Trojan.Win64.VALLEYRAT.THHBGBD

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

新(xīn)病毒详细信息

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

安(ān)装(zhuāng)

它添加下列进程：

• Invoke-Command -Command {Add-MpPreference -ExclusionPath {Root drive of the malware path}

它添加下列互斥条目，确保一次只会运行一个副本：

• TEST

自启动技(jì )术

它将下列文(wén)件植入 Windows 用(yòng)户启动文(wén)件夹，以便在系统每次启动时自动执行：

• %User Startup%\CompMgmtLauncher.lnk
• %User Startup%\eventvwr.lnk

(注意: %User Startup% 是当前用(yòng)户的启动文(wén)件夹，通常位于 C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup (Windows NT)、C:\Documents and Settings\{User name}\Start Menu\Programs\Startup (Windows 2003(32-bit)、XP、2000(32-bit)) 和 C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit))。)

其他(tā)系统修改

它修改下列注册表项：

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\
kingsoft\antivirus\Windhunter
WindhunterLevel = 4

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\
kingsoft\antivirus\Windhunter
WindhunterSwitch = 0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\
kingsoft\antivirus\KSetting
kxesc = 0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\
kingsoft\antivirus\KAVReport
AutoStart = 0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\
Tencent\QQPCMgr
autostart = 0

它删除下列注册表键值:

HKEY_CURRENT_USER\Console\IpDate

HKEY_CURRENT_USER\Software\Classes\
mscfile

HKEY_CURRENT_USER\Software\Classes\
ms-settings

HKEY_CURRENT_USER\Software\Classes\
.pwn

进程终止

它终止在受感染的系统内存中(zhōng)运行的下列进程：

• 360Sd.exe
• 360leakfixer.exe
• safesvr.exe
• MultiTip.exe
• 360Tray.exe
• 360tray.exe
• 360Safe.exe
• 360safe.exe
• ZhuDongFangYu.exe
• kscan.exe
• kwsprotect64.exe
• kxescore.exe
• kxetray.exe
• HipsMain.exe
• HipsTray.exe
• QMDL.exe
• QMPersonalCenter.exe
• QQPCPatch.exe
• QQPCRealTimeSpeedup.exe
• QQPCRTP.exe
• QQPCTray.exe

其他(tā)详细信息

该程序执行以下操作(zuò)：

• After the process termination, it checks again for the following processes to see if they are still running in the system.
  • kxetray.exe
  • 360sd.exe
  • 360Tray.exe
  • 360tray.exe
  • 360Safe.exe
  • 360safe.exe
  • QQPCTray.exe
  • MsMpEng.exe
  • HipsTray.exe
  • If any of these processes are still running, it will do the following:
  • Injects a shellcode into a running lsass process.
  • It terminates the following processes if found running in the affected system:
  • 360Sd.exe
  • 360tray.exe
  • 360Safe.exe
  • 360safe.exe
  • HipsMain.exe
  • HipsTray.exe
  • QMDL.exe
  • QQPCTray.exe
  • QQPCRTP.exe
• If the following processes within its list are still found running in the system, the malware process displays an “ERROR” message box and terminates.
  
• It checks for the presence of the following files:
  • %User Profile%\wwlib.dll
  • %User Profile%\WinWord.exe
• It checks the following registry entries related to popular communication applications.
  • HKEY_CURRENT_USER\Software\Tencent\Wechat
  • HKEY_CURRENT_USER\Software\Dingtalk
• It retrieves the URL of the C2 server stored in this registry entry by the main loader:
  • HKEY_CURRENT_USER\Console
  IpDateInfo
  • It will connect to the following URL after successfully retrieving the information.