Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'PnP-X Gateway AuthIP Office Parental Audio' = 'C:\ekqqece\fsf9uuj.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\Font Server Alerts Web Receiver] 'ImagePath' = 'C:\ekqqece\fsf9uuj.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Font Server Alerts Web Receiver] 'Start' = '00000002'
Изменения в файловой системе:
Создает следующие файлы:
- C:\ekqqece\fsf9uuj.exe
- C:\ekqqece\rfepsiktamyiq.exe
- C:\ekqqece\dhgbsqojznut
- %WINDIR%\ekqqece\vvlrire
- C:\ekqqece\vvlrire
- C:\ekqqece\rvwfljls2umvnljqfpnta.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- C:\ekqqece\rfepsiktamyiq.exe
- C:\ekqqece\fsf9uuj.exe
Удаляет следующие файлы:
- C:\ekqqece\rvwfljls2umvnljqfpnta.exe
- %WINDIR%\ekqqece\vvlrire
Подменяет следующие файлы:
- %WINDIR%\ekqqece\vvlrire
Сетевая активность:
Подключается к:
- 'gr#####ledonaldson.net':80
- 'ma#####nedonaldson.net':80
- 'gr#####leconstable.net':80
- 'si#####testrudwick.net':80
- 'gr#####leharoldson.net':80
- 'ma#####neharoldson.net':80
- 'ma#####neconstable.net':80
- 'je#####teharoldson.net':80
- 'ki#####eydonaldson.net':80
- 'je#####tedonaldson.net':80
- 'gr#####lestrudwick.net':80
- 'ma#####nestrudwick.net':80
- 'ki#####eyharoldson.net':80
- 'me#####hersackville.net':80
- 'ca#####nepettigrew.net':80
- 'me#####herpettigrew.net':80
- 'ca#####nehoneycutt.net':80
- 'me#####herhoneycutt.net':80
- 'ca#####nesackville.net':80
- 'st#####iaharoldson.net':80
- 'st#####iaconstable.net':80
- 'si#####teconstable.net':80
- 'st#####iastrudwick.net':80
- 'si#####teharoldson.net':80
- 'st#####iadonaldson.net':80
- 'si#####tedonaldson.net':80
- 'ki#####eyconstable.net':80
- 'ka#####naconstable.net':80
- 'br#####nnstrudwick.net':80
- 'ka#####nastrudwick.net':80
- 'br#####nndonaldson.net':80
- 'ka#####nadonaldson.net':80
- 'br#####nnconstable.net':80
- 'sy#####erharoldson.net':80
- 'sy#####erconstable.net':80
- 'wi#####edconstable.net':80
- 'sy#####erstrudwick.net':80
- 'wi#####edharoldson.net':80
- 'sy#####erdonaldson.net':80
- 'wi#####eddonaldson.net':80
- 'gw#####ynharoldson.net':80
- 'ha#####teharoldson.net':80
- 'gw#####yndonaldson.net':80
- 'je#####teconstable.net':80
- 'ki#####eystrudwick.net':80
- 'je#####testrudwick.net':80
- 'ha#####tedonaldson.net':80
- 'ha#####testrudwick.net':80
- 'br#####nnharoldson.net':80
- 'ka#####naharoldson.net':80
- 'gw#####ynconstable.net':80
- 'ha#####teconstable.net':80
- 'gw#####ynstrudwick.net':80
TCP:
Запросы HTTP GET:
- http://gr#####ledonaldson.net/index.php
- http://ma#####nedonaldson.net/index.php
- http://gr#####leconstable.net/index.php
- http://si#####testrudwick.net/index.php
- http://gr#####leharoldson.net/index.php
- http://ma#####neharoldson.net/index.php
- http://ma#####neconstable.net/index.php
- http://je#####teharoldson.net/index.php
- http://ki#####eydonaldson.net/index.php
- http://je#####tedonaldson.net/index.php
- http://gr#####lestrudwick.net/index.php
- http://ma#####nestrudwick.net/index.php
- http://ki#####eyharoldson.net/index.php
- http://me#####hersackville.net/index.php
- http://ca#####nepettigrew.net/index.php
- http://me#####herpettigrew.net/index.php
- http://ca#####nehoneycutt.net/index.php
- http://me#####herhoneycutt.net/index.php
- http://ca#####nesackville.net/index.php
- http://st#####iaharoldson.net/index.php
- http://st#####iaconstable.net/index.php
- http://si#####teconstable.net/index.php
- http://st#####iastrudwick.net/index.php
- http://si#####teharoldson.net/index.php
- http://st#####iadonaldson.net/index.php
- http://si#####tedonaldson.net/index.php
- http://ki#####eyconstable.net/index.php
- http://ka#####naconstable.net/index.php
- http://br#####nnstrudwick.net/index.php
- http://ka#####nastrudwick.net/index.php
- http://br#####nndonaldson.net/index.php
- http://ka#####nadonaldson.net/index.php
- http://br#####nnconstable.net/index.php
- http://sy#####erharoldson.net/index.php
- http://sy#####erconstable.net/index.php
- http://wi#####edconstable.net/index.php
- http://sy#####erstrudwick.net/index.php
- http://wi#####edharoldson.net/index.php
- http://sy#####erdonaldson.net/index.php
- http://wi#####eddonaldson.net/index.php
- http://gw#####ynharoldson.net/index.php
- http://ha#####teharoldson.net/index.php
- http://gw#####yndonaldson.net/index.php
- http://je#####teconstable.net/index.php
- http://ki#####eystrudwick.net/index.php
- http://je#####testrudwick.net/index.php
- http://ha#####tedonaldson.net/index.php
- http://ha#####testrudwick.net/index.php
- http://br#####nnharoldson.net/index.php
- http://ka#####naharoldson.net/index.php
- http://gw#####ynconstable.net/index.php
- http://ha#####teconstable.net/index.php
- http://gw#####ynstrudwick.net/index.php
UDP:
- DNS ASK gr#####ledonaldson.net
- DNS ASK ma#####nedonaldson.net
- DNS ASK gr#####leconstable.net
- DNS ASK si#####testrudwick.net
- DNS ASK gr#####leharoldson.net
- DNS ASK ma#####neharoldson.net
- DNS ASK ma#####neconstable.net
- DNS ASK je#####teharoldson.net
- DNS ASK ki#####eydonaldson.net
- DNS ASK je#####tedonaldson.net
- DNS ASK gr#####lestrudwick.net
- DNS ASK ma#####nestrudwick.net
- DNS ASK ki#####eyharoldson.net
- DNS ASK st#####iastrudwick.net
- DNS ASK ca#####nesackville.net
- DNS ASK me#####hersackville.net
- DNS ASK ca#####nepettigrew.net
- DNS ASK me#####herfairchild.net
- DNS ASK ca#####nehoneycutt.net
- DNS ASK me#####herhoneycutt.net
- DNS ASK me#####herpettigrew.net
- DNS ASK si#####tedonaldson.net
- DNS ASK st#####iaconstable.net
- DNS ASK si#####teconstable.net
- DNS ASK st#####iaharoldson.net
- DNS ASK si#####teharoldson.net
- DNS ASK st#####iadonaldson.net
- DNS ASK ka#####naconstable.net
- DNS ASK br#####nnstrudwick.net
- DNS ASK ka#####nastrudwick.net
- DNS ASK br#####nndonaldson.net
- DNS ASK ka#####nadonaldson.net
- DNS ASK br#####nnconstable.net
- DNS ASK sy#####erharoldson.net
- DNS ASK sy#####erconstable.net
- DNS ASK wi#####edconstable.net
- DNS ASK sy#####erstrudwick.net
- DNS ASK wi#####edharoldson.net
- DNS ASK sy#####erdonaldson.net
- DNS ASK wi#####eddonaldson.net
- DNS ASK ka#####naharoldson.net
- DNS ASK je#####testrudwick.net
- DNS ASK gw#####ynharoldson.net
- DNS ASK ha#####teharoldson.net
- DNS ASK ki#####eyconstable.net
- DNS ASK je#####teconstable.net
- DNS ASK ki#####eystrudwick.net
- DNS ASK gw#####yndonaldson.net
- DNS ASK gw#####ynstrudwick.net
- DNS ASK ha#####testrudwick.net
- DNS ASK br#####nnharoldson.net
- DNS ASK ha#####tedonaldson.net
- DNS ASK gw#####ynconstable.net
- DNS ASK ha#####teconstable.net
Другое:
Создает и запускает на исполнение:
- 'C:\ekqqece\rfepsiktamyiq.exe' "c:\ekqqece\fsf9uuj.exe"
- 'C:\ekqqece\fsf9uuj.exe'
- 'C:\ekqqece\rvwfljls2umvnljqfpnta.exe'
