It drops the following copies of itself onto the affected system and executes them:
%UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe
%UserProfile%\[RANDOM CHARACTERS].log
%SystemDrive%\Program Files\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
%ProgramFiles%\MNetwork
%CurrentFolder%\[INFECTED FILE NAME]Srv.exe
%DriveLetter%\autorun.inf
%SystemDrive%\Documents and Settings\All Users\Application Data\[EIGHT PSEUDO-RANDOM CHARACTERS].log
%UserProfile%\Application Data\[EIGHT PSEUDO-RANDOM CHARACTERS].exe
%UserProfile%\Local Settings\Temp\[EIGHT PSEUDO-RANDOM CHARACTERS].sys
%UserProfile%\Local Settings\Temp\[EIGHT PSEUDO-RANDOM CHARACTERS].exe
%SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].log

File types it infects: .exe .dll .htm .html

It creates the following files on any removable drive:
%DriveLetter%\RECYCLER\[GUID]\[RANDOM CHARACTERS].exe
%DriveLetter%\RECYCLER\[GUID]\[RANDOM CHARACTERS].cpl
%DriveLetter%\autorun.inf
%DriveLetter%\Copy of Shortcut to (1).lnk
%DriveLetter%\Copy of Shortcut to (2).lnk
%DriveLetter%\Copy of Shortcut to (3).lnk
%DriveLetter%\Copy of Shortcut to (4).lnk

It exploits the following vulnerabilities remotely:
Microsoft Windows Shortcut "LNK/PIF" Files Automatic File Execution Vulnerability (CVE-2010-2568)
Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-1493)
Oracle Java Runtime Environment Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422)
The "Copy of Shortcut to (N).lnk" files written to removable drives are the carrier for CVE-2010-2568: on an unpatched host, merely displaying the drive's contents in Explorer is enough to load the payload, so the autorun.inf is not the only trigger.

It adds the following registry keys and entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\W32.Ramnit!dr
HKEY_LOCAL_MACHINE\SOFTWARE\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "3948550101"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "xas"
HKEY_CURRENT_USER\Software\W32.Ramnit!dr
The Image File Execution Options entries are a defense-evasion technique: Windows launches whatever is named in "Debugger" in place of the listed image, so pointing the Microsoft Security Essentials/Defender and ESET executables (msmpeng.exe, msseces.exe, msascui.exe, ekrn.exe) at svchost.exe means those security products silently fail to start. Setting DisableSR to 1 turns off System Restore, and WarnOnHTTPSToHTTPRedirect = 0 suppresses the Internet Explorer warning when a page redirects from HTTPS to HTTP.

It opens a back door on the compromised computer and can receive commands including, among others:
1. Upload cookies
2. Collect sensitive information
3. Capture screenshots

HiNet SOC advises you not to browse suspicious or malicious websites or open any suspicious files or e-mail, to back up important files regularly, to install patches for application software and operating systems and keep them up to date, and to install antivirus software and keep its signatures current, in order to reduce the risk of compromise.
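The registry and removable-drive indicators above can be checked offline during triage. The script below is an added example for this page, not HiNet SOC's or any vendor's tooling. It assumes the registry side is a text export in the format produced by `reg export` (the embedded sample is constructed and includes one benign IFEO debugger entry so the script's severity split is visible) and that the removable-drive side is a directory tree (a throwaway one is built in a temp directory). It flags any IFEO "Debugger" value, raising severity when the debugger is svchost.exe or the target is one of the security-product images named in the advisory, plus DisableSR = 1, WarnOnHTTPSToHTTPRedirect = 0, the Run entries the advisory names, and the autorun.inf / "Copy of Shortcut to (N).lnk" / RECYCLER executables on a drive.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in `reg export` format (strings are backslash-escaped
# there, hence the doubled backslashes). Not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnHTTPSToHTTPRedirect"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"xas"="C:\\Documents and Settings\\user\\Application Data\\kbfyhqwd.exe"
"OneDrive"="C:\\Program Files\\OneDrive.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_unescape = lambda s: re.sub(r'\\(.)', r'\1', s)  # .reg escapes \\ and \"

def parse_reg(text):
    """Return {key_path: {value_name: data}}; strings unescaped, dwords as int."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            elif data.lower().startswith('dword:'):
                data = int(data[6:], 16)
            tree[current][_unescape(m.group(1))] = data
    return tree

IFEO = '\\image file execution options\\'
SECURITY_IMAGES = {'msmpeng.exe', 'msseces.exe', 'msascui.exe', 'ekrn.exe'}  # from the advisory

def triage_registry(tree):
    """Return (severity, message) findings for the advisory's registry indicators."""
    findings = []
    for key, values in tree.items():
        low = key.lower()
        if IFEO in low and 'Debugger' in values:
            image, dbg = key.rsplit('\\', 1)[1].lower(), str(values['Debugger'])
            # svchost.exe is not a debugger: IFEO pointing at it makes the
            # target image silently fail to launch (security-product kill).
            if dbg.lower().endswith('svchost.exe') or image in SECURITY_IMAGES:
                findings.append(('HIGH', f'IFEO Debugger hijack: {image} -> {dbg}'))
            else:
                findings.append(('INFO', f'IFEO Debugger present (verify): {image} -> {dbg}'))
        if low.endswith('\\currentversion\\systemrestore') and values.get('DisableSR') == 1:
            findings.append(('HIGH', 'System Restore disabled (DisableSR=1)'))
        if low.endswith('\\currentversion\\internet settings') and values.get('WarnOnHTTPSToHTTPRedirect') == 0:
            findings.append(('MEDIUM', f'HTTPS->HTTP redirect warning disabled under {key.split(chr(92))[0]}'))
        if low.endswith('\\currentversion\\run'):
            for name, data in values.items():
                if name == 'xas' or name.isdigit():  # value names named in the advisory
                    findings.append(('HIGH', f'Run entry matching advisory: "{name}" = {data}'))
    return findings

LNK_RE = re.compile(r'^Copy of Shortcut to \(\d+\)\.lnk$', re.I)

def triage_removable(root):
    """Check a mounted drive (or image extraction) for the advisory's dropped files."""
    root, findings = Path(root), []
    if (root / 'autorun.inf').is_file():
        findings.append(('MEDIUM', 'autorun.inf present in drive root'))
    for p in root.iterdir():
        if p.is_file() and LNK_RE.match(p.name):
            findings.append(('HIGH', f'LNK lure in drive root: {p.name}'))
    recycler = root / 'RECYCLER'
    if recycler.is_dir():
        for p in recycler.rglob('*'):
            if p.is_file() and p.suffix.lower() in ('.exe', '.cpl'):
                findings.append(('HIGH', f'Executable under RECYCLER: {p.relative_to(root)}'))
    return findings

def build_sample_drive():
    """Constructed throwaway directory laid out like an infected removable drive."""
    d = Path(tempfile.mkdtemp(prefix='ramnit_demo_'))
    (d / 'autorun.inf').write_text('[autorun]\nopen=RECYCLER\\abcd.exe\n')  # constructed
    for i in range(1, 5):
        (d / f'Copy of Shortcut to ({i}).lnk').write_bytes(b'L\x00\x00\x00')
    g = d / 'RECYCLER' / '{00000000-0000-0000-0000-000000000000}'
    g.mkdir(parents=True)
    (g / 'abcd.exe').write_bytes(b'MZ')
    (g / 'abcd.cpl').write_bytes(b'MZ')
    (d / 'report.docx').write_bytes(b'PK')  # benign file, must not be flagged
    return d

if __name__ == '__main__':
    for sev, msg in triage_registry(parse_reg(SAMPLE_REG)) + triage_removable(build_sample_drive()):
        print(f'[{sev}] {msg}')
```

On a live host the export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and similarly for the other keys), which keeps the analysis read-only and lets the same script run on exports collected from many machines. The INFO-level branch matters: developers legitimately register debuggers under IFEO, so the script separates "a debugger is set" from "the debugger is svchost.exe or the target is a security product", which is the pattern this advisory describes.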