
TR/Razy.yhtwk

  • 名称
    TR/Razy.yhtwk
  • 发现日期
    2017年7月18日
  • 类型
    Malware
  • 影响
     
  • 报告的感染
     
  • 操作系统
    Windows
  • VDF 版本
    7.14.17.236 (2017-07-18 18:40)

术语“TR”指的是能够窥探数据、侵犯您的隐私或对系统进行非预期修改的特洛伊木马。

  • VDF
    7.14.17.236 (2017-07-18 18:40)
  • 文件
    更改以下文件:
    • %APPDATA%\Microsoft\Protect\CREDHIST
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\Preferred
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    创建以下文件:
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\a92a20c8-c321-421b-9ee4-ca2d9e5a2bbc
    • %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-602162358-879983540-682003330-1003\9d1627c087e30ee6fe8c9cce3c77e841_43055624-2155-436a-a244-4fe4e5b10e24
    • %APPDATA%\BitTorrent\settings.dat.new
    • %TEMPDIR%\HYD1.tmp
    • %TEMPDIR%\HYD1.tmp.1500399985\index.hta.log
    • %USERPROFILE%\Cookies\biluta@localhost[1].txt
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\install.1500399985.zip
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\index.hta
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\uninstall.hta
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\3rdparty\FS.dll
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\3rdparty\FS.ocx
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\br.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\de.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\en.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\es.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\fr.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\it.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\ko.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\pt.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\i18n\ru.json
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\images\bt_icon_48px.png
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\images\loading.gif
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\images\main_bittorrent.ico
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\images\main_icon.png
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\images\main_utorrent.ico
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\scripts\common.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\scripts\es5-shim.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\scripts\initialize.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\scripts\install.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\scripts\uninstall.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\shell_scripts\check_if_cscript_is_working.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\shell_scripts\shell_install_offer.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\shell_scripts\shell_ping_after_close.js
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\styles\common.css
    • %TEMPDIR%\HYD1.tmp.1500399985\HTA\styles\installer.css
    • %USERPROFILE%\Cookies\biluta@localhost[2].txt
    重命名以下文件:
    • %APPDATA%\BitTorrent\settings.dat.new
    删除以下文件:
    • %TEMPDIR%\HYD1.tmp
    • %USERPROFILE%\Cookies\biluta@localhost[1].txt
  • 注入
    • %SYSDIR%\svchost.exe{<-\RPC Control\DNSResolver}
    • %SYSDIR%\lsass.exe{<-\RPC Control\protected_storage}
    • %SYSDIR%\services.exe{<-\RPC Control\ntsvcs}
    • %SYSDIR%\svchost.exe{<-\RPC Control\IcaApi}
  • 注册表
    会添加以下注册表项目:
    • [HKEY_CLASSES_ROOT\FalconBetaAccount] "remote_access_client_id" = "5361761192"
    • [HKEY_CLASSES_ROOT\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0] @ = "ActiveBinderProj Library"
    • [HKEY_CLASSES_ROOT\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS] @ = "2"
    • [HKEY_CLASSES_ROOT\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32] @ = "%TEMPDIR%\HYD1.tmp.1500399985\HTA\3rdparty\FS.ocx"
    • [HKEY_CLASSES_ROOT\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR] @ = "%TEMPDIR%\HYD1.tmp.1500399985\HTA\3rdparty\"
    • [HKEY_CLASSES_ROOT\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}] @ = "FS"
    • [HKEY_CLASSES_ROOT\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid] @ = "{00020424-0000-0000-C000-000000000046}"
    • [HKEY_CLASSES_ROOT\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32] @ = "{00020424-0000-0000-C000-000000000046}"
    • [HKEY_CLASSES_ROOT\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib] @ = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}" "Version" = "1.0"
    • [HKEY_CLASSES_ROOT\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}] @ = "IActiveBinderXEvents"
    • [HKEY_CLASSES_ROOT\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid] @ = "{00020420-0000-0000-C000-000000000046}"
    • [HKEY_CLASSES_ROOT\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32] @ = "{00020420-0000-0000-C000-000000000046}"
    • [HKEY_CLASSES_ROOT\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib] @ = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}" "Version" = "1.0"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}] @ = "ActiveBinderX Control"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32] @ = "%TEMPDIR%\HYD1.tmp.1500399985\HTA\3rdparty\FS.ocx" "ThreadingModel" = "Apartment"
    • [HKEY_CLASSES_ROOT\FS.ActiveBinderX] @ = "ActiveBinderX Control"
    • [HKEY_CLASSES_ROOT\FS.ActiveBinderX\Clsid] @ = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID] @ = "FS.ActiveBinderX"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version] @ = "1.0"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib] @ = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus] @ = "0"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1] @ = "205201"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32] @ = "%TEMPDIR%\HYD1.tmp.1500399985\HTA\3rdparty\FS.ocx,1"
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control] @ = ""
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb] @ = ""
    • [HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0] @ = "Properties,0,2"
  • HTTP 请求
    • i*****.com/json?callback=jQuery19107599283328536606_1500399995900&_=1500399995901
  • 别名
    G Data: Gen:Variant.Razy.203901
