Trojan.StartPage.63866

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DD20621B-4285-4D3F-ABDF-98AFB552ED5B}] 'Exec' = 'http://dy1.qdal.cn'
[<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E32C4654-8650-42E3-AD1C-9597BF7D32B1}] 'Exec' = 'http://www.baidu.com/index.php?tn=qdsjr_pg'
[<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{35871651-58D1-4D0C-84CB-D0F1D0940CAA}] 'Exec' = 'http://www.qdal.cn'
[<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B3F38EFC-CE02-4F11-9DB7-67C2BE490337}] 'Exec' = 'http://www.qd89.com'

Malicious functions:

Creates and executes the following:

'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\mspmsnsv.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\wdata32.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\update.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\Enamsnq.nls /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\KbProtect.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\qmgr.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\npptools.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\temp\wpcap.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\temp\WanPacket.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\wpcap.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\WanPacket.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\Packet.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\nspass0.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\TcpFilter.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\ssdtti.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\nspass4.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\nspass3.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\nspass1.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\LocaSync.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\appmgmts.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\bbns.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\fuck.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\kisl.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly <SYSTEM32>\func.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\temp\Packet.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %PROGRAM_FILES%\WinRAR\ntserver.dat /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %PROGRAM_FILES%\WinRAR\myrar.txt /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %PROGRAM_FILES%\WinRAR\probe2.bin /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\aboy.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\phpq.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\phpi.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly c:\sam.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%update.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %APPDATA%\d3.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %PROGRAM_FILES%\WinRAR\com.run /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly c:\system.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly c:\autorun.inf /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %TEMP%\acpidisk.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %TEMP%\dosss11.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %TEMP%\urlm0n.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\temp\npptools.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %TEMP%\Migsni.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %TEMP%\tmp.tmp /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\stin.bat /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\Dll.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\winyyy.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %TEMP%\TempFile.sys /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\linkinfo.dll /perm /setowner=
'<SYSTEM32>\qdal.dll' /Noverbose /file=directoriesonly %WINDIR%\SearchInfo.dll /perm /setowner=

Executes the following:

'<SYSTEM32>\cacls.exe' c:\MyRARwork /d everyone
'<SYSTEM32>\cacls.exe' c:\MyRARwork /c /p Everyone:r
'<SYSTEM32>\cacls.exe' %CommonProgramFiles%\Microsoft /c /p Everyone:r
'<SYSTEM32>\cacls.exe' %WINDIR%\Minidump /c /p Everyone:r
'<SYSTEM32>\cacls.exe' %CommonProgramFiles%\Microsoft /d everyone
'<SYSTEM32>\cacls.exe' <SYSTEM32>\cursors /d everyone
'%WINDIR%\regedit.exe' /pid=2896
'<SYSTEM32>\cacls.exe' /pid=2860
'<SYSTEM32>\cacls.exe' %PROGRAM_FILES%\windows NT\system /c /p Everyone:r
'<SYSTEM32>\cacls.exe' <SYSTEM32>\cursors /c /p Everyone:r
'<SYSTEM32>\cacls.exe' %PROGRAM_FILES%\windows NT\system /d everyone
'<SYSTEM32>\cacls.exe' %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Жф¶Ї Internet Explorer дЇААЖч.lnk /d everyone
'<SYSTEM32>\cacls.exe' %WINDIR%\amd /d everyone
'<SYSTEM32>\cacls.exe' %HOMEPATH%\Start Menu\Programs\Internet Explorer.lnk /d everyone
'%WINDIR%\regedit.exe' /s %TEMP%\qdal.reg
'<SYSTEM32>\cacls.exe' %ALLUSERSPROFILE%\Start Menu\Programs\Internet Explorer.lnk /d everyone
'<SYSTEM32>\cacls.exe' %WINDIR%\amd /c /p Everyone:r
'<SYSTEM32>\cacls.exe' %PROGRAM_FILES%\marvell\install /c /p Everyone:r
'<SYSTEM32>\cacls.exe' %WINDIR%\Minidump /d everyone
'<SYSTEM32>\cacls.exe' %PROGRAM_FILES%\marvell\install /d everyone
'<SYSTEM32>\cacls.exe' %PROGRAM_FILES%\marvell /d everyone
'<SYSTEM32>\cacls.exe' %PROGRAM_FILES%\marvell /c /p Everyone:r

Injects code into

the following system processes:

<SYSTEM32>\cmd.exe

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\alg.exe

the following user processes:

ntvdm.exe

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system :

Creates the following files:

%TEMP%\autC.tmp
%TEMP%\autD.tmp
%TEMP%\autE.tmp
%TEMP%\autB.tmp
%TEMP%\aut8.tmp
%TEMP%\aut9.tmp
%TEMP%\autA.tmp
%TEMP%\aut12.tmp
%HOMEPATH%\Start Menu\Programs\Internet Explorer.lnk
%TEMP%\aut13.tmp
%ALLUSERSPROFILE%\Start Menu\Programs\Internet Explorer.lnk
%TEMP%\autF.tmp
%TEMP%\aut10.tmp
%TEMP%\aut11.tmp
%TEMP%\aut3.tmp
<SYSTEM32>\qdal.dll
%TEMP%\aut4.tmp
%TEMP%\qdal.reg
%TEMP%\aut1.tmp
%TEMP%\Ot
%TEMP%\aut2.tmp
<SYSTEM32>\wbem\shop.ico
%TEMP%\aut7.tmp
<SYSTEM32>\wbem\bd.ico
%TEMP%\aut6.tmp
<SYSTEM32>\wbem\ie.ico
%TEMP%\aut5.tmp
<SYSTEM32>\wbem\mv.ico

Deletes the following files:

%TEMP%\autD.tmp
%TEMP%\autE.tmp
%TEMP%\autC.tmp
%TEMP%\autA.tmp
%TEMP%\autB.tmp
%TEMP%\aut12.tmp
%TEMP%\aut13.tmp
%TEMP%\aut11.tmp
%TEMP%\autF.tmp
%TEMP%\aut10.tmp
%TEMP%\aut9.tmp
%TEMP%\aut3.tmp
%TEMP%\qdal.reg
%TEMP%\aut2.tmp
%TEMP%\aut1.tmp
%TEMP%\Ot
%TEMP%\aut7.tmp
%TEMP%\aut8.tmp
%TEMP%\aut6.tmp
%TEMP%\aut4.tmp
%TEMP%\aut5.tmp

Miscellaneous:

Searches for the following windows:

ClassName: 'RegEdit_RegEdit' WindowName: '(null)'

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial