Trojan.JS.NODSTER.A
Windows

Malware type: Trojan
Destructive?: No
Encrypted?: No
In the Wild: Yes
Overview
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It executes and then deletes itself.
Technical Details
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be downloaded from a remote site by the following malware/grayware/spyware:
- Trojan.Win32.Novter.A
Installation
It drops the following file:
- %System%\IsAdm.txt - used to test whether the current user has admin privileges; deleted afterwards if the write succeeds.
(Note: %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\WINDOWS\system32 on Windows 2000 (32-bit), XP, Server 2003 (32-bit), Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit).)
Other Details
It does the following:
- On Windows 7, it downloads and installs the following Windows update saved as {Malware Path}\SystemInfoConfig\Windows6.1-KB3033929-{x86|x64}.msu from the following URLs:
- https://download.{BLOCKED}ft.com/download/C/8/7/C87AE67E-A228-48FB-8F02-B2A9A1238099/Windows6.1-KB3033929-x64.msu
- https://download.{BLOCKED}ft.com/download/3/7/4/37473F39-5728-4153-9A25-64C09DE9ED52/Windows6.1-KB3033929-x86.msu
- If executed as admin and the value of HKLM\Software\ttl\ttl is not 64, it executes the following commands:
- netsh.exe interface tcp set heuristics ws=disabled
- reg.exe add HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters /v DefaultTTL /t REG_DWORD /d 0x40 /f
- reg.exe add HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters /v Tcp1323Opts /t REG_DWORD /d 0x02 /f
- reg.exe add HKLM\Software\ttl /v ttl /t REG_DWORD /d 0x40 /f
- To apply the changes made by this malware, it displays the following message and shuts down the computer after two minutes:
- It downloads node.exe from https://{BLOCKED}js.org/dist/latest-v10.x/win-x86/node.exe and saves it as {malware path}\SystemInfoConfig\node.exe
- It checks for the presence of the following files:
- {malware path}\SystemInfoConfig\app.js
- {malware path}\SystemInfoConfig\divergent.exe
- {malware path}\SystemInfoConfig\mdivergent.exe
- {malware path}\SystemInfoConfig\WinDivert.dll
- {malware path}\SystemInfoConfig\WinDivert32.sys
- {malware path}\SystemInfoConfig\WinDivert64.sys
If one of the files is absent, it drops {malware path}\SystemInfoConfig\{numbers}.zip containing the following files and folders:
- {current or malware path}\SystemInfoConfig\node_modules
- {current or malware path}\SystemInfoConfig\app.js
- {current or malware path}\SystemInfoConfig\constants.js
- {current or malware path}\SystemInfoConfig\divergent.exe
- {current or malware path}\SystemInfoConfig\mdivergent.exe
- {current or malware path}\SystemInfoConfig\socks4a.js
- {current or malware path}\SystemInfoConfig\WinDivert.dll
- {current or malware path}\SystemInfoConfig\WinDivert32.sys
- {current or malware path}\SystemInfoConfig\WinDivert64.sys
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\lib
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\lib\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\lib\manager.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\lib\on.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\lib\socket.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\lib\url.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-emitter
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-binary2
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\isarray
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ms
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\safe-buffer
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\to-array
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ultron
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\yeast
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\.travis.yml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\LICENCE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\test
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\after\test\after-test.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\LICENCE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\test
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\arraybuffer.slice\test\slice-buffer.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\.travis.yml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\coverage.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov.info
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\async-throttle
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\base.css
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\index.html
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\prettify.css
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\prettify.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\sort-arrow-sprite.png
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\sorter.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\async-throttle\index.html
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\async-limiter\coverage\lcov-report\async-throttle\index.js.html
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\test
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\backo2\test\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\.travis.yml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\lib
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\LICENSE-MIT
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\base64-arraybuffer\lib\base64-arraybuffer.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\example.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\better-assert\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.zuul.yml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\test
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\blob.iml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\inspectionProfiles
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\markdown-navigator
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\markdown-navigator.xml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\modules.xml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\vcs.xml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\workspace.xml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\inspectionProfiles\profiles_settings.xml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\.idea\markdown-navigator\profiles_settings.xml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\blob\test\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\callsite\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-bind\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-emitter\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-emitter\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-emitter\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-emitter\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-emitter\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\test
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\component-inherit\test\inherit.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\.coveralls.yml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\.eslintrc
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\.travis.yml
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\CHANGELOG.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\karma.conf.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\node.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\src
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\src\browser.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\src\debug.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\src\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\debug\src\node.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\engine.io.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\socket.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transport.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transports
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\xmlhttprequest.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transports\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transports\polling-jsonp.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transports\polling-xhr.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transports\polling.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-client\lib\transports\websocket.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\lib
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\lib\browser.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\lib\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\lib\keys.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\engine.io-parser\lib\utf8.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-binary2\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-binary2\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-binary2\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-binary2\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-binary2\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\has-cors\test.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\indexof\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\isarray\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\isarray\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\isarray\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ms\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ms\license.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ms\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ms\readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\component.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\test
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\object-component\test\object.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseqs\test.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\History.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\Makefile
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\parseuri\test.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\safe-buffer\index.d.ts
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\safe-buffer\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\safe-buffer\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\safe-buffer\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\safe-buffer\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser\binary.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser\is-buffer.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\socket.io-parser\Readme.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\to-array\.npmignore
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\to-array\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\to-array\LICENCE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\to-array\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\to-array\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ultron\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ultron\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ultron\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ultron\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\.DS_Store
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\BufferUtil.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\Constants.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\ErrorCodes.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\EventTarget.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\Extensions.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\PerMessageDeflate.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\Receiver.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\Sender.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\Validation.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\WebSocket.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\ws\lib\WebSocketServer.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\autotest.watchr
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\example
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\lib
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\README.md
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\example\demo.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\lib\XMLHttpRequest.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-constants.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-events.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-exceptions.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-headers.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-redirect-302.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-redirect-303.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-redirect-307.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-request-methods.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\test-request-protocols.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\xmlhttprequest-ssl\tests\testdata.txt
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\yeast\index.js
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\yeast\LICENSE
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\yeast\package.json
- {current or malware path}\SystemInfoConfig\node_modules\socket.io-client\node_modules\yeast\README.md
- Once the files are extracted and the updates are installed, it executes the following commands (the second one launches the dropped Node.js runtime on the dropped script, passing the command-and-control address as a base64-encoded argument):
- {divergent.exe | mdivergent.exe}
- node.exe .\app.js {base-64 encoded address = {BLOCKED}.{BLOCKED}.117.194}
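The command line above is the most specific host artifact this page describes: a node.exe launched from the SystemInfoConfig folder with app.js and a base64 argument that decodes to the C2 address. The following is an added triage example written for this page, not code from the original advisory or from the malware. It decodes that argument from a process command line and reads the registry markers listed on this page. The sample command lines are constructed; because the real address is redacted ({BLOCKED}.{BLOCKED}.117.194), the TEST-NET address 192.0.2.10 stands in for it, and the function and variable names are the author's own.

```powershell
# Added triage example (not part of the original advisory). Decodes the base64
# argument NODSTER passes to node.exe and checks the registry markers the page lists.

function Get-NodsterC2 {
    # Returns the decoded address when a command line has the shape
    # "node.exe .\app.js <base64>", otherwise $null.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)node\.exe"?\s+\.?\\?app\.js\s+([A-Za-z0-9+/=]+)\s*$') {
        try {
            $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches[1]))
        } catch { return $null }        # not valid base64, so not this pattern
        # The page describes an IPv4 literal; accept only that to keep false positives down.
        if ($decoded -match '^(\d{1,3}\.){3}\d{1,3}$') { return $decoded }
    }
    return $null
}

function Test-NodsterRegistryMarker {
    # HKLM\SOFTWARE\ttl\ttl = 64 (0x40) is the marker this page attributes to the malware.
    # DefaultTTL = 64 and Tcp1323Opts = 2 on their own are weak evidence, since
    # administrators also set those values; report them for context only.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $ttl   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\ttl' -Name ttl -ErrorAction SilentlyContinue
    $p     = Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TtlMarker   = ($null -ne $ttl -and $ttl.ttl -eq 64)
        DefaultTTL  = $p.DefaultTTL
        Tcp1323Opts = $p.Tcp1323Opts
    }
}

# Constructed command lines in the shape the page describes.
# "MTkyLjAuMi4xMA==" is base64("192.0.2.10"); "aGVsbG8=" is base64("hello").
$samples = @(
    'C:\Users\Public\SystemInfoConfig\node.exe .\app.js MTkyLjAuMi4xMA==',   # decodes to an IPv4: flagged
    '"C:\Program Files\nodejs\node.exe" .\app.js',                            # no argument: not flagged
    'C:\Users\Public\SystemInfoConfig\node.exe .\app.js aGVsbG8='             # base64 but not an IPv4: not flagged
)
foreach ($s in $samples) {
    $c2 = Get-NodsterC2 -CommandLine $s
    if ($c2) { "C2 candidate $c2  <-  $s" } else { "no NODSTER pattern  <-  $s" }
}

# Live host: the same check over running processes, then the registry markers.
Get-CimInstance Win32_Process | ForEach-Object {
    $c2 = Get-NodsterC2 -CommandLine ([string]$_.CommandLine)
    if ($c2) { "PID $($_.ProcessId): $($_.ExecutablePath) -> $c2" }
}
Test-NodsterRegistryMarker
```

The regex is deliberately tied to the app.js argument shape rather than to node.exe alone, because Node.js is common on developer and build hosts; a decoded dotted-quad next to a SystemInfoConfig path is what separates this sample from legitimate use.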
Solution
Step 1
For Windows ME and XP users, make sure System Restore is disabled before scanning so that the computer can be scanned completely.
Step 2
Note that not all files, folders, registry keys and entries are installed on your computer while this malware/spyware/grayware executes. This may be due to an incomplete installation or other operating system conditions. If you cannot find the same files/folders/registry information, proceed to the next step.
Step 3
Identify and terminate files detected as Trojan.JS.NODSTER.A
- For Windows 98 and ME users, Windows Task Manager may not display all running processes. In that case, use a third-party process viewer (Process Explorer is recommended) to terminate the malware/grayware/spyware file. You can download the tool here.
- If the detected file appears in Windows Task Manager or Process Explorer but cannot be deleted, restart the computer in Safe Mode. See this link for the complete steps.
- If the detected file does not appear in Windows Task Manager or Process Explorer, proceed with the following steps.
Step 4
Delete these registry values
Important: Editing the Windows registry incorrectly can cause irreversible system problems. Perform this step only if you know how, or with the help of a system administrator. Otherwise, read the Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
- DefaultTTL = 64
- Tcp1323Opts = 2
- In HKEY_LOCAL_MACHINE\SOFTWARE\ttl
- ttl = 64
Values are shown in decimal (64 = 0x40, 2 = 0x02). Removing DefaultTTL and Tcp1323Opts returns the TCP/IP stack to its defaults (DefaultTTL is 128 when the value is absent); if your environment sets these values deliberately, restore your own values instead of leaving them deleted. The change takes effect after a restart.
Step 5
Search for and delete this folder
- {malware path}\SystemInfoConfig
Step 6
Scan your computer with your AsiaInfo Security product and delete files detected as Trojan.JS.NODSTER.A. If the detected files have already been cleaned, deleted or quarantined by your AsiaInfo Security product, no further action is required. You may choose to simply delete the quarantined files. Refer to this Knowledge Base page for details.
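Steps 3 to 5, scripted as one added PowerShell example. This is not tooling from the advisory or from the vendor; it assumes the drop folder is {malware path}\SystemInfoConfig, and because the page leaves {malware path} unspecified the caller passes it as -MalwarePath. The script name and parameter are the author's own. Run it from an elevated PowerShell, with -WhatIf first to see what it would change.

```powershell
# Added remediation example (not part of the original advisory): Steps 3 to 5 above.
# Usage (script name is an assumption):
#   .\Remove-Nodster.ps1 -MalwarePath 'C:\Users\Public' -WhatIf   # preview
#   .\Remove-Nodster.ps1 -MalwarePath 'C:\Users\Public'           # apply
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$MalwarePath   # directory that contains SystemInfoConfig on this host
)

$dropDir = Join-Path $MalwarePath 'SystemInfoConfig'
$tcpip   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Step 3: terminate the processes the page lists, but only when they run out of the
# drop folder, so a legitimate node.exe elsewhere on the host is left alone.
$targets = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in 'node.exe','divergent.exe','mdivergent.exe' -and
                   $_.ExecutablePath -and
                   $_.ExecutablePath.StartsWith($dropDir, [StringComparison]::OrdinalIgnoreCase) }
foreach ($p in $targets) {
    if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.ProcessId))", 'Stop-Process')) {
        Stop-Process -Id $p.ProcessId -Force
    }
}

# Step 4: remove the registry values the malware wrote. Deleting DefaultTTL and
# Tcp1323Opts returns the stack to its defaults; if your environment sets them
# deliberately, set your own values here instead. Takes effect after a reboot.
foreach ($name in 'DefaultTTL','Tcp1323Opts') {
    $cur = Get-ItemProperty -Path $tcpip -Name $name -ErrorAction SilentlyContinue
    if ($cur -and $PSCmdlet.ShouldProcess("$tcpip\$name = $($cur.$name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $tcpip -Name $name
    }
}
# The page names the ttl value; the HKLM\SOFTWARE\ttl key exists only to hold it,
# so the key is removed whole.
if (Test-Path 'HKLM:\SOFTWARE\ttl') {
    if ($PSCmdlet.ShouldProcess('HKLM:\SOFTWARE\ttl', 'Remove-Item')) {
        Remove-Item -Path 'HKLM:\SOFTWARE\ttl' -Recurse
    }
}

# Step 5: remove the drop folder (node.exe, app.js, node_modules, the dropped .msu).
if ((Test-Path $dropDir) -and $PSCmdlet.ShouldProcess($dropDir, 'Remove-Item -Recurse')) {
    Remove-Item -Path $dropDir -Recurse -Force
}
```

Processes are matched on ExecutablePath rather than on name alone, and each destructive action goes through ShouldProcess, so a -WhatIf run produces a full list of what would be stopped and deleted before anything changes; a full product scan (Step 6) should still follow, since the dropper that delivered this sample is not covered by these steps.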