Infostealer.Newplayer trójai

CH azonosító

Angol cím

Felfedezés dátuma

Súlyosság

Érintett rendszerek

Érintett verziók

Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Összefoglaló

A Infostealer.Newplayer egy trójai típusú kártevő, amely adatokat lop el a fertőzött számítógépről.

Leírás

A trójai egy szoftver csomagban érkezik más programok mellett, és azt állítja magáról, hogy ő egy médialejátszó szoftver.

A trójai létrehozza a következő mappákat:

• %UserProfile%Local SettingsApplication Datanewplayer
• %UserProfile%Local SettingsApplication Datanewplayerconfig
• %UserProfile%Local SettingsApplication DatanewplayerPlaylists
• %UserProfile%Local SettingsApplication DatanewplayerSnap
• %UserProfile%Start MenuProgramsNewPlayer

Ezután létrehozza a következő fájlokat:

• %UserProfile%Local SettingsApplication Datanewplayerconfigconfig.ini
• %UserProfile%Local SettingsApplication Datanewplayerlog.txt
• %UserProfile%DesktopNewPlayer.lnk
• %UserProfile%Start MenuProgramsNewPlayerNewPlayer.lnk
• %UserProfile%Start MenuProgramsNewPlayerUninstall.lnk
• %ProgramFiles%NewPlayerdotNetFx40_Full_setup.exe
• %ProgramFiles%NewPlayericon.ico
• %ProgramFiles%NewPlayerLanguages
• %ProgramFiles%NewPlayerLanguagesArabic.ini
• %ProgramFiles%NewPlayerLanguagesBulgarian.ini
• %ProgramFiles%NewPlayerLanguagesCatalan.ini
• %ProgramFiles%NewPlayerLanguagesChineseS.ini
• %ProgramFiles%NewPlayerLanguagesChineseT.ini
• %ProgramFiles%NewPlayerLanguagesCzech.ini
• %ProgramFiles%NewPlayerLanguagesDanish.ini
• %ProgramFiles%NewPlayerLanguagesDutch.ini
• %ProgramFiles%NewPlayerLanguagesEnglish.ini
• %ProgramFiles%NewPlayerLanguagesEstonian.ini
• %ProgramFiles%NewPlayerLanguagesFinnish.ini
• %ProgramFiles%NewPlayerLanguagesFrench.ini
• %ProgramFiles%NewPlayerLanguagesGerman.ini
• %ProgramFiles%NewPlayerLanguagesGreek.ini
• %ProgramFiles%NewPlayerLanguagesHaitianCreole.ini
• %ProgramFiles%NewPlayerLanguagesHebrew.ini
• %ProgramFiles%NewPlayerLanguagesHindi.ini
• %ProgramFiles%NewPlayerLanguagesHungarian.ini
• %ProgramFiles%NewPlayerLanguagesIndonesian.ini
• %ProgramFiles%NewPlayerLanguagesItalian.ini
• %ProgramFiles%NewPlayerLanguagesJapanese.ini
• %ProgramFiles%NewPlayerLanguagesKorean.ini
• %ProgramFiles%NewPlayerLanguagesLatvian.ini
• %ProgramFiles%NewPlayerLanguagesLithuanian.ini
• %ProgramFiles%NewPlayerLanguagesNorwegian.ini
• %ProgramFiles%NewPlayerLanguagesPolish.ini
• %ProgramFiles%NewPlayerLanguagesPortuguese.ini
• %ProgramFiles%NewPlayerLanguagesRomanian.ini
• %ProgramFiles%NewPlayerLanguagesRussian.ini
• %ProgramFiles%NewPlayerLanguagesSlovak.ini
• %ProgramFiles%NewPlayerLanguagesSlovenian.ini
• %ProgramFiles%NewPlayerLanguagesSpanish.ini
• %ProgramFiles%NewPlayerLanguagesSwedish.ini
• %ProgramFiles%NewPlayerLanguagesThai.ini
• %ProgramFiles%NewPlayerLanguagesTurkish.ini
• %ProgramFiles%NewPlayerLanguagesUkrainian.ini
• %ProgramFiles%NewPlayerLanguagesVietnamese.ini
• %ProgramFiles%NewPlayerLTV.exe
• %ProgramFiles%NewPlayerNewPlayer.exe
• %ProgramFiles%NewPlayerNewPlayerUpdater.exe
• %ProgramFiles%NewPlayerNewPlayerUpdaterService.exe
• %ProgramFiles%NewPlayerNewPlayerUpdaterService.InstallLog
• %ProgramFiles%NewPlayerNewPlayerUpdaterService.InstallState
• %ProgramFiles%NewPlayerNewtonsoft.Json.dll
• %ProgramFiles%NewPlayerPhotoLoader.dll
• %ProgramFiles%NewPlayerpolicy.2.0.taglib-sharp.config
• %ProgramFiles%NewPlayerpolicy.2.0.taglib-sharp.dll
• %ProgramFiles%NewPlayerreferences
• %ProgramFiles%NewPlayerreferencesextaudio.png
• %ProgramFiles%NewPlayerreferencesextvideo.png
• %ProgramFiles%NewPlayerreferencesffmpeg.exe
• %ProgramFiles%NewPlayerreferencesfolder.png
• %ProgramFiles%NewPlayerreferencesInterop.SHDocVw.dll
• %ProgramFiles%NewPlayerreferenceslibreria.png
• %ProgramFiles%NewPlayerreferencesNDde.dll
• %ProgramFiles%NewPlayerreferencesNewPlayerChecker.exe
• %ProgramFiles%NewPlayerreferencesNewtonsoft.Json.dll
• %ProgramFiles%NewPlayerreferencesPhotoLoader.dll
• %ProgramFiles%NewPlayerreferencespolicy.2.0.taglib-sharp.config
• %ProgramFiles%NewPlayerreferencespolicy.2.0.taglib-sharp.dll
• %ProgramFiles%NewPlayerreferencestaglib-sharp.dll
• %ProgramFiles%NewPlayerreferencesThumbs.db
• %ProgramFiles%NewPlayertaglib-sharp.dll
• %ProgramFiles%NewPlayeruninstall.exe
• %ProgramFiles%NewPlayerWindows
• %ProgramFiles%NewPlayerWindowsicon-play.ico
• %ProgramFiles%NewPlayerWindowsifishplayer-icon.ico
• %ProgramFiles%NewPlayerWindowsThumbs.db

A trójai létrehozza a kövekező bejegyzéseket a regisztráció adatbázisban:

• HKEY_CLASSES_ROOTApplicationsNewPlayer.exe”FriendlyAppName” = „NewPlayer”
• HKEY_CLASSES_ROOTApplicationsNewPlayer.exeshellPlaycommand”Default” = „”%ProgramFiles%NewPlayerNewPlayer.exe”” /m „”%1″”””””
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPlayerTasksNowPlaying”InitFlags” = „1”
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTP”ProxyBypass” = „0”
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTP”ProxyPort” = „50”
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTP”ProxyStyle” = „1”
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSP”ProxyBypass” = „0”
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSP”ProxyPort” = „22a”
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSP”ProxyStyle” = „0”
• HKEY_CURRENT_USERSoftwareMicrosoftWindows MediaWMSDKGeneral”ComputerName” = „STARFLEE-205AC0”
• HKEY_CURRENT_USERSoftwareMicrosoftWindows MediaWMSDKGeneral”UniqueID” = „{8E1E74B2-D6AA-4830-91CE-B40F6B11D30C}”
• HKEY_CURRENT_USERSoftwareMicrosoftWindows MediaWMSDKGeneral”VolumeSerialNumber” = „104bd201”
• HKEY_CURRENT_USERSoftwareMicrosoftWindows ScriptSettings”JITDebug” = „0”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{75048700-EF1F-11D0-9888-006097DEACF9}CountHRZR_EHACNGU” = „P” = „Qbphzragf naq FrggvatfNqzvavfgengbeQrfxgbc”ArjCynlreFrghc.rkr” = „[HEXADECIMAL VALUE]”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{75048700-EF1F-11D0-9888-006097DEACF9}CountHRZR_EHACVQY:%pfvqy2%ArjCynlre”ArjCynlre.yax” = „[HEXADECIMAL VALUE]”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{75048700-EF1F-11D0-9888-006097DEACF9}CountHRZR_EHACVQY:%pfvqy2%ArjCynlre”Havafgnyy.yax” = „[HEXADECIMAL VALUE]”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExtStats{D27CDB6E-AE6D-11CF-96B8-444553540000}iexplore”Count” = „3”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExtStats{D27CDB6E-AE6D-11CF-96B8-444553540000}iexplore”Flags” = „0”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExtStats{D27CDB6E-AE6D-11CF-96B8-444553540000}iexplore”Time” = „[HEXADECIMAL VALUE]”
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExtStats{D27CDB6E-AE6D-11CF-96B8-444553540000}iexplore”Type” = „1”
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exe”FriendlyAppName” = „NewPlayer”
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeshellPlaycommand”Default” = „”%ProgramFiles%NewPlayerNewPlayer.exe”” /m „”%1″”””””
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNewPlayer”DisplayIcon” = „%ProgramFiles%NewPlayerNewPlayer.exe”
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNewPlayer”DisplayName” = „NewPlayer”
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNewPlayer”DisplayVersion” = „v2.1.1.9”
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNewPlayer”EstimatedSize” = „7a1d”
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNewPlayer”UninstallString” = „%ProgramFiles%NewPlayeruninstall.exe”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000″Class” = „LegacyDriver”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000″ClassGUID” = „{8ECC055D-047F-11D1-A537-0000F8753ED1}”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000″ConfigFlags” = „0”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000Control”*NewlyCreated*” = „0”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000Control”ActiveService” = „NewPlayerUpdaterService”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000″DeviceDesc” = „NewPlayer Updater Service”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000″Legacy” = „1
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE000″Service” = „NewPlayerUpdaterService”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_NEWPLAYERUPDATERSERVICE”NextInstance” = „1”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_RASMAN000Control”ActiveService” = „RasMan”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_TAPISRV000Control”ActiveService” = „TapiSrv”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000″Class” = „LegacyDriver”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000″ClassGUID” = „{8ECC055D-047F-11D1-A537-0000F8753ED1}”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000″ConfigFlags” = „0”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000Control”*NewlyCreated*” = „0”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000Control”ActiveService” = „WPFFontCache_v0400”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000″DeviceDesc” = „Windows Presentation Foundation Font Cache 4.0.0.0”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000″Legacy” = „1”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400000″Service” = „WPFFontCache_v0400”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
• LEGACY_WPFFONTCACHE_V0400″NextInstance” = „1”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlog
• ApplicationNewPlayerUpdaterService”EventMessageFile” = „[HEXADECIMAL VALUE]”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlog
• ApplicationService1″EventMessageFile” = „[HEXADECIMAL VALUE]”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService”Description” = „NewPlayer Updater Service”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService
• „DisplayName” = „NewPlayer Updater Service”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterServiceEnum
• „Count” = „1”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterServiceEnum
• „NextInstance” = „1”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService
• „ErrorControl” = „1”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService”ImagePath” = „[HEXADECIMAL VALUE]”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService”ObjectName” = „LocalSystem”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterServiceSecurity”Security” = „[HEXADECIMAL VALUE]”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService”Start” = „2”
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterService”Type” = „10”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPlayerTasksNowPlaying”InitFlags” = „1”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTP”ProxyBypass” = „0”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTP”ProxyPort” = „50”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTP”ProxyStyle” = „1”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSP”ProxyBypass” = „0”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSP”ProxyPort” = „22a”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSP”ProxyStyle” = „0”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftWindows MediaWMSDKGeneral”ComputerName” = „STARFLEE-205AC0”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftWindows MediaWMSDKGeneral”UniqueID” = „{8E1E74B2-D6AA-4830-91CE-B40F6B11D30C}”
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftWindows MediaWMSDKGeneral”VolumeSerialNumber” = „104bd201”

A további bejegyzéseket is létrehozza:

• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSPProxyExclude
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSPProxyName
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTPProxyExclude
• HKEY_USERSS-1-5-21-1316737702-3227248519-3113389456-500SoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTPProxyName
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNewPlayerUpdaterServiceEnum
• 0:RootLEGACY_NEWPLAYERUPDATERSERVICE000
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTPProxyExclude
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsHTTPProxyName
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSPProxyExclude
• HKEY_CURRENT_USERSoftwareMicrosoftMediaPlayerPreferencesProxySettingsRTSPProxyName
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeDefault
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.3gp
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.aac
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.aif
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.avi
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.divx
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.flv
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.mkv
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.mov
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.mp3
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.mp4
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.mpeg
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.mpg
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.wav
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.wma
• HKEY_LOCAL_MACHINESOFTWAREClassesApplicationsNewPlayer.exeSupportedTypes.wmv
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTProcessNewPlayerDEBUGTrace Level
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNewPlayerPublisher

Végezetül a trójai kéri a bankkártya adatait ahhoz, hogy teljes regisztrációt végre tudja hajtani. 

A trójai figyeli a felhasználó internet-böngészési tevékenységét, majd megjeleníti a célzott felugró hirdetéseket a fertőzött számítógépen. 

Megoldás

Frissítse a víruskereső adatbázisát.

Támadás típusa

Hatás

Szükséges hozzáférés

Hivatkozások

Egyéb referencia: www.symantec.com