Ransom.Win32.TARGETCOMP.YXCKCZ
Win32:RansomX-gen [Ransom] (AVAST)
Platform: Windows
Malware type:
Ransomware
Destructive?:
No
Encrypted?:
In the Wild:
Yes
Overview
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technical Details
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It adds the following processes:
- "%System%\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
- "%System%\cmd.exe" /c bcdedit /set {current} recoveryenabled no
- "%Windows%\sysnative\vssadmin.exe" delete shadows /all /quiet
- taskkill -f -im {Stopped Processes}
- sc delete {Deleted Services}
(Note: %Windows% is the Windows folder, usually C:\WINDOWS or C:\WINNT.)
Other System Modifications
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start
HideShutDown = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start
HideRestart = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start
HideSignOut = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
shutdownwithoutlogon = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
MaxConnectionTime = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
MaxDisconnectionTime = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
MaxIdleTime = 0
It deletes the following registry keys/values:
HKEY_CURRENT_USER\SOFTWARE\Raccine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
Process Termination
It terminates the following processes if found running in the affected system's memory:
- sqlserv.exe
- oracle.exe
- ntdbsmgr.exe
- sqlservr.exe
- sqlwriter.exe
- MsDtsSrvr.exe
- msmdsrv.exe
- ReportingServecesService.exe
- fdhost.exe
- fdlauncher.exe
- mysql.exe
- where {Stopped Processes} are:
  - sqlwriter.exe
  - sqlservr.exe
  - msmdsrv.exe
  - MsDtsSrvr.exe
  - sqlceip.exe
  - fdlauncher.exe
  - Ssms.exe
  - SQLAGENT.EXE
  - fdhost.exe
  - fdlauncher.exe
  - sqlservr.exe
  - ReportingServicesService.exe
  - msftesql.exe
  - pg_ctl.exe
  - postgres.exe
Information Theft
It gathers the following data:
- Computer Name
- Product Name
- OS Architecture
- Application Privilege
Stolen Information
It sends the gathered information via HTTP POST to the following URL:
- http://{BLOCKED}.{BLOCKED}.191.141/QWEwqdsvsf/ap.php
Other Details
It does the following:
- It encrypts files from local drives, removable drives, and network shares.
- It DOES NOT continue to its routine if the User Default Language ID of the system is any of the following:
  - Russian (0x419)
  - Kazakh (0x43F)
  - Belarusian (0x423)
  - Ukrainian (0x422)
  - Tatar (0x444)
- It blocks any system shutdown and displays the following message:
  - "Do NOT shutdown OR reboot your PC: this might damage your files permanently !"
- It reverts the following modified registry entries to their default values after encryption:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
- It deletes the following services {Deleted Services}:
  - MSSQLFDLauncher
  - MSSQLSERVER
  - SQLSERVERAGENT
  - SQLBrowser
  - SQLTELEMETRY
  - MsDtsServer130
  - SSISTELEMETRY130
  - SQLWriter
  - MSSQL$VEEAMSQL2012
  - SQLAgent$VEEAMSQL2012
  - MSSQL
  - SQLAgent
  - MSSQLServerADHelper100
  - MSSQLServerOLAPService
  - MsDtsServer100
  - ReportServer
  - SQLTELEMETRY$HL
  - TMBMServer
  - MSSQL$PROGID
  - MSSQL$WOLTERSKLUWER
  - SQLAgent$PROGID
  - SQLAgent$WOLTERSKLUWER
  - MSSQLFDLauncher$OPTIMA
  - MSSQL$OPTIMA
  - SQLAgent$OPTIMA
  - ReportServer$OPTIMA
  - msftesql$SQLEXPRESS
  - postgresql-x64-9.4
Solution
Step 2
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
  - MaxConnectionTime = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
  - MaxDisconnectionTime = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
  - MaxIdleTime = 0
Step 5
Restore these deleted registry keys/values from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_CURRENT_USER\SOFTWARE\
  - Raccine
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\
  - Raccine
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - vssadmin.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - wmic.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - wbadmin.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - bcdedit.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - powershell.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - diskshadow.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - net.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  - taskkill.exe
Step 6
Search and delete these files
- {Drive Letter:}\FILE RECOVERY.txt
- {Encrypted Directory:}\FILE RECOVERY.txt
Step 7
Scan your computer with your Trend Micro product to delete files detected as Ransom.Win32.TARGETCOMP.YXCKCZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 8
Restore this file from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.