "%User Temp%\Low\diskspace.txt"
• netstat -bt > "%User Temp%\Low\nconnections.txt"
• net share > "%User Temp%\Low\netshare.txt"
• netstat -e > "%User Temp%\Low\netstat.txt"
• sc query > "%User Temp%\Low\sc.txt"
• systeminfo > "%User Temp%\Low\syscsv.txt"
• tasklist > "%User Temp%\Low\tasklist.txt"
• WMIC product get name,version > "%User Temp%\Low\wmicsoftware.txt"

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Crea las carpetas siguientes:

• %User Temp%\Low
• %User Temp%\Low\reg_backup
• %User Temp%\Low\smtp_file
• %User Temp%\Low\pop3_file
• %User Temp%\Low\attendance
• %User Temp%\Low\file_transfer_backup
• %User Temp%\Low\outlook
• %User Temp%\Low\agentupgrade
• %User Temp%\Low\SCREEN
• %User Temp%\Low\appfiles
• %User Temp%\Low\alarm
• %User Temp%\Low\calsum
• %User Temp%\Low\clipboard
• %User Temp%\Low\sc
• %User Temp%\Low\SCREEN
• %User Temp%\Low\syslog
• %User Temp%\DB

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• EagleEye 1.5 - EagleEye 2005.11.04

Otras modificaciones del sistema

Elimina los archivos siguientes:

• %Application Data%\imonitor\ProcGuard.exe
• %Application Data%\imonitor\Client.exe
• %System Root%\Client.exe
• %System Root%\ProcGuard.exe
• %Windows%\system\sys\syscon\Client.exe
• %User Temp%\Low\websitedownload.cfg
• %User Temp%\Low\websitesearch.cfg
• %User Temp%\Low\site.cfg
• %User Temp%\Low\websiteurl.cfg
• %User Temp%\Low\ss_client.log
• %User Temp%\Low\outlook.log
• %User Temp%\Low\eamusb.txt
• %User Temp%\DB\soft_run.tbl
• %User Temp%\Low\run_proc.cfg
• %System Root%\sip.bat

(Nota: %Application Data% es la carpeta Application Data del usuario activo, que en el caso de Windows 98 y ME suele estar ubicada en C:\Windows\Profiles\{nombre de usuario}\Application Data, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Application Data, en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) en C:\Documents and Settings\{nombre de usuario}\Local Settings\Application Data y en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Roaming.).

Agrega las siguientes entradas de registro:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting
lock_flag = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting
device = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting
software = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
usb = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
comm = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
bing = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
cdrom = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
softdisk = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
autostart_client = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
enable_procrule = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
incoming = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
outgoing = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
LMOUSE = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
RMOUSE = {string}

Elimina las siguientes entradas de registro:

SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
ProcGuard =

Otros detalles

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\FileSetting

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\Printer