TROJ_COINMINE.WIPC

Utiliza el Programador de tareas de Windows para crear una tarea programada que ejecute las copias que infiltra.

Se conecta a determinados sitios Web para enviar y recibir información.

Instalación

Crea las siguientes copias de sí mismo en el sistema afectado:

• %ProgramData%\UpdateService\UpdateService.exe
• %All Users Profile%\UpdateService\UpdateService.exe

Infiltra los archivos siguientes:

• %ProgramData%\UpdateService\UpdateService.exe.config
• %ProgramData%\UpdateService\settings.dat
• %All Users Profile%\UpdateService\UpdateService.exe.config
• %All Users Profile%\UpdateService\settings.dat
• %System%\Tasks\UpdateService ← scheduled task

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows XP y Server 2003 en C:\Windows\System32).

Agrega los procesos siguientes:

• %ProgramData%\UpdateService\UpdateService.exe
• "%System%\schtasks.exe" /Delete /TN "UpdateService" /F;
• "%System%\schtasks.exe" /Create /RU SYSTEM /SC ONSTART /TN "UpdateService" /TR "\"C:\ProgramData\UpdateService\UpdateService.exe\" -t
• "%System%\schtasks.exe" /Run /TN "UpdateService"
• taskeng.exe %ProgramData%\UpdateService\UpdateService.exe -t
• "%Windows%\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"%AppDataLocal%\Temp\{random}.cmdline"

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows XP y Server 2003 en C:\Windows\System32).

Utiliza el Programador de tareas de Windows para crear una tarea programada que ejecute las copias que infiltra.

Crea las carpetas siguientes:

• %ProgramData%\UpdateService
• %All Users Profile%\UpdateService

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\CLR_CASOFF_MUTEX
• Global\d3091c53-b5db-4e3a-a345-c8a648bd6f1b
• Global\.net clr networking

Técnica de inicio automático

La tarea programada ejecuta el malware con cada:

• At every startup

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

• http://{BLOCKED}.118.135/system/info.php?url=/update/check
• http://{BLOCKED}.118.135/system/log.php?url=/update/check
• http://{BLOCKED}defincas.org/wp-includes/class-wp-info.php?url=/update/check
• http://{BLOCKED}defincas.org/wp-includes/class-wp-log.php?url=/update/check
• http://{BLOCKED}ans.com/Nueva/kickstart/plugins/system/{BLOCKED}/content_log.php?url=/update/check
• http://{BLOCKED}ka.ru/administrator/components/com_k2/views/settings/content_log.php?url=/update/check
• http://{BLOCKED}.ru/administrator/{BLOCKED}/com_sh404sef/{BLOCKED}/wizard/content_log.php?url=/update/check
• http://{BLOCKED}.co.uk/wp-includes/info.php?url=/update/check
• http://{BLOCKED}.co.uk/wp-includes/log.php?url=/update/check
• http://beta.{BLOCKED}.com/cg-bn/content_log.php?url=/update/check
• http://beta.{BLOCKED}.com/cg-bn/modules_info.php?url=/update/check
• http://{BLOCKED}.ru/{BLOCKED}/logs/info.php?url=/update/check
• http://{BLOCKED}.ru/{BLOCKED}/logs/log.php?url=/update/check
• http://{BLOCKED}-club.com/wp-{BLOCKED}/js/{BLOCKED}/plugins/wpeditimage/content_log.php?url=/update/check
• http://{BLOCKED}.com.ua/image/cache/data/kuvez/reanimationplace/content_log.php?url=/update/check
• http://{BLOCKED}.com.ua/image/cache/data/kuvez/reanimationplace/modules_info.php?url=/update/check
• http://{BLOCKED}.com/administrator/components/com_akeeba/language/nb-NO/content_log.php?url=/update/check
• http://{BLOCKED}.net/wp-content/plugins/all-in-one-wp-security-and-firewall/admin/general/content_log.php?url=/update/check
• http://{BLOCKED}.codafarm.com/lvg/lbkgf/e8df/robiw/papkr342/content_log.php?url=/update/check
• http://{BLOCKED}dia.{BLOCKED}.com/lvg/lbkgf/e8df/robiw/papkr342/modules_info.php?url=/update/check
• http://{BLOCKED}-trunk.de/templates/{BLOCKED}/html/com_content/featured/content_log.php?url=/update/check
• http://clearsky{BLOCKED}.com/administrator/{BLOCKED}/com_contenthistory/views/history/content_log.php?url=/update/check
• http://{BLOCKED}-online.de/vertrieb/{BLOCKED}/o2/Data/content_log.php?url=/update/check
• http://cop{BLOCKED}.hu/plugins/{BLOCKED}/logout/info.php?url=/update/check
• http://cop{BLOCKED}.hu/plugins/{BLOCKED}/logout/log.php?url=/update/check
• http://desire{BLOCKED}.com/fs8474v/pagesp{BLOCKED}/content_log.php?url=/update/check
• http://{BLOCKED}den.se/wp-includes/js/tinymce/plugins/wpdialogs/js/info.php?url=/update/check
• http://{BLOCKED}den.se/wp-includes/js/tinymce/plugins/wpdialogs/js/log.php?url=/update/check
• http://evil{BLOCKED}.org/wp-includes/js/tinymce/plugins/lists/content_log.php?url=/update/check
• http://{BLOCKED}orth.com/info?url=/update/check
• http://{BLOCKED}orth.com/log?url=/update/check
• http://f{BLOCKED}s.dp.ua/js/modules/{BLOCKED}/plugins/clipboard/content_log.php?url=/update/check
• http://gesundheits{BLOCKED}-suhl.de/administrator/{BLOCKED}/com_xcloner-backupandrestore/classes/phpseclib/content_log.php?url=/update/check
• http://{BLOCKED}andtyler.com/cg-bn/content_log.php?url=/update/check
• http://holli{BLOCKED}.com/cg-bn/modules_info.php?url=/update/check
• http://{BLOCKED}-voin.ru/wp-info.php?url=/update/check
• http://{BLOCKED}-voin.ru/wp-log.php?url=/update/check
• http://{BLOCKED}.org.ua/cgi-bin/content_log.php?url=/update/check
• http://{BLOCKED}.org.ua/cgi-bin/modules_info.php?url=/update/check
• http://jf-{BLOCKED}.de/components/com_weblinks/views/form/tmpl/content_log.php?url=/update/check
• http://mebel-{BLOCKED}.com.ua/wp-admin/wp-info.php?url=/update/check
• http://mebel-{BLOCKED}.com.ua/wp-admin/wp-log.php?url=/update/check
• http://narko{BLOCKED}.ru/templates/beez3/html/com_contact/contact/content_log.php?url=/update/check
• http://{BLOCKED}-nvkz.ru/administrator/components/com_menus/views/items/content_log.php?url=/update/check
• http://{BLOCKED}.dinkumnet.com/w/wp-content/themes/twentysixteen/inc/content_log.php?url=/update/check
• http://podaro{BLOCKED}.ru/admin/servis/sale/info.php?url=/update/check
• http://podaro{BLOCKED}.ru/admin/servis/sale/log.php?url=/update/check
• http://print{BLOCKED}.ru/bitrix/js/main/amcharts/3.0/content_log.php?url=/update/check
• http://pro{BLOCKED}.at/sites/all/modules/mailchimp/modules/content_log.php?url=/update/check
• http://prodam-{BLOCKED}.by/mmm/wp-content/plugins/Ultimate_VC_Addons/languages/content_log.php?url=/update/check
• http://{BLOCKED}.ru/components/{BLOCKED}/templates/default/order/content_log.php?url=/update/check
• http://reklama-{BLOCKED}.ru/components/{BLOCKED}/views/comment/tmpl/content_log.php?url=/update/check
• http://ru{BLOCKED}.com/administrator/components/com_templates/views/source/content_log.php?url=/update/check
• http://strategisk{BLOCKED}ledelse.dk/wp-content/{BLOCKED}/info.php?url=/update/check
• http://strategisk{BLOCKED}ledelse.dk/wp-content/{BLOCKED}/log.php?url=/update/check
• http://{BLOCKED}-sas.ru/templates/jsn_epic_free/html/com_wrapper/wrapper/content_log.php?url=/update/check
• http://{BLOCKED}.com.ua/{BLOCKED}/ie/log.php?url=/update/check
• http://{BLOCKED}.com.ua/{BLOCKED}/ie/style.php?url=/update/check
• http://{BLOCKED}pub.com/!{BLOCKED}/zkt/lbkgf/vgu/content_log.php?url=/update/check
• http://www.{BLOCKED}bwin.com/uf666/plugins/bower_components/jquery/dist/content_log.php?url=/update/check
• http://www.es{BLOCKED}s.com/{BLOCKED}/content_log.php?url=/update/check
• http://{BLOCKED}.ru/libraries/cms/schema/{BLOCKED}/info.php?url=/update/check
• http://{BLOCKED}.ru/libraries/cms/schema/{BLOCKED}/log.php?url=/update/check