Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt] 'DLLName' = 'crypts.dll'
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Полный путь к вирусу>' = '<Полный путь к вирусу>:*:Enabled:ipsec'
Для затруднения выявления своего присутствия в системе
блокирует:
- Средство контроля пользовательских учетных записей (UAC)
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\ctfmon.exe
- %WINDIR%\Explorer.EXE
большое количество пользовательских процессов.
Изменения в файловой системе:
Создает следующие файлы:
- %TEMP%\6D94.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\bt[3].php
- %TEMP%\w77ba4.exe
- %TEMP%\we8eea.exe
- %TEMP%\5FC9.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\bt[3].php
- %TEMP%\527B.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\bt[3].php
- %TEMP%\5912.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\bt[4].php
- %TEMP%\93D9.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\bt[4].php
- %TEMP%\9B6B.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\bt[5].php
- %TEMP%\8D32.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\bt[4].php
- %TEMP%\809F.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\bt[4].php
- %TEMP%\86E9.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\bt[1].php
- %TEMP%\14C6.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\bt[1].php
- %TEMP%\23CA.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\bt[1].php
- <SYSTEM32>\crypts.dll
- %TEMP%\eta04a.exe
- %TEMP%\E951.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\bt[1].php
- %TEMP%\2F05.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\bt[2].php
- %TEMP%\4607.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\bt[3].php
- %TEMP%\4C41.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\bt[2].php
- %TEMP%\38E8.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\bt[2].php
- %TEMP%\3F12.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\bt[2].php
Удаляет следующие файлы:
- %TEMP%\we8eea.exe
- %TEMP%\w77ba4.exe
- %TEMP%\5FC9.tmp
- %TEMP%\6D94.tmp
- %TEMP%\809F.tmp
- %TEMP%\93D9.tmp
- %TEMP%\9B6B.tmp
- %TEMP%\86E9.tmp
- %TEMP%\8D32.tmp
- %TEMP%\5912.tmp
- %TEMP%\23CA.tmp
- %TEMP%\2F05.tmp
- %TEMP%\E951.tmp
- %TEMP%\14C6.tmp
- %TEMP%\38E8.tmp
- %TEMP%\4C41.tmp
- %TEMP%\527B.tmp
- %TEMP%\3F12.tmp
- %TEMP%\4607.tmp
Сетевая активность:
Подключается к:
- 'pz#k.ru':80
- '89.##9.227.194':80
- 'it###rying.com':80
- 'localhost':1036
- 'li####soring.com':80
TCP:
Запросы HTTP GET:
- pz#k.ru/img/logo4.gif?26########################
- 89.##9.227.194/tratata/?27########################
- li####soring.com/bt.php?mo##################################################
- it###rying.com/bt.php?mo##################################################
UDP:
- DNS ASK pz#k.ru
- DNS ASK it###rying.com
- DNS ASK li####soring.com
- '21#.#13.115.134':5147
- '21#.#5.104.120':4314
- '89.##2.182.33':7530
- '19#.#14.128.108':5565
- '89.##.125.37':6930
- '90.##7.110.89':7086
- '81.##8.221.221':5080
- '91.##9.163.180':6475
- '93.##.76.240':6470
- '19#.#9.246.235':3995
- '82.##0.97.190':5469
- '89.##.10.114':7030
- '83.##8.88.250':5435
- '92.##4.173.178':7400
- '77.#1.71.91':4599
- '86.##7.193.41':6689
- '20#.#4.11.79':5670
- '78.##9.156.61':5147
- '89.#3.85.91':6085
- '24.##.208.27':5760
- '85.#5.4.147':6120
- '82.##9.204.125':6618
- '12#.#09.132.78':4824
- '85.##7.35.234':7084
- '75.##.245.176':7310
- '78.##.109.84':7240
- '19#.#54.0.201':6520
- '81.##0.155.10':4512
- '86.##6.68.197':4536
- '12#.#62.44.215':6902
- '81.##1.19.73':4824
- '89.##.218.33':5305
- '97.##.124.230':5530
- '19#.#7.150.38':7170
- '78.#8.91.66':7455
- '83.##8.198.80':4875
- '86.##7.29.23':8135
- '62.##6.105.132':5238
- '12.##9.208.155':5619
- '19#.#.90.204':6440
- '89.#8.28.22':5976
- '62.##7.122.19':6384
- '89.##.107.196':9130
- '87.##5.58.94':4930
- '92.##4.190.46':9674
- '21#.#48.33.12':6039
- '19#.#9.246.70':3995
- '84.##5.171.229':6930
- '86.##7.230.147':7471
- '91.##6.51.114':6520
- '78.##.130.116':6462
- '79.##8.202.178':5305
- '70.##4.85.176':5975
- '21#.#62.245.83':6475
- '67.##.149.219':5670
- '77.##0.45.103':39864
- '19#.#6.139.254':4860
- '21#.#.154.207':7874
- '69.##8.141.142':7128
- '78.##.194.240':7650
- '84.##9.115.221':4930
- '19#.#3.67.71':6932
- '68.#.38.54':5886
- '88.##6.33.250':5837
- '82.##2.166.166':4680
- '83.##.174.222':7720
- '18#.#3.92.10':8472
- '92.##.38.175':6520
- '92.##4.199.74':6628
- '78.##2.54.237':5703
- '84.##9.119.249':5435
- '68.##3.90.152':4412
- '91.##6.149.57':6085
- '87.##8.178.30':4728
- '82.##.165.29':6807
- '87.##7.117.85':5184
- '89.#4.88.38':4930
- '79.##3.184.17':7160
- '21#.#34.167.125':5007
- '81.##1.99.214':5569
- '86.##.202.201':5980
- '77.##1.207.93':5280
- '85.##7.57.166':7874
- '85.##3.14.117':6440
- '79.##2.224.227':4480
- '79.##6.81.216':5832
- '62.##5.82.237':6976
- '12#.#63.23.145':9674
- '19#.#58.222.23':6930
- '84.#7.30.60':4630
- '83.##8.200.75':7554
- '21#.#33.213.93':5370
- '22#.95.63.5':5703
- '86.##5.95.127':8218
- '82.##6.165.106':7320
- '89.##.220.93':8136
- '78.##.92.192':7716
- '89.##.142.104':6408
- '78.##9.156.34':8190
- '89.##7.66.63':5305
- '89.##.36.202':5305
- '86.##6.242.59':6048
- '85.##6.127.133':7115
- '89.#8.16.73':5084
- '78.#6.71.2':6926
- '62.##8.178.93':6624
- '89.##2.28.252':5435
- '86.##4.203.132':6440
- '90.##9.190.10':41208
- '92.##4.227.69':5370
- '19#.#22.93.119':7230
- '89.##.105.22':6475
- '89.##6.112.65':5755
- '86.##.111.197':5292
- '68.##.186.250':9000
- '90.##0.232.149':6605
- '83.##.19.124':5517
- '86.##3.176.84':5517
- '16#.#.101.249':5517
- '18#.#8.58.176':8040
- '89.##9.236.171':5517
- '20#.#0.57.62':5517
- '10#.#2.38.78':5517
- '58.##.150.204':5517
- '37.##.182.68':5517
- '24#.#2.113.228':5517
- '48.#.73.23':5517
- '81.##0.94.112':6724
- '77.##.50.229':5305
- '79.##2.141.17':5196
- '81.##0.143.203':7605
- '89.##.202.144':5955
- '75.##2.207.230':4951
- '89.#3.212.6':4564
- '20#.#5.100.171':6820
- '77.##2.85.173':4956
- '21#.#0.126.141':5630
- '98.##9.67.154':9674
- '89.##9.67.154':9674
- '87.##0.213.32':6410
- '24.##2.60.201':7310
- '92.##5.203.173':4780
- '89.##.23.155':5636
- '80.##5.188.82':7880
- '81.##.169.166':7605
- '84.#08.26.3':5435
- '89.##5.156.133':5160
- '21#.#33.234.98':6945
- '69.##5.72.34':7132
- '89.##.56.252':4720
- '83.##4.146.228':6186
- '68.##.41.126':4446
- '82.##1.160.147':6976
- '77.##0.70.73':4755
- '89.##9.242.253':4920
- '67.##7.114.71':5370
- '72.##0.213.62':6865
- '89.#1.2.112':6410
- '91.##6.35.115':4650
- '79.##9.163.232':4564
- '89.#7.32.54':6520
- '77.##.254.210':5565
- '89.#6.131.4':5370
- '84.##4.15.248':6452
- '87.##.236.132':7476
- '20#.#55.102.202':6048
- '77.##1.128.177':6120
- '19#.#3.255.106':7005
- '87.##0.194.79':7548
- '19#.#16.4.248':4545
- '78.##.16.184':5670
- '79.##3.167.215':6263
- '91.##7.85.35':5016
- '65.##.111.218':5530
- '89.#5.24.92':4525
- '89.##.216.229':6393
- '67.##8.207.194':4902
- '86.##7.92.228':4330
- '82.##4.173.153':7056
- '70.##0.205.151':5147
- '89.##.100.146':4968
- '85.##0.45.113':4265
- '68.#5.151.9':6630
- '89.##.215.100':4460
- '19#.#0.9.179':6768
