FÜR NUTZER

Schließen

Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Suche
Suche

Support
Support 24/7 | Regeln zur Anfragenübermittlung

Schreiben Sie uns

Online-Formular

Telefon

+49 (0) 170 488 40 28

Forum

Ihre Anfragen

Neue Anfrage

Rufen Sie uns an

+7 (495) 789-45-86

Profil

DE

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
Schließen
Services
Scanner
Dr.Web vxCube
Testversion
Analyse von virenabhängigen Vorfällen
Virenbibliothek
Wissensdatenbank

Technologies

Begriffe

Schulung und Training

Mythen

News

Trojan.Siggen17.65080

Added to the Dr.Web virus database: 2022-06-04

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • <SYSTEM32>\tasks\restart terminal services
Sets the following service settings
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\TermService] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\SVCM] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\SVCM] 'ImagePath' = '"c:\Siemens\svcmain.exe"'
Creates the following services
  • 'SVCM' "c:\Siemens\svcmain.exe"
  • 'SVCM' c:\Siemens\svcmain.exe
  • 'umbus' system32\DRIVERS\umbus.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
  • User Account Control (UAC)
  • System File Checker (SFC)
  • Windows Security Center
Executes the following
  • '<SYSTEM32>\net.exe' STOP TerminalService
  • '<SYSTEM32>\net.exe' STOP SVCM
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 80" dir=out action=allow protocol=TCP localport=80
  • '<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Terminal Server" enable all
  • '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
  • '<SYSTEM32>\netsh.exe' firewall set service remotedesktop enable
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 3389" dir=out action=allow protocol=TCP localport=3389
  • '<SYSTEM32>\netsh.exe' firewall add portopening TCP 443 "HTTPS" enable all
  • '<SYSTEM32>\netsh.exe' firewall add portopening TCP 80 "HTTP" enable all
  • '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 443" dir=in action=allow protocol=TCP localport=443
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 443" dir=out action=allow protocol=TCP localport=443
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
  • '<SYSTEM32>\net.exe' STOP PcaSvc
  • '%WINDIR%\syswow64\net.exe' stop SVCM /y
Injects code into
the following system processes:
  • <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
  • %TEMP%\7zs4ba0.tmp\install_tsplus.bat
  • <SYSTEM32>\microsoft\protect\s-1-5-20\65ad305e-f533-49a3-9242-82c710ffcc1d
  • C:\siemens\restartterminalservices.bat
  • %TEMP%\restartterminalservices.bat
  • C:\siemens\supportlog04-06-2022-07.txt
  • C:\siemens\svcm.dll
  • %TEMP%\aut74d4.tmp
  • C:\siemens\svcmain.exe
  • %TEMP%\aut72e0.tmp
  • C:\siemens\siemensserver.exe
  • %TEMP%\aut6623.tmp
  • %ALLUSERSPROFILE%\uninstall\uninstall.exe
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
  • %APPDATA%\microsoft\windows\cookies\low\index.dat
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nl33qpvz\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\w6jfma29\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nbv2cukz\desktop.ini
  • %TEMP%\aut646d.tmp
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a3j310zw\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
  • C:\tmp\setup_versions.txt
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
  • %TEMP%\uac.reg
  • nul
  • %TEMP%\7zs4ba0.tmp\svcm.dll
  • %TEMP%\7zs4ba0.tmp\svcmain.exe
  • %TEMP%\7zs4ba0.tmp\setup-siemens.exe
  • <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
  • %ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Sets the 'hidden' attribute to the following files
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a3j310zw\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nbv2cukz\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\w6jfma29\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nl33qpvz\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
  • C:\tmp\setup_versions.txt
  • %TEMP%\aut646d.tmp
  • %TEMP%\aut6623.tmp
  • %TEMP%\aut72e0.tmp
  • %TEMP%\aut74d4.tmp
  • %TEMP%\uac.reg
  • %TEMP%\7zs4ba0.tmp\install_tsplus.bat
  • %TEMP%\7zs4ba0.tmp\setup-siemens.exe
  • %TEMP%\7zs4ba0.tmp\svcm.dll
  • %TEMP%\7zs4ba0.tmp\svcmain.exe
Substitutes the following files
  • %ALLUSERSPROFILE%\ntuser.pol
  • %HOMEPATH%\ntuser.pol
Network activity
Connects to
  • 'up####.dl-files.com':80
TCP
HTTP GET requests
  • http://up####.dl-files.com/update/svcmain/versions.txt
UDP
  • DNS ASK up####.dl-files.com
Miscellaneous
Creates and executes the following
  • '%TEMP%\7zs4ba0.tmp\setup-siemens.exe' /LicenseKey SIEM-ENS0-5349-454D
  • 'C:\siemens\svcmain.exe'
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c NET START SVCM' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c sc config TermService start= auto' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c sc config TermService depend= RPCSS/TermDD/SVCM' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c sc description SVCM "If this service is disabled, any services that explicitly depend on it will fail to start."' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c NET STOP SVCM' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c NET STOP TerminalService' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh firewall set service remotedesktop enable' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 443 "HTTPS" enable all' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 80 "HTTP" enable all' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=out action=allow protocol=TCP localport=80' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 3389 "Terminal Server" enable all' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=out action=allow protocol=TCP localport=443' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=in action=allow protocol=TCP localport=443' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c NET STOP PcaSvc' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=out action=allow protocol=TCP localport=3389' (with hidden window)
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7zS4BA0.tmp\Install_TSPlus.bat" "
  • '<SYSTEM32>\cmd.exe' /c NET START SVCM
  • '<SYSTEM32>\cmd.exe' /c NET STOP PcaSvc
  • '%WINDIR%\syswow64\reg.exe' restore HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "%TEMP%\UAC.reg"
  • '<SYSTEM32>\net.exe' START SVCM
  • '<SYSTEM32>\net1.exe' START SVCM
  • '%WINDIR%\syswow64\reg.exe' delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /f
  • '<SYSTEM32>\net1.exe' STOP PcaSvc
  • '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v InitialProgram /d "" /f
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=out action=allow protocol=TCP localport=80
  • '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableTimeZoneRedirection /t REG_DWORD /d 0 /f
  • '%WINDIR%\syswow64\schtasks.exe' /Create /RU "SYSTEM" /rl highest /SC ONSTART /TN "Restart Terminal Services" /TR "'<SYSTEM32>\cmd.exe' /C C:\Siemens\RestartTerminalServices.bat > C:\Siemens\RestartTerminalServices.log" /F
  • '%WINDIR%\syswow64\gpupdate.exe' /force
  • '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
  • '%WINDIR%\syswow64\timeout.exe' 3
  • '%WINDIR%\syswow64\net1.exe' stop SVCM /y
  • '<SYSTEM32>\raserver.exe' /offerraupdate
  • '%WINDIR%\syswow64\net.exe' start SVCM
  • '%WINDIR%\syswow64\net1.exe' start SVCM
  • '<SYSTEM32>\cmd.exe' /c sc config TermService start= auto
  • '<SYSTEM32>\sc.exe' config TermService start= auto
  • '<SYSTEM32>\sc.exe' config TermService depend= RPCSS/TermDD/SVCM
  • '<SYSTEM32>\cmd.exe' /c sc config TermService depend= RPCSS/TermDD/SVCM
  • '<SYSTEM32>\sc.exe' description SVCM "If this service is disabled, any services that explicitly depend on it will fail to start."
  • '%WINDIR%\syswow64\reg.exe' save HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "%TEMP%\UAC.reg" /y
  • '<SYSTEM32>\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=in action=allow protocol=TCP localport=443
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=out action=allow protocol=TCP localport=443
  • '%WINDIR%\syswow64\net.exe' start TermService
  • '%WINDIR%\syswow64\icacls.exe' C:\Siemens\ /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F /grant:r *S-1-5-32-545:(OI)(CI)RX /grant:r *S-1-5-32-544:(OI)(CI)F
  • '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 3389 "Terminal Server" enable all
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=out action=allow protocol=TCP localport=3389
  • '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 443 "HTTPS" enable all
  • '<SYSTEM32>\cmd.exe' /c netsh firewall set service remotedesktop enable
  • '<SYSTEM32>\cmd.exe' /c NET STOP TerminalService
  • '<SYSTEM32>\cmd.exe' /c NET STOP SVCM
  • '<SYSTEM32>\net1.exe' STOP TerminalService
  • '<SYSTEM32>\net1.exe' STOP SVCM
  • '<SYSTEM32>\cmd.exe' /c sc description SVCM "If this service is disabled, any services that explicitly depend on it will fail to start."
  • '%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Siemens\syngo /v TS+ /t REG_DWORD /d 1 /f
  • '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 80 "HTTP" enable all
  • '%WINDIR%\syswow64\net1.exe' start TermService

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play