�� esetnod32.ru [��: msil/injector.vof]

msil/injector.vof

Sat, 18 Jun 2022 14:27:37 +0300

msil/injector.vof � �� .
��,
��
http://forum.esetnod32.ru/forum9/topic10688/
18.06.2022 14:27:37, santy.

msil/injector.vof

Fri, 17 Jun 2022 22:56:13 +0300

msil/injector.vof � �� .
Adware
https://ru.wikipedia.org/wiki/Adware

�� - �� .
17.06.2022 22:56:13, RP55 RP55.

msil/injector.vof

Fri, 17 Jun 2022 19:54:35 +0300

msil/injector.vof � �� .
��;�� ;�� ;��;��;��;��;��;��;��
18.06.2022 0:51:37;�� HTTP;��;https://powerain.biz/sw/w1s.js;JS/Adware.Adport.A ��;�� ;��-��\��;�� : C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (1B8EE52629D4862281DF2503EBAE777FA42C05AA).;4766683F463207DB2C8F642EA3AF9C321DB88086;
17.06.2022 19:54:35, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 19:50:34 +0300

msil/injector.vof � �� .
��, ��
17.06.2022 19:50:34, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 19:18:38 +0300

msil/injector.vof � �� .
� �� "dialerstager"?
�� , �� . �� 2-3. �� 1-2 �� ELC, �� , �� .
17.06.2022 19:18:38, santy.

msil/injector.vof

Fri, 17 Jun 2022 19:14:34 +0300

msil/injector.vof � �� .
dialersvc32.job ��, �� c:\windows\system32\tasks\GoogleUpdateTaskMachineQC �� , �� MicrosoftEdgeUpdateTaskMachineCore, �� , dialerstager � ��
17.06.2022 19:14:34, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 18:12:52 +0300

msil/injector.vof � �� .
�� -�� , �� .
Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)

�� :
(�� )
HKEY_LOCAL_MACHINE\SOFTWARE\dialerstager
�� .
17.06.2022 18:12:52, santy.

msil/injector.vof

Fri, 17 Jun 2022 18:10:09 +0300

msil/injector.vof � �� .
�� : https://www.comss.ru/page.php?id=10578
�� simplix... �� 24.02.22... ( �� : �� ... )
17.06.2022 18:10:09, RP55 RP55.

msil/injector.vof

Fri, 17 Jun 2022 17:44:39 +0300

msil/injector.vof � �� .
��, ��
"��" = "c:\windows\system32\tasks\GoogleUpdateTaskMachineQC" ( 5: �� ) ;
"�� " = "c:\program Files\Chrome\updater.exe" ( 5: �� ) ;
17.06.2022 17:44:39, santy.

msil/injector.vof

Fri, 17 Jun 2022 17:33:05 +0300

msil/injector.vof � �� .
�� : https://vms.drweb.ru/virus/?i=25075592

�� FILES\CHROME\UPDATER.EXE
�� UPDATER.EXE
��. ��

��
��

��. ��
�� C:\PROGRAM
CmdLine FILES\CHROME\UPDATER.EXE

��
�� C:\WINDOWS\SYSTEM32\TASKS\GOOGLEUPDATETASKMACHINEQC
17.06.2022 17:33:05, RP55 RP55.

msil/injector.vof

Fri, 17 Jun 2022 17:29:09 +0300

msil/injector.vof � �� .
+ �� :
"��" = "c:\windows\tasks\dialersvc32.job" ( 5: �� ) ;
"�� " = "powershell" ( 5: �� ) ;
17.06.2022 17:29:09, santy.

msil/injector.vof

Fri, 17 Jun 2022 17:23:05 +0300

msil/injector.vof � �� .
�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v4.12 [http://dsrt.dyndns.org:8888]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
hide %Sys32%\DRIVERS\SMARTDEFRAGDRIVER.SYS
;------------------------autoscript---------------------------

delref {471EED5F-7417-4BC0-BC48-C58AA835E4AD}\[TASK]
delref HTTPS://FASTPROXY.APP/SERVICE/UPDATE2/CRX?PARTNER=01?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DGJAOJBKKFPEDGEFIDKAGJEIBCBFNAKKE%26INSTALLSOURCE%3DONDEMAND%26UC
apply


deltmp
delref %SystemDrive%\PROGRAM FILES (X86)\IOBIT\DRIVER BOOSTER\DRIVERBOOSTER.EXE
delref %SystemDrive%\PROGRAM
delref {23E5D772-327A-42F5-BDEE-C65C6796BB2A}\[CLSID]
delref {177AFECE-9599-46CF-90D7-68EC9EEB27B4}\[CLSID]
delref {CEF51277-5358-477B-858C-4E14F0C80BF7}\[CLSID]
delref {59116E30-02BD-4B84-BA1E-5D77E809B1A2}\[CLSID]
delref D:\PROGRAM FILES\WINDOWS DEFENDER\MPCMDRUN.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\IOBIT\SMART DEFRAG\AUTODEFRAG.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\IOBIT\SMART DEFRAG\SMARTDEFRAG.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\IOBIT\SMART DEFRAG\AUTOUPDATE.EXE
delref %SystemRoot%\SYSWOW64\PEERDISTSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\NDIS.SYS
delref %SystemRoot%\SYSWOW64\RDPCORETS.DLL
delref %SystemRoot%\SYSWOW64\UMPO.DLL
delref %SystemRoot%\SYSWOW64\IPHLPSVC.DLL
delref %SystemRoot%\SYSWOW64\CSCSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\RDVGKMD.SYS
delref %SystemRoot%\SYSWOW64\PNRPSVC.DLL
delref %SystemRoot%\SYSWOW64\DRIVERS\PACER.SYS
delref %SystemRoot%\SYSWOW64\LSM.EXE
delref {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\[CLSID]
delref {166B1BCA-3F9C-11CF-8075-444553540000}\[CLSID]
delref {233C1507-6A77-46A4-9443-F871F945D258}\[CLSID]
delref {4063BE15-3B08-470D-A0D5-B37161CFFD69}\[CLSID]
delref {88D969C0-F192-11D4-A65F-0040963251E5}\[CLSID]
delref {88D969C1-F192-11D4-A65F-0040963251E5}\[CLSID]
delref {88D969C2-F192-11D4-A65F-0040963251E5}\[CLSID]
delref {88D969C3-F192-11D4-A65F-0040963251E5}\[CLSID]
delref {88D969C4-F192-11D4-A65F-0040963251E5}\[CLSID]
delref {88D969C5-F192-11D4-A65F-0040963251E5}\[CLSID]
delref {8AD9C840-044E-11D1-B3E9-00805F499D93}\[CLSID]
delref {CA8A9780-280D-11CF-A24D-444553540000}\[CLSID]
delref {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}\[CLSID]
delref {D27CDB6E-AE6D-11CF-96B8-444553540000}\[CLSID]
delref %SystemRoot%\SYSWOW64\WIN32K.SYS
delref %SystemRoot%\SYSWOW64\BLANK.HTM
delref {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\[CLSID]
delref %Sys32%\DRIVERS\RDVGKMD.SYS
delref %Sys32%\DRIVERS\TPM.SYS
delref %Sys32%\MSSPELLCHECKINGFACILITY.DLL
delref %Sys32%\BLANK.HTM
delref HELPSVC\[SERVICE]
delref SACSVR\[SERVICE]
delref TBS\[SERVICE]
delref VMMS\[SERVICE]
delref MESSENGER\[SERVICE]
delref RDSESSMGR\[SERVICE]
delref %SystemRoot%\XHUNTER1.SYS
delref %Sys32%\PSXSS.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE\1.3.161.35\PSMACHINE_64.DLL
delref %Sys32%\SHAREMEDIACPL.CPL
delref %SystemDrive%\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE\1.3.157.61\PSMACHINE_64.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE\1.3.161.35\PSMACHINE.DLL
delref %SystemDrive%\PROGRAM FILES (X86)\MICROSOFT\EDGEUPDATE\1.3.157.61\PSMACHINE.DLL
delref %SystemDrive%\PROGRAMDATA\MALWAREBYTES' ANTI-MALWARE (PORTABLE)\MBAMDOR.EXE
delref %SystemDrive%\PROGRAM FILES\PROCESS HACKER 2\PROCESSHACKER.EXE
delref %SystemDrive%\PROGRAM FILES (X86)\IOBIT\SMART DEFRAG\UNINS000.EXE
;-------------------------------------------------------------

restart

=============
��, �� .
------------
��,
��
http://forum.esetnod32.ru/forum9/topic10688/
17.06.2022 17:23:05, santy.

msil/injector.vof

Fri, 17 Jun 2022 17:20:46 +0300

msil/injector.vof � �� .
�� ?)
17.06.2022 17:20:46, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 17:19:14 +0300

msil/injector.vof � �� .
�� :"��" = "c:\windows\system32\tasks\dialersvc32" ( 5: �� ) ;
"�� " = "powershell "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"" ( 5: �� ) ;

====quote====
�� {471EED5F-7417-4BC0-BC48-C58AA835E4AD}\[TASK]
�� [TASK]
��. ��

��
��

��
�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{471EED5F-7417-4BC0-BC48-C58AA835E4AD}\
Task \dialersvc32

=============

17.06.2022 17:19:14, santy.

msil/injector.vof

Fri, 17 Jun 2022 17:13:16 +0300

msil/injector.vof � �� .

====quote====
santy ��:
�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====

 ;uVS v4.12 [http://dsrt.dyndns.org:8888]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
regt 39
regt 41
restart

=============
��, ��, ��, �� .
------------
=============

��-��_2022-06-17_22-02-48_v4.12.7z
17.06.2022 17:13:16, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 16:57:51 +0300

msil/injector.vof � �� .
�� , � �� ...
17.06.2022 16:57:51, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 16:47:32 +0300

msil/injector.vof � �� .
�� : 2-3 �� .
17.06.2022 16:47:32, santy.

msil/injector.vof

Fri, 17 Jun 2022 16:44:53 +0300

msil/injector.vof � �� .
�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v4.12 [http://dsrt.dyndns.org:8888]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
regt 39
regt 41
restart

=============
��, ��, ��, �� .
------------
17.06.2022 16:44:53, santy.

msil/injector.vof

Fri, 17 Jun 2022 16:44:03 +0300

msil/injector.vof � �� .
MSIL/Injector.VOF trojan cleaned �� , �� , ��
17.06.2022 16:44:03, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 16:42:40 +0300

msil/injector.vof � �� .
�� ESVC:
Vulnerable SMBv1 protocol is enabled. To disable it, please check "How to remove SMBv1" at:
https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3#how-to-remove-smbv1

Logon events auditing is probably partially (or fully) disabled.
To enable it, launch secpol.msc and in Local Policies -> Audit Policy -> Audit logon events, check both Success and Failure.

A tool that might have been misused by hackers to uninstall or disable ESET was detected:
- Process Hacker 2.39 (r124) (installed on 08.05.2022 18:52:58)

The following critical patches are missing:
- MS16-032 (https://technet.microsoft.com/en-us/library/security/MS16-032)
17.06.2022 16:42:40, santy.

msil/injector.vof

Fri, 17 Jun 2022 16:42:15 +0300

msil/injector.vof � �� .
��) � �� , � �� , ��
17.06.2022 16:42:15, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 16:37:41 +0300

msil/injector.vof � �� .
17.06.2022 8:57:19 Advanced memory scanner file Operating memory � powershell.exe(1532) a variant of MSIL/Injector.VOF trojan cleaned - contained infected files 02BF98C88F11F998F15E6418695A17EC2FD51618
17.06.2022 2:56:36 Advanced memory scanner file Operating memory � powershell.exe(1620) a variant of MSIL/Injector.VOF trojan cleaned - contained infected files 02BF98C88F11F998F15E6418695A17EC2FD51618

====quote====
27.05.2022 14:43:16 Advanced memory scanner file Operating memory � taskeng.exe(1984) a variant of Win64/Rootkit.Agent.AZ trojan cleaned (after the next restart) - contained infected files 7DE35EDDF40ED09D65E6DC2122BE85D78DA83773
27.05.2022 14:43:15 Advanced memory scanner file Operating memory � taskeng.exe(2772) a variant of Win64/Rootkit.Agent.AZ trojan cleaned (after the next restart) - contained infected files 2BF64E68A5CB864127D1BC4DE3D65B759ACCDB81
27.05.2022 14:43:15 Advanced memory scanner file Operating memory � CCleaner64.exe(384) a variant of Win64/Rootkit.Agent.AZ trojan cleaned (after the next restart) - contained infected files 5437FA266CCB37ABD17D332120D4FBCDD53EB4BF
27.05.2022 14:43:14 Advanced memory scanner file Operating memory � dllhost.exe(4004) a variant of Win64/Rootkit.Agent.AZ trojan unable to clean 9F213E2E081104D00D7927D623251674309FB057

=============

�� ?
17.06.2022 16:37:41, santy.

msil/injector.vof

Fri, 17 Jun 2022 16:31:17 +0300

msil/injector.vof � �� .
�� )
eis_logs.zip
ESVC_��-��_20220617212445.zip
17.06.2022 16:31:17, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 16:24:10 +0300

msil/injector.vof � �� .
�� ESETLogCollector https://www.sendspace.com/file/holtqp ��
17.06.2022 16:24:10, rusik ens.

msil/injector.vof

Fri, 17 Jun 2022 14:40:56 +0300

msil/injector.vof � �� .
�� - �� .
�� .

+
�� ESETLogCollector
�� , ��
https://forum.esetnod32.ru/forum9/topic10671/
+
�� ESVC:
�� ESETSysVulnCheck[/B] �� (�� IE)
https://ftp.eset.sk/samples/svchecker/ESETSysVulnCheck.exe
� �� .
�� , �� , �� - �� "SysVulnCheck_out.zip".
�� .

! �� : �� .
17.06.2022 14:40:56, RP55 RP55.

msil/injector.vof

Fri, 17 Jun 2022 12:44:23 +0300

msil/injector.vof � �� .
��. �� , �� msil/injector.vof �� powershell.exe
�� uvs https://www.sendspace.com/file/ns06v7
17.06.2022 12:44:23, rusik ens.

����� esetnod32.ru [����: msil/injector.vof]

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

msil/injector.vof

�� esetnod32.ru [��: msil/injector.vof]