Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Link Tunneling Receiver' = '<SYSTEM32>\sfpfxlmvv.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\Fax Receiver PNRP Audio Print Smart Level SSDP] 'ImagePath' = '<SYSTEM32>\sfpfxlmvv.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Fax Receiver PNRP Audio Print Smart Level SSDP] 'Start' = '00000002'
Вредоносные функции:
Для затруднения выявления своего присутствия в системе
блокирует:
- Центр обеспечения безопасности (Security Center)
Запускает на исполнение:
- '<SYSTEM32>\ptzlnexpq.exe' "<SYSTEM32>\sfpfxlmvv.exe"
- '%WINDIR%\Temp\iadbjybz2nu7lo.exe' -r 27777 tcp
- '%TEMP%\iadbjybgjdaalloogkvhqbv.exe'
- '<SYSTEM32>\sfpfxlmvv.exe'
Изменения в файловой системе:
Создает следующие файлы:
- <SYSTEM32>\pzmdfrnxjuk\run
- <SYSTEM32>\pzmdfrnxjuk\rng
- %WINDIR%\Temp\iadbjybz2nu7lo.exe
- <SYSTEM32>\pzmdfrnxjuk\cfg
- %TEMP%\iadbjybgjdaalloogkvhqbv.exe
- <SYSTEM32>\pzmdfrnxjuk\tst
- <SYSTEM32>\ptzlnexpq.exe
- <SYSTEM32>\sfpfxlmvv.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- <SYSTEM32>\ptzlnexpq.exe
- <SYSTEM32>\sfpfxlmvv.exe
Удаляет следующие файлы:
- %WINDIR%\Temp\iadbjybz2nu7lo.exe
- %TEMP%\iadbjybgjdaalloogkvhqbv.exe
Сетевая активность:
Подключается к:
- 'hi###ear.net':80
- 'lo##grow.ru':80
- 'hi###hank.ru':80
- 'wh###ear.net':80
- 'wi###hank.net':80
- 'lo###ity.net':80
- 'fe###row.net':80
- 'lo###row.net':80
- 'ri###nstorm.net':80
- 'lo####thepings.ru':80
- '18#.#17.73.77':80
- '18#.#06.120.168':80
- 'wh###hank.net':80
- 'hi###hank.net':80
- 'wh###ity.net':80
- 'hi###ity.net':80
TCP:
Запросы HTTP GET:
- http://hi###ear.net/index.php
- http://lo##grow.ru/index.php
- http://hi###hank.ru/index.php
- http://wh###ear.net/index.php
- http://wi###hank.net/index.php
- http://lo###ity.net/index.php
- http://fe###row.net/index.php
- http://lo###row.net/index.php
- http://ri###nstorm.net/index.php
- http://lo####thepings.ru/index.php
- http://18#.#17.73.77/index.php
- http://18#.#06.120.168/index.php
- http://wh###hank.net/index.php
- http://hi###hank.net/index.php
- http://wh###ity.net/index.php
- http://hi###ity.net/index.php
UDP:
- DNS ASK dr###compe.net
- DNS ASK wi###ompe.net
- DNS ASK lo##fell.ru
- DNS ASK th###count.net
- DNS ASK dr###fell.net
- DNS ASK wi###our.net
- DNS ASK dr###hour.ru
- DNS ASK dr###hour.net
- DNS ASK fe###ount.net
- DNS ASK lo###ount.net
- DNS ASK fe###ell.net
- DNS ASK lo###ell.net
- DNS ASK th###hour.net
- DNS ASK th###fell.net
- DNS ASK th###compe.ru
- DNS ASK th###compe.net
- DNS ASK ab####irteen.net
- DNS ASK kn###urry.net
- DNS ASK kn###hirteen.ru
- DNS ASK kn####irteen.net
- DNS ASK so##hope.ru
- DNS ASK so###ope.net
- DNS ASK ab###urry.net
- DNS ASK pi###ope.net
- DNS ASK wi###ount.ru
- DNS ASK wi###ount.net
- DNS ASK wi###ell.net
- DNS ASK dr###count.net
- DNS ASK kn###eft.net
- DNS ASK ab###eft.net
- DNS ASK kn###ope.net
- DNS ASK ab###ope.net
- DNS ASK mo###our.net
- DNS ASK ju###our.net
- DNS ASK mo###ompe.net
- DNS ASK ju###ompe.net
- DNS ASK ju###ell.net
- DNS ASK mo###ount.net
- DNS ASK mo##fell.ru
- DNS ASK mo###ell.net
- DNS ASK si###our.net
- DNS ASK ro###ell.net
- DNS ASK ro##hour.ru
- DNS ASK ro###our.net
- DNS ASK si###ount.ru
- DNS ASK si###ount.net
- DNS ASK si###ell.net
- DNS ASK ro###ount.net
- DNS ASK wh###ount.net
- DNS ASK fe###ompe.net
- DNS ASK hi###ount.ru
- DNS ASK hi###ount.net
- DNS ASK lo##hour.ru
- DNS ASK lo###our.net
- DNS ASK lo###ompe.net
- DNS ASK fe###our.net
- DNS ASK wh###ompe.ru
- DNS ASK wh###ompe.net
- DNS ASK ju###ount.net
- DNS ASK hi###ompe.net
- DNS ASK hi###ell.net
- DNS ASK wh###ell.net
- DNS ASK hi###our.net
- DNS ASK wh###our.net
- DNS ASK lo####irteen.net
- DNS ASK fe###urry.net
- DNS ASK fe###hirteen.ru
- DNS ASK fe####irteen.net
- DNS ASK lo##hope.ru
- DNS ASK th###left.net
- DNS ASK lo###urry.net
- DNS ASK th###hope.net
- DNS ASK wh###urry.ru
- DNS ASK wh###urry.net
- DNS ASK wh####irteen.net
- DNS ASK hi###urry.net
- DNS ASK fe###eft.net
- DNS ASK lo###eft.net
- DNS ASK fe###ope.net
- DNS ASK lo###ope.net
- DNS ASK dr###hurry.net
- DNS ASK wi###urry.net
- DNS ASK dr####hirteen.net
- DNS ASK wi####irteen.net
- DNS ASK ab###ild.net
- DNS ASK kn###une.net
- DNS ASK kn##wild.ru
- DNS ASK kn###ild.net
- DNS ASK th###hurry.net
- DNS ASK dr###hope.net
- DNS ASK th####hirteen.net
- DNS ASK th###hurry.ru
- DNS ASK wi##left.ru
- DNS ASK wi###eft.net
- DNS ASK wi###ope.net
- DNS ASK dr###left.net
- DNS ASK si##left.ru
- DNS ASK si###eft.net
- DNS ASK si###ope.net
- DNS ASK ro###eft.net
- DNS ASK ro###urry.net
- DNS ASK si###urry.net
- DNS ASK ro####irteen.net
- DNS ASK si####irteen.net
- DNS ASK pi####irteen.net
- DNS ASK so####irteen.net
- DNS ASK pi###eft.net
- DNS ASK so###eft.net
- DNS ASK so###urry.net
- DNS ASK ro###ope.net
- DNS ASK pi###urry.ru
- DNS ASK pi###urry.net
- DNS ASK hi###ope.net
- DNS ASK wh###ope.net
- DNS ASK ju###urry.net
- DNS ASK mo###urry.net
- DNS ASK wh###eft.net
- DNS ASK hi####irteen.net
- DNS ASK hi##left.ru
- DNS ASK hi###eft.net
- DNS ASK ju###ope.net
- DNS ASK mo###eft.net
- DNS ASK mo##hope.ru
- DNS ASK mo###ope.net
- DNS ASK ju###hirteen.ru
- DNS ASK ju####irteen.net
- DNS ASK ju###eft.net
- DNS ASK mo####irteen.net
- DNS ASK si###ompe.net
- DNS ASK ab##july.ru
- DNS ASK kn###uly.net
- DNS ASK ab###ish.net
- DNS ASK ab###uly.net
- DNS ASK pi###arch.net
- DNS ASK so###ure.net
- DNS ASK pi###ure.net
- DNS ASK kn###ish.net
- DNS ASK wi###ear.net
- DNS ASK fe###ear.net
- DNS ASK dr###tear.net
- DNS ASK th###city.net
- DNS ASK wi###ity.net
- DNS ASK kn###arch.net
- DNS ASK dr###thank.net
- DNS ASK so###arch.net
- DNS ASK ro###ish.net
- DNS ASK si###arch.net
- DNS ASK ro###arch.net
- DNS ASK si###ish.net
- DNS ASK si###uly.net
- DNS ASK ro###uly.net
- DNS ASK ro##july.ru
- DNS ASK si###ure.net
- DNS ASK so###ish.net
- DNS ASK pi###ish.net
- DNS ASK pi##dish.ru
- DNS ASK pi###uly.net
- DNS ASK si##pure.ru
- DNS ASK ro###ure.net
- DNS ASK so###uly.net
- DNS ASK ab###ure.net
- DNS ASK fe###row.net
- DNS ASK lo##grow.ru
- DNS ASK hi###ear.net
- DNS ASK lo###row.net
- DNS ASK wi###hank.ru
- DNS ASK lo###ity.net
- DNS ASK wi###hank.net
- DNS ASK wh###ear.net
- DNS ASK wh###ity.net
- DNS ASK lo####thepings.ru
- DNS ASK ri###nstorm.net
- DNS ASK hi###ity.net
- DNS ASK hi###hank.ru
- DNS ASK hi###hank.net
- DNS ASK wh###hank.net
- DNS ASK th###grow.net
- DNS ASK dr###grow.ru
- DNS ASK fe###ity.net
- DNS ASK th###thank.net
- DNS ASK lo###ear.net
- DNS ASK th###tear.net
- DNS ASK ab###arch.net
- DNS ASK kn###ure.net
- DNS ASK fe###hank.net
- DNS ASK wi###row.net
- DNS ASK dr###city.net
- DNS ASK dr###grow.net
- DNS ASK lo###hank.net
- DNS ASK fe##city.ru
- DNS ASK lo##tear.ru
- DNS ASK kn###arch.ru
- DNS ASK mo###ure.net
- DNS ASK wi###uly.net
- DNS ASK dr###july.net
- DNS ASK dr###july.ru
- DNS ASK kn###ompe.net
- DNS ASK ab##hour.ru
- DNS ASK kn###our.net
- DNS ASK ab###ompe.net
- DNS ASK wi###ish.net
- DNS ASK wi##pure.ru
- DNS ASK dr###pure.net
- DNS ASK th###july.net
- DNS ASK wi###ure.net
- DNS ASK dr###dish.net
- DNS ASK wi###arch.net
- DNS ASK dr###march.net
- DNS ASK ab###our.net
- DNS ASK so##fell.ru
- DNS ASK pi###ell.net
- DNS ASK so###our.net
- DNS ASK so###ell.net
- DNS ASK ro###ompe.net
- DNS ASK so###ount.net
- DNS ASK pi###ount.net
- DNS ASK pi###our.net
- DNS ASK kn###ount.net
- DNS ASK ab###ell.net
- DNS ASK kn###ell.net
- DNS ASK ab###ount.net
- DNS ASK so###ompe.net
- DNS ASK pi###ompe.net
- DNS ASK pi###ompe.ru
- DNS ASK th###dish.net
- DNS ASK wh###ure.net
- DNS ASK hi###ure.net
- DNS ASK hi##pure.ru
- DNS ASK hi###arch.net
- DNS ASK wh##dish.ru
- DNS ASK hi###ish.net
- DNS ASK wh###arch.net
- DNS ASK ju###uly.net
- DNS ASK mo###arch.net
- DNS ASK ju###ure.net
- DNS ASK ju###arch.ru
- DNS ASK ju###arch.net
- DNS ASK mo###uly.net
- DNS ASK ju###ish.net
- DNS ASK mo###ish.net
- DNS ASK wh###ish.net
- DNS ASK lo##july.ru
- DNS ASK fe###uly.net
- DNS ASK lo###ish.net
- DNS ASK lo###uly.net
- DNS ASK th###dish.ru
- DNS ASK th###march.net
- DNS ASK th###pure.net
- DNS ASK fe###ish.net
- DNS ASK fe###ure.net
- DNS ASK wh###uly.net
- DNS ASK hi###uly.net
- DNS ASK lo###ure.net
- DNS ASK lo###arch.net
- DNS ASK fe###arch.net
- DNS ASK fe###arch.ru
- '23#.#55.255.250':1900
