Trojan.Win64.WDFLOAD.AB
RDN/Generic.glk (McAfee); HEUR:Trojan.Win64.Agent.gen (Kaspersky); Mal/Generic-L (Sophos); Trojan.Win32.Generic!BT (Sunbelt)
Windows
Threat Type:
Trojan
Destructiveness:
No
Encrypted:
In the wild:
Yes
OVERVIEW
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes files, preventing programs and applications from running properly.
TECHNICAL DETAILS
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
It deletes the following files:
- %User Temp%\s1oo.0
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), and 10(64-bit).)
It adds the following registry entries (keys under SystemCertificates\Disallowed\Certificates back the machine's Untrusted Certificates store, so certificates placed there are no longer trusted by Windows):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9132E8B079D080E01D52631690BE18EBC2347C1E
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
AD4C5429E10F4FF6C01840C20ABA344D7401209F
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
DB77E5CFEC34459146748B667C97B185619251BA
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
3D496FA682E65FC122351EC29B55AB94F3BB03FC
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
ED841A61C0F76025598421BC1B00E24189E68D54
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
18DEA4EFA93B06AE997D234411F3FD72A677EECE
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
76A9295EF4343E12DFC5FE05DC57227C1AB00D29
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
A5341949ABE1407DD7BF7DFE75460D9608FBC309
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
5240AB5B05D11B37900AC7712A3C6AE42F377C8C
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
872CD334B7E7B3C3D1C6114CD6B221026D505EAB
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
03D22C9C66915D58C88912B64C1F984B8344EF09
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
4420C99742DF11DD0795BC15B7B0ABF090DC84DF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
5DD3D41810F28B2A13E9A004E6412061E28FA48D
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
F83099622B4A9F72CB5081F742164AD1B8D048C9
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
A59CC32724DD07A6FC33F7806945481A2D13CA2F
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
1667908C9E22EFBD0590E088715CC74BE4C60884
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
0F684EC1163281085C6AF20528878103ACEFCAAB
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
7457A3793086DBB58B3858D6476889E3311E550E
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
249BDA38A611CD746A132FA2AF995A2D3C941264
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
775B373B33B9D15B58BC02B184704332B97C3CAF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
88AD5DFE24126872B33175D1778687B642323ACF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
982D98951CF3C0CA2A02814D474A976CBFF6BDB1
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
AD96BB64BA36379D2E354660780C2067B81DA2E0
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
E22240E837B52E691C71DF248F12D27F96441C00
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
331E2046A1CCA7BFEF766724394BE6112B4CA3F7
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
CDC37C22FE9272D8F2610206AD397A45040326B8
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
DB303C9B61282DE525DC754A535CA2D6A9BD3D87
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9C43F665E690AB4D486D4717B456C5554D4BCEB5
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
3353EA609334A9F23A701B9159E30CB6C22D4C59
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = "1"
SOLUTION
Step 1
Before doing any scans, Windows ME and XP users must make sure that they have disabled System Restore to allow full scanning of their computers.
Step 2
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how to, or you can ask assistance from your system administrator. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableAntiSpyware = 1
Step 3
Scan your computer with your Trend Micro product to delete files detected as Trojan.Win64.WDFLOAD.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 4
Restore this file from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.
- %User Temp%\s1oo.0
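As an added example that is not part of this Trend Micro entry, the PowerShell audit below checks a host for the registry artifacts listed in Step 2 and, only when run with -Remove, deletes them. It assumes an elevated session, reads the Disallowed store through the Cert: drive (Cert:\LocalMachine\Disallowed is the same store the registry keys back, which lets it show the Subject of each blocked certificate), and embeds only a subset of the documented thumbprints; the rest from the list above belong in $KnownThumbprints.

```powershell
param([switch]$Remove)

$DisallowedKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
$DefenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Subset of the thumbprints documented in this entry; append the remaining ones from the list.
$KnownThumbprints = @(
    '9132E8B079D080E01D52631690BE18EBC2347C1E'
    'AD4C5429E10F4FF6C01840C20ABA344D7401209F'
    'DB77E5CFEC34459146748B667C97B185619251BA'
    'AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947'
    'E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF'
    '3353EA609334A9F23A701B9159E30CB6C22D4C59'
)

$findings = @()

# 1. Entries in the Untrusted Certificates store whose thumbprint is documented here.
#    The Cert: provider parses each Blob into an X509Certificate2, so the Subject tells
#    the analyst which publisher the malware tried to make Windows distrust.
$blocked = Get-ChildItem Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Where-Object { $KnownThumbprints -contains $_.Thumbprint }
foreach ($cert in $blocked) {
    $findings += [pscustomobject]@{ Artifact = "Disallowed\$($cert.Thumbprint)"; Detail = $cert.Subject }
    if ($Remove) { Remove-Item -Path (Join-Path $DisallowedKey $cert.Thumbprint) -Force }
}

# 2. Documented keys that exist but whose Blob the Cert: provider could not parse.
foreach ($t in $KnownThumbprints) {
    $k = Join-Path $DisallowedKey $t
    if ((Test-Path $k) -and -not ($findings.Artifact -contains "Disallowed\$t")) {
        $findings += [pscustomobject]@{ Artifact = "Disallowed\$t"; Detail = 'key present, blob not parsed' }
        if ($Remove) { Remove-Item -Path $k -Force }
    }
}

# 3. Windows Defender switched off through the policy value this entry documents.
$policy = Get-ItemProperty -Path $DefenderPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    $findings += [pscustomobject]@{ Artifact = 'Windows Defender\DisableAntiSpyware'; Detail = '1' }
    if ($Remove) { Remove-ItemProperty -Path $DefenderPolicy -Name DisableAntiSpyware }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No documented artifacts found.' }
```

Run it without -Remove first to review what is present; a legitimately distrusted certificate pushed by Windows Update lives in the same store, which is why the script matches on the documented thumbprints rather than clearing the store.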