Trojan.Siggen30.51154

Added to the Dr.Web virus database: 2025-01-17

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • %APPDATA%\microsoft\windows\start menu\programs\startup\rest.bat
Sets the following service settings
  • [HKLM\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Malicious functions
Executes the following
  • '<SYSTEM32>\net.exe' stop ??ecurity Center??
  • '<SYSTEM32>\net.exe' user 13056 3007 /add
  • '<SYSTEM32>\net.exe' user 4686 9067 /add
  • '<SYSTEM32>\net.exe' user 15393 7818 /add
  • '<SYSTEM32>\net.exe' user 32670 22948 /add
  • '<SYSTEM32>\net.exe' user 20802 8461 /add
  • '<SYSTEM32>\net.exe' user 30379 11267 /add
  • '<SYSTEM32>\net.exe' user 6615 21879 /add
  • '<SYSTEM32>\net.exe' user 18224 10341 /add
  • '<SYSTEM32>\net.exe' user 13596 17318 /add
  • '<SYSTEM32>\net.exe' user 26859 31138 /add
  • '<SYSTEM32>\net.exe' user 11353 29265 /add
  • '<SYSTEM32>\net.exe' user 9517 32559 /add
  • '<SYSTEM32>\net.exe' user 32221 9190 /add
  • '<SYSTEM32>\net.exe' user 8191 2658 /add
  • '<SYSTEM32>\net.exe' user 27752 29528 /add
  • '<SYSTEM32>\net.exe' user 21964 18649 /add
  • '<SYSTEM32>\net.exe' user 24550 19410 /add
  • '<SYSTEM32>\net.exe' user 12233 7141 /add
  • '<SYSTEM32>\net.exe' user 8697 14639 /add
  • '<SYSTEM32>\net.exe' user 7468 17034 /add
  • '<SYSTEM32>\net.exe' user 13278 31564 /add
  • '<SYSTEM32>\net.exe' user 21424 31659 /add
  • '<SYSTEM32>\net.exe' user 30899 18781 /add
  • '<SYSTEM32>\net.exe' user 19465 16952 /add
  • '<SYSTEM32>\net.exe' user 4223 20704 /add
  • '<SYSTEM32>\net.exe' user 23140 16519 /add
  • '<SYSTEM32>\net.exe' user 16535 18995 /add
  • '<SYSTEM32>\net.exe' user 32355 9141 /add
  • '<SYSTEM32>\net.exe' user 9461 13154 /add
  • '<SYSTEM32>\net.exe' user 24146 9592 /add
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=Restarted
  • '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=Restarted
  • '<SYSTEM32>\net.exe' user 17004 9176 /add
  • '<SYSTEM32>\net.exe' user 30407 28693 /add
  • '<SYSTEM32>\net.exe' user 26317 28649 /add
  • '<SYSTEM32>\net.exe' user 3382 18977 /add
  • '<SYSTEM32>\net.exe' user 22749 4188 /add
  • '<SYSTEM32>\net.exe' user 25145 22854 /add
  • '<SYSTEM32>\net.exe' user 27940 18853 /add
  • '<SYSTEM32>\net.exe' user 8771 27321 /add
  • '<SYSTEM32>\net.exe' user 1106 24776 /add
  • '<SYSTEM32>\net.exe' user 2328 27331 /add
  • '<SYSTEM32>\netsh.exe' firewall set opmode mode=disable
  • '<SYSTEM32>\net.exe' user 15070 7277 /add
  • '<SYSTEM32>\net.exe' user 15340 23607 /add
  • '<SYSTEM32>\net.exe' user 4239 17804 /add
  • '<SYSTEM32>\net.exe' user 15220 14930 /add
  • '<SYSTEM32>\net.exe' user 32359 2251 /add
  • '<SYSTEM32>\net.exe' user 23457 27467 /add
  • '<SYSTEM32>\net.exe' user 18748 22600 /add
  • '<SYSTEM32>\net.exe' user 375 20517 /add
  • '<SYSTEM32>\net.exe' user 24026 32305 /add
  • '<SYSTEM32>\net.exe' user 23737 28329 /add
  • '<SYSTEM32>\net.exe' user 11186 27072 /add
  • '<SYSTEM32>\net.exe' user 9994 17405 /add
  • '<SYSTEM32>\net.exe' user 32033 13933 /add
  • '<SYSTEM32>\net.exe' user 11917 3697 /add
  • '<SYSTEM32>\net.exe' user 5392 25531 /add
  • '<SYSTEM32>\net.exe' user 25715 8399 /add
Launches a large number of processes
Terminates or attempts to terminate the following user processes:
  • firefox.exe
Modifies file system
Creates the following files
  • %TEMP%\7667.tmp\7668.tmp\7669.bat
  • nul
  • %TEMP%\7d4a.tmp\7d4b.tmp\7d4c.bat
  • <Current directory>\windowswimn32.bat
  • <Current directory>\9k21jm10b.log
  • <Current directory>\restart.bat
  • <Current directory>\bsod.cmd
  • <Current directory>\kill.txt
  • <Current directory>\rest.bat
  • C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup
Sets the 'hidden' attribute to the following files
  • <Current directory>\9k21jm10b.log
  • <Current directory>\bsod.cmd
Deletes the following files
  • <Current directory>\rest.bat
Network activity
TCP
Other
  • '34.##9.100.209':443
UDP
  • 'localhost':52746
  • 'localhost':53595
Miscellaneous
Restarts the analyzed sample
Executes the following
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\7667.tmp\7668.tmp\7669.bat <Full path to file>"
  • '<SYSTEM32>\net1.exe' user 25145 22854 /add
  • '<SYSTEM32>\net1.exe' user 27940 18853 /add
  • '<SYSTEM32>\net1.exe' user 8771 27321 /add
  • '<SYSTEM32>\net1.exe' user 1106 24776 /add
  • '<SYSTEM32>\net1.exe' user 2328 27331 /add
  • '<SYSTEM32>\net1.exe' user 375 20517 /add
  • '<SYSTEM32>\net1.exe' user 22749 4188 /add
  • '<SYSTEM32>\net1.exe' user 3382 18977 /add
  • '<SYSTEM32>\net1.exe' user 4239 17804 /add
  • '<SYSTEM32>\net1.exe' user 15220 14930 /add
  • '<SYSTEM32>\net1.exe' user 32359 2251 /add
  • '<SYSTEM32>\net1.exe' user 23457 27467 /add
  • '<SYSTEM32>\net1.exe' user 18748 22600 /add
  • '<SYSTEM32>\net1.exe' user 15070 7277 /add
  • '<SYSTEM32>\net1.exe' user 15340 23607 /add
  • '<SYSTEM32>\attrib.exe' +h +s 9K21JM10B.log
  • '<SYSTEM32>\net1.exe' user 11917 3697 /add
  • '<SYSTEM32>\mode.com' 1000
  • '<SYSTEM32>\attrib.exe' +h +s 1.vbs
  • '<SYSTEM32>\attrib.exe' +h +s 2.vbs
  • '<SYSTEM32>\cmd.exe' /K bsod.cmd
  • '<SYSTEM32>\net.exe' user user /delete
  • '<SYSTEM32>\net1.exe' user user /delete
  • '<SYSTEM32>\net1.exe' user 17004 9176 /add
  • '<SYSTEM32>\net1.exe' user 26317 28649 /add
  • '<SYSTEM32>\net1.exe' user 30407 28693 /add
  • '<SYSTEM32>\ipconfig.exe'
  • '<SYSTEM32>\find.exe' /i "IPv4"
  • '<SYSTEM32>\wbem\wmic.exe' diskdrive get size
  • '<SYSTEM32>\wbem\wmic.exe' cpu get name
  • '<SYSTEM32>\systeminfo.exe'
  • '<SYSTEM32>\scrnsave.scr' /s
  • '<SYSTEM32>\netsh.exe' wlan show profiles
  • '<SYSTEM32>\attrib.exe' +h +s bsod.cmd
  • '<SYSTEM32>\net1.exe' user 24026 32305 /add
  • '<SYSTEM32>\net1.exe' user 32033 13933 /add
  • '<SYSTEM32>\net1.exe' user 23140 16519 /add
  • '<SYSTEM32>\net1.exe' user 16535 18995 /add
  • '<SYSTEM32>\net1.exe' user 27752 29528 /add
  • '<SYSTEM32>\net1.exe' user 21964 18649 /add
  • '<SYSTEM32>\net1.exe' user 24550 19410 /add
  • '<SYSTEM32>\net1.exe' user 11353 29265 /add
  • '<SYSTEM32>\net1.exe' user 8191 2658 /add
  • '<SYSTEM32>\net1.exe' user 12233 7141 /add
  • '<SYSTEM32>\net1.exe' user 13278 31564 /add
  • '<SYSTEM32>\net1.exe' user 21424 31659 /add
  • '<SYSTEM32>\net1.exe' user 30899 18781 /add
  • '<SYSTEM32>\net1.exe' user 19465 16952 /add
  • '<SYSTEM32>\net1.exe' user 4223 20704 /add
  • '<SYSTEM32>\net1.exe' user 8697 14639 /add
  • '<SYSTEM32>\net1.exe' user 7468 17034 /add
  • '<SYSTEM32>\net1.exe' user 11186 27072 /add
  • '<SYSTEM32>\net1.exe' user 23737 28329 /add
  • '<SYSTEM32>\net1.exe' user 18224 10341 /add
  • '<SYSTEM32>\net1.exe' user 24146 9592 /add
  • '<SYSTEM32>\net1.exe' user 9461 13154 /add
  • '<SYSTEM32>\net1.exe' user 32355 9141 /add
  • '<SYSTEM32>\net1.exe' user 9517 32559 /add
  • '<SYSTEM32>\net1.exe' user 13596 17318 /add
  • '<SYSTEM32>\net1.exe' user 9994 17405 /add
  • '<SYSTEM32>\net1.exe' user 26859 31138 /add
  • '<SYSTEM32>\net1.exe' user 32221 9190 /add
  • '<SYSTEM32>\net1.exe' user 32670 22948 /add
  • '<SYSTEM32>\net1.exe' user 20802 8461 /add
  • '<SYSTEM32>\net1.exe' user 30379 11267 /add
  • '<SYSTEM32>\net1.exe' user 6615 21879 /add
  • '<SYSTEM32>\net1.exe' user 13056 3007 /add
  • '<SYSTEM32>\net1.exe' user 4686 9067 /add
  • '<SYSTEM32>\net1.exe' user 15393 7818 /add
  • '<SYSTEM32>\tskill.exe' /A offg*
  • '<SYSTEM32>\tskill.exe' /A norm*
  • '<SYSTEM32>\tskill.exe' /A avas*
  • '<SYSTEM32>\tskill.exe' /A ewid*
  • '<SYSTEM32>\tskill.exe' /A aswupdsv
  • '<SYSTEM32>\tskill.exe' /A ash*
  • '<SYSTEM32>\tskill.exe' /A avg*
  • '<SYSTEM32>\tskill.exe' /A kav
  • '<SYSTEM32>\tskill.exe' /A def*
  • '<SYSTEM32>\tskill.exe' /A ZONEALARM
  • '<SYSTEM32>\tskill.exe' /A KAV*
  • '<SYSTEM32>\tskill.exe' /A ESAFE
  • '<SYSTEM32>\tskill.exe' /A F-*
  • '<SYSTEM32>\tskill.exe' /A nav*
  • '<SYSTEM32>\tskill.exe' /A nv*
  • '<SYSTEM32>\tskill.exe' /A OUTPOST
  • '<SYSTEM32>\tskill.exe' /A SAFEWEB
  • '<SYSTEM32>\tskill.exe' /A BLACKICE
  • '<SYSTEM32>\tskill.exe' /A cle
  • '<SYSTEM32>\cacls.exe' "<SYSTEM32>\config\system"
  • '<SYSTEM32>\tskill.exe' /A fire*
  • '<SYSTEM32>\cmd.exe' /S /D /c" echo N"
  • '<SYSTEM32>\cmd.exe' /C "<Full path to file>" Restarted
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\7D4A.tmp\7D4B.tmp\7D4C.bat <Full path to file> Restarted"
  • '<SYSTEM32>\reg.exe' add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
  • '<SYSTEM32>\tskill.exe' /A guar*
  • '<SYSTEM32>\reg.exe' add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
  • '<SYSTEM32>\tskill.exe' /A gcasDt*
  • '<SYSTEM32>\cmd.exe' /S /D /c" start "" /WAIT cmd.exe /C "<Full path to file>" Restarted 1>NUL"
  • '<SYSTEM32>\tskill.exe' /A anti*
  • '<SYSTEM32>\tskill.exe' /A spy*
  • '<SYSTEM32>\tskill.exe' /A bullguard
  • '<SYSTEM32>\tskill.exe' /A PersFw
  • '<SYSTEM32>\net1.exe' stop ??ecurity Center??
  • '<SYSTEM32>\net1.exe' user 5392 25531 /add
  • '<SYSTEM32>\tskill.exe' /A av*
  • '<SYSTEM32>\tskill.exe' /A guard*
  • '<SYSTEM32>\tskill.exe' /A mcafe*
  • '<SYSTEM32>\tskill.exe' /A pop*
  • '<SYSTEM32>\tskill.exe' /A padmin
  • '<SYSTEM32>\tskill.exe' /A panda*
  • '<SYSTEM32>\tskill.exe' /A avsch*
  • '<SYSTEM32>\tskill.exe' /A msmp*
  • '<SYSTEM32>\tskill.exe' /A sche*
  • '<SYSTEM32>\tskill.exe' /A issvc
  • '<SYSTEM32>\tskill.exe' /A pav*
  • '<SYSTEM32>\tskill.exe' /A virus*
  • '<SYSTEM32>\tskill.exe' /A scan*
  • '<SYSTEM32>\tskill.exe' /A ad-*
  • '<SYSTEM32>\tskill.exe' /A safe*
  • '<SYSTEM32>\tskill.exe' /A syman*
  • '<SYSTEM32>\tskill.exe' /A tmn*
  • '<SYSTEM32>\tskill.exe' /A realm*
  • '<SYSTEM32>\tskill.exe' /A sweep*
  • '<SYSTEM32>\tskill.exe' /A pcc*
  • '<SYSTEM32>\tskill.exe' /A mghtml
  • '<SYSTEM32>\tskill.exe' /A cpd*
  • '<SYSTEM32>\tskill.exe' /A isafe
  • '<SYSTEM32>\tskill.exe' /A zap*
  • '<SYSTEM32>\tskill.exe' /A zauinst
  • '<SYSTEM32>\tskill.exe' /A tmp*
  • '<SYSTEM32>\tskill.exe' /A minilog
  • '<SYSTEM32>\tskill.exe' /A upd*
  • '<SYSTEM32>\tskill.exe' /A msiexec
  • '<SYSTEM32>\tskill.exe' /A norton*
  • '<SYSTEM32>\tskill.exe' /A ccc*
  • '<SYSTEM32>\tskill.exe' /A npfmn*
  • '<SYSTEM32>\tskill.exe' /A loge*
  • '<SYSTEM32>\tskill.exe' /A nisum*
  • '<SYSTEM32>\tskill.exe' /A cc*
  • '<SYSTEM32>\net1.exe' user 25715 8399 /add
  • '<SYSTEM32>\tskill.exe' /A norton au*
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\7D4A.tmp\7D4B.tmp\7D4C.bat <Full path to file> Restarted"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\7667.tmp\7668.tmp\7669.bat <Full path to file>"' (with hidden window)
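The command lines above are the useful part of this report for a detection engineer: a batch dropper that floods the host with numeric local accounts via net.exe/net1.exe, disables the firewall and opens an inbound port, kills anti-virus processes by name prefix with tskill, registers itself under both Run keys, copies rest.bat into the Startup folder, and runs light reconnaissance (ipconfig, wmic, systeminfo, netsh wlan show profiles). Two details worth noting before turning them into rules: `localport=Restarted` and the second-stage `cmd.exe /C "<Full path to file>" Restarted` show the script passing the literal word `Restarted` as its first argument into the netsh command, and `c:windowswimn32.bat` together with the dropped file `<Current directory>\windowswimn32.bat` show that the backslashes were lost somewhere in the dropper itself, so several of these commands fail on a real host. Detection should therefore key on the attempt, not on its success. The following is an added example, not Dr.Web's code or anything from the sample: it encodes the behaviours recorded above as weighted rules over process-creation command lines and scores each host. The log line format, the host names and the sample events are constructed for the example; in production the input would be the CommandLine field of Sysmon Event ID 1 or Security event 4688.

```python
"""Score Windows process-creation events against the behaviours in the report.

Added example, not Dr.Web's code.  Rules are derived from the recorded command
lines: mass `net user <digits> <digits> /add`, `netsh firewall set opmode
mode=disable`, `tskill /A <av-prefix>`, `reg add ...run /v ...`, a script copied
into the Startup folder.  Log format and sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format: one process-creation event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+'
    r'cmd="(?P<cmd>.*)"$'
)

# (rule name, regex over the lower-cased command line, weight).  The image may be
# quoted in real logs, hence the optional closing quote after the executable name.
RULES = [
    ("numeric_account_add",
     re.compile(r'\bnet1?(?:\.exe)?"?\s+user\s+\d+\s+\d+\s+/add\b'), 1),
    ("firewall_disable",
     re.compile(r'\bnetsh(?:\.exe)?"?\s+firewall\s+set\s+opmode\s+mode=disable\b'), 5),
    ("firewall_rule_add",
     re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'), 2),
    # The report shows the service name with garbled quoting; match the stable tail.
    ("security_center_stop",
     re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\b.*ecurity\s+center'), 5),
    ("av_process_kill",
     re.compile(r'\btskill(?:\.exe)?"?\s+/a\s+(?:av|anti|spy|virus|scan|norton|mcafe|panda'
                r'|kav|nav|fire|guar|safe|syman|zonealarm|outpost|msmp)\w*\*?'), 3),
    # Matches both hkcu\...\currentversion\run and the backslash-less form seen above.
    ("run_key_persistence",
     re.compile(r'\breg(?:\.exe)?"?\s+add\s+"?hk\S*currentversion\\?run\b.*\s/v\s'), 4),
    ("startup_folder_drop",
     re.compile(r'start menu\\programs\\startup\\[^"\s]+\.(?:bat|cmd|vbs|exe|lnk)\b'), 4),
    ("wlan_profile_dump",
     re.compile(r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+profiles\b'), 1),
]
# net.exe hands off to net1.exe, so one account creation can log twice; the
# threshold is still far below what the sample does (dozens of accounts).
ACCOUNT_BURST = 5
BURST_BONUS = 5


@dataclass
class Event:
    ts: str
    host: str
    pid: int
    ppid: int
    cmd: str


def parse_line(line):
    """Return an Event for a well-formed line, None for anything else (skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["host"], int(m["pid"]), int(m["ppid"]), m["cmd"])


def classify(cmd):
    """Names of every rule a single command line triggers (may be several)."""
    low = cmd.lower()
    return [name for name, rx, _ in RULES if rx.search(low)]


def score_host(events):
    """Aggregate rule hits for one host: each distinct behaviour counts once, plus a burst bonus."""
    hits = Counter()
    for ev in events:
        for name in classify(ev.cmd):
            hits[name] += 1
    weights = {name: w for name, _, w in RULES}
    score = sum(weights[name] for name in hits)
    if hits["numeric_account_add"] >= ACCOUNT_BURST:
        score += BURST_BONUS
    verdict = "malicious" if score >= 10 else "suspicious" if score >= 4 else "benign"
    return {"score": score, "verdict": verdict, "hits": dict(hits)}


def analyse(lines):
    """Group parsed events by host and score each host."""
    by_host = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_host.setdefault(ev.host, []).append(ev)
    return {host: score_host(evs) for host, evs in by_host.items()}


# Constructed sample: ws01 replays the report's sequence, ws02 is routine admin work.
SAMPLE_LOG = r'''
2025-01-17T10:02:11Z ws01 pid=4120 ppid=3001 cmd="cmd.exe /c C:\Users\u\Desktop\rest.bat"
2025-01-17T10:02:12Z ws01 pid=4131 ppid=4120 cmd="net user 13056 3007 /add"
2025-01-17T10:02:12Z ws01 pid=4132 ppid=4131 cmd="C:\Windows\system32\net1 user 13056 3007 /add"
2025-01-17T10:02:13Z ws01 pid=4140 ppid=4120 cmd="net user 4686 9067 /add"
2025-01-17T10:02:13Z ws01 pid=4145 ppid=4120 cmd="net user 15393 7818 /add"
2025-01-17T10:02:14Z ws01 pid=4150 ppid=4120 cmd="net user 32670 22948 /add"
2025-01-17T10:02:15Z ws01 pid=4160 ppid=4120 cmd="netsh firewall set opmode mode=disable"
2025-01-17T10:02:15Z ws01 pid=4165 ppid=4120 cmd="netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=Restarted"
2025-01-17T10:02:16Z ws01 pid=4170 ppid=4120 cmd="tskill /A av*"
2025-01-17T10:02:16Z ws01 pid=4171 ppid=4120 cmd="tskill /A mcafe*"
2025-01-17T10:02:17Z ws01 pid=4180 ppid=4120 cmd="reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f"
2025-01-17T10:02:18Z ws01 pid=4190 ppid=4120 cmd="cmd /c copy rest.bat "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rest.bat""
2025-01-17T10:02:19Z ws01 pid=4195 ppid=4120 cmd="netsh wlan show profiles"
2025-01-17T10:05:00Z ws02 pid=1201 ppid=900 cmd="net user jdoe Summer2025! /add"
2025-01-17T10:05:30Z ws02 pid=1210 ppid=900 cmd="netsh advfirewall firewall add rule name="SQL" dir=in action=allow protocol=TCP localport=1433"
this line is not an event and is skipped
'''

if __name__ == "__main__":
    for host, result in analyse(SAMPLE_LOG.splitlines()).items():
        print(host, result["verdict"], result["score"], result["hits"])
```

The scoring deliberately counts each behaviour once rather than per event, so a single allow-rule on ws02 stays benign while the combination on ws01 (account flood, firewall tamper, AV kill, two persistence mechanisms) crosses the malicious threshold regardless of whether any individual command succeeded. On a real fleet the per-host grouping should also be bounded by a time window and keyed on the parent process, since the whole sequence here descends from one cmd.exe.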

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.