Trojan.BAT.TOGGLEDEFENDER.A
Trojan:BAT/ToggleDefender.LK!MTB (MICROSOFT)
Windows
Threat type:
Trojan
Destructive?:
No
Encrypted?:
In the wild:
Yes
Overview and description
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technical details
Arrival details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
Drops the following files:
- %User Temp%\MpCmdRun.log
(Note: %User Temp% is the Temp folder of the active user, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP and Server 2003(32-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
Adds the following processes:
- cmd.exe powershell -nop -win 1 -c iex ([io.file])::ReadAllText($env:0))
- sc.exe qc windefend
- whoami.exe /groups
- net1.exe start TrustedInstaller
Other system modifications
Adds the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
- MpCloudBlockLevel = 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
- SpyNetReporting = 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
- SubmitSamplesConsent = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- PUAProtection = 1
- HKEY_CURRENT_USER\Volatile Environment
- ToggleDefend = {script of the batch file} → Deletes afterward
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExemptDomainFileTypePairsFromFileTypeDownloadWarning
- 1 = {"file_extension":"exe","domains":["*"]}
Adds the following registry keys as part of its installation routine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Security Center\Notification
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExemptDomainFileTypePairsFromFileTypeDownloadWarning
Deletes the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableRoutinelyTakingAction =
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- RealtimeScanDirection =
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- PUAProtection =
Other details
It does the following:
- Display the following message box:
- It enables/disables Windows Defender:
- If enabled:
- Deletes the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
- DisableNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- Notification_Suppress
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- UILockdown
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
- DisableNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration
- Notification_Suppress
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration
- UILockdown
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
- EnableSmartScreen
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- DisableRealtimeMonitoring
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableAntiSpyware
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
- DisableAntiSpyware
- Modifies the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
- ShellSmartScreenLevel = Warn
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
- EnableWebContentEvaluation = 1
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
- PreventOverride = 0
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Edge\SmartScreenEnabled
- (Default) = 1
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled
- (Default) = 1
- Adds the following processes:
- sc.exe config windefend depend= RpcsSs
- net1 start windefend
- MpCmdRun.exe -EnableService
- If disabled:
- Modifies the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
- DisableNotifications = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- Notification_Suppress = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- UILockdown = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
- DisableNotifications = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration
- Notification_Suppress = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration
- UILockdown = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
- EnableSmartScreen = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
- ShellSmartScreenLevel = Warn
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
- EnableWebContentEvaluation = 0
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
- PreventOverride = 0
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Edge\SmartScreenEnabled
- (Default) = 0
- HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled
- (Default) = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
- EnabledV9 = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- DisableRealtimeMonitoring = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableAntiSpyware = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
- DisableAntiSpyware = 1
- Adds the following processes:
- net1 stop windefend
- sc.exe config windefend depend= RpcSs- TOGGLE
- MpCmdRun.exe -DisableService
- Deletes the following file:
- %ProgramData%\Microsoft\Windows Defender\mpengine.db
- Deletes the following directory:
- %ProgramData%\Microsoft\Windows Defender\Scans\History\Service
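The "If disabled" branch above leaves a consistent set of registry, service and file artifacts on a host. The following PowerShell script is an added example (it is not Trend Micro's code and not part of this write-up): it performs a read-only audit of the indicators listed above so a responder can see which of them are present before working through the removal steps. The registry paths and value names are taken from the lists above; the function name, the output format and the choice of which value counts as "tampered" are this example's own.

```powershell
# Added example (not from the Trend Micro write-up): read-only audit of the
# ToggleDefender artifacts listed in this entry. Run from an elevated prompt.
# Paths and value names come from the write-up; Test-ToggleDefenderIndicators
# and the 'Bad' (tampered) values are this example's own choices.

$Indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                               Name = 'DisableAntiSpyware';        Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                                        Name = 'DisableAntiSpyware';        Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';          Name = 'DisableRealtimeMonitoring'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications';      Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications';          Name = 'DisableNotifications';      Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration';              Name = 'Notification_Suppress';     Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                                 Name = 'EnableSmartScreen';         Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter';                   Name = 'EnabledV9';                 Bad = 0 }
)

function Test-ToggleDefenderIndicators {
    # Registry values that currently hold the tampered setting.
    foreach ($i in $Indicators) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($i.Name) -eq $i.Bad) {
            [pscustomobject]@{ Indicator = "$($i.Path)\$($i.Name)"; Observed = $item.($i.Name); Finding = 'tampered value' }
        }
    }

    # Edge policy key added during installation: exempts .exe downloads from
    # any domain from the file-type download warning.
    $edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExemptDomainFileTypePairsFromFileTypeDownloadWarning'
    if (Test-Path -Path $edgeKey) {
        $pair = (Get-ItemProperty -Path $edgeKey -ErrorAction SilentlyContinue).'1'
        [pscustomobject]@{ Indicator = "$edgeKey\1"; Observed = $pair; Finding = 'download-warning exemption present' }
    }

    # WinDefend service state: the disable branch stops the service and rewrites its dependency list.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        [pscustomobject]@{ Indicator = 'service WinDefend'; Observed = 'missing'; Finding = 'service not found' }
    } elseif ($svc.Status -ne 'Running') {
        [pscustomobject]@{ Indicator = 'service WinDefend'; Observed = $svc.Status; Finding = 'service not running' }
    }

    # Dropped log in the active user's Temp folder. MpCmdRun.exe writes this log
    # whenever it is invoked, so on its own it is weak evidence; treat it as corroborating.
    $log = Join-Path -Path $env:TEMP -ChildPath 'MpCmdRun.log'
    if (Test-Path -Path $log) {
        [pscustomobject]@{ Indicator = $log; Observed = (Get-Item -Path $log).LastWriteTime; Finding = 'dropped file present' }
    }
}

$findings = @(Test-ToggleDefenderIndicators)
if ($findings.Count -eq 0) {
    Write-Output 'No ToggleDefender indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Two caveats when reading the output: the policy values under HKLM\SOFTWARE\Policies are also what Group Policy writes, so a hit on a domain-managed host must be compared with the expected baseline rather than taken as proof of infection; and a host with Tamper Protection enabled may show these values set without Defender actually being off, in which case the service check is the more reliable signal. The function returns objects, so it can be wrapped in Invoke-Command to sweep a set of hosts and the results filtered on the Finding field.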
Solutions
Step 1
Windows ME and XP users must disable System Restore before performing any scan, to allow a full scan of the computer.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Remove these registry keys
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Security Center
- Notification
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- UX Configuration
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- MpEngine
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- Spynet
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- Real-Time Protection
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
- Edge
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
- ExemptDomainFileTypePairsFromFileTypeDownloadWarning
Step 4
Remove these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
- MpCloudBlockLevel = 2
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
- SpyNetReporting = 2
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
- SubmitSamplesConsent = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- PUAProtection = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExemptDomainFileTypePairsFromFileTypeDownloadWarning
- 1 = {file_extension:exe,domains:[*]}
Step 5
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
- From DisableNotifications = 1
- To DisableNotifications = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- From Notification_Suppress = 1
- To Notification_Suppress = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
- From UILockdown = 0
- To UILockdown = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
- From DisableNotifications = 1
- To DisableNotifications = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration
- From Notification_Suppress = 1
- To Notification_Suppress = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
- From EnableSmartScreen = 0
- To EnableSmartScreen = 1
- In HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
- From EnableWebContentEvaluation = 0
- To EnableWebContentEvaluation = 1
- In HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
- From PreventOverride = 0
- To PreventOverride = 1
- In HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Edge\SmartScreenEnabled
- From (Default) = 0
- To (Default) = 1
- In HKEY_Users\S-1-5-21{SID}\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled
- From (Default) = 0
- To (Default) = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
- From EnabledV9 = 0
- To EnabledV9 = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- From DisableRealtimeMonitoring = 1
- To DisableRealtimeMonitoring = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- From DisableAntiSpyware = 1
- To DisableAntiSpyware = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
- From DisableAntiSpyware = 1
- To DisableAntiSpyware = 0
Step 6
Restore these deleted registry keys/values from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableRoutinelyTakingAction
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- RealtimeScanDirection
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- PUAProtection
Step 7
Search and delete this file
- %User Temp%\MpCmdRun.log
Step 8
Scan your computer with your Trend Micro product to delete files detected as Trojan.BAT.TOGGLEDEFENDER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.