20170709

VBS.Vlerli

[External link]
https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99
Systems Affected:
Windows
Once executed, the worm creates the following files:
%AppData%\Adobe Photoshop\Picture.Png
%AppData%\Adobe PhotoShop\Photo.Jpeg
%AppData%\Adobe PhotoShop\Share\DCIM\Photo.Jpeg
%AppData%\Adobe PhotoShop\Share\MOVIES\Photo.Jpeg
%AppData%\Adobe PhotoShop\Share\MUSIC\Photo.Jpeg
%AppData%\Adobe PhotoShop\Share\VIDEO\Photo.Jpeg
%AppData%\Adobe PhotoShop\Share\XNXX\Photo.Jpeg
%AppData%\Adobe PhotoShop\runsc.exe
%AppData%\Adobe PhotoShop\Startrun.pif
%AppData%\Adobe PhotoShop\Share\DCIM\Pictur.jpg.lnk
%AppData%\Adobe PhotoShop\Share\MOVIES\Movies.Mp4.lnk
%AppData%\Adobe PhotoShop\Share\MUSIC\Music.Mp3.lnk
%AppData%\Adobe PhotoShop\Share\VIDEO\YouTube.Flv.lnk
%AppData%\Adobe PhotoShop\Share\XNXX\Video.Mp4
[ALL DRIVES]\Adobe\Picture.png
[ALL DRIVES]\Adobe\runsc.exe

The worm creates the following registry subkeys so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe PhotoShop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Adobe PhotoShop

The worm deletes LNK file associations found under the following registry subkey:
HKEY_CURRENT_USER

The worm modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = "0"

The worm creates a link to itself in all open shares on the compromised computer.

The worm ends all processes associated with the following folder:
%AppData%\Adobe PhotoShop

Next, the worm ends all processes associated with Smadav and USB Disk Security to allow it to spread onto removable drives.

The worm also ends the following processes:
usbguard.exe
procexp.exe
processhacker.exe

The worm disables security notifications on the compromised computer.

The worm then opens a backdoor on the compromised computer and connects to one or more of the following remote locations:
mr-wolf.[REMOVED]ectme.net:2016
mr-wolf.l[REMOVED]kpc.net:2016
mr-wolf.m[REMOVED]-see.com:2016

Next, the worm gathers the following information and sends it to a remote location:
Installed antivirus product names
Operating system information

The worm may then perform the following actions:
Uninstall itself
Update itself
Execute scripts or commands

The worm spreads via removable drives and network shares.
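
The file and registry artifacts listed above can be checked on a host with a read-only script such as the one below. It is an added example, not part of the Symantec write-up, and it assumes it is run as the user being examined, because %AppData% and HKEY_CURRENT_USER are per-user.

```powershell
# Added example: read-only triage for the VBS.Vlerli artifacts listed in this write-up.
# Assumption: run in the session of the user being checked (HKCU and %AppData% are per-user).
$findings = New-Object System.Collections.Generic.List[string]

# Files dropped in the user's profile. Windows paths are case-insensitive, so one
# spelling covers both "Adobe Photoshop" and "Adobe PhotoShop" from the list.
$dropDir = Join-Path $env:APPDATA 'Adobe PhotoShop'
foreach ($name in 'runsc.exe', 'Startrun.pif', 'Picture.Png', 'Photo.Jpeg') {
    $path = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# Copies placed in an "Adobe" folder at the root of every drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'runsc.exe', 'Picture.png') {
        $path = Join-Path $drive.Root "Adobe\$name"
        if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
            $findings.Add("File present: $path")
        }
    }
}

# Persistence. The write-up calls these subkeys; autorun entries are normally
# values under Run/RunOnce, so look for either form.
foreach ($key in 'Run', 'RunOnce') {
    $base  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$key"
    $props = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $value = $props.'Adobe PhotoShop'
    if ($null -ne $value) { $findings.Add("Autorun value under ${key}: $value") }
    if (Test-Path -LiteralPath "$base\Adobe PhotoShop") { $findings.Add("Autorun subkey under $key") }
}

# Modified settings. EnableLUA = 0 means UAC is turned off. ShowSuperHidden = 0 is
# also the Windows default, so it only matters alongside other findings.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Note = 'UAC disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Note = 'weak on its own' }
)
foreach ($s in $settings) {
    $name  = $s.Name
    $props = Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.$name -eq 0) {
        $findings.Add("$name = 0 ($($s.Note)) at $($s.Path)")
    }
}

if ($findings.Count) { $findings } else { 'None of the listed file or registry artifacts were found.' }
```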