Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\?'
Вредоносные функции:
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\winlogon.exe
- %WINDIR%\Explorer.EXE
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\$NtUninstallKB27979$\4121336045\@
- %WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
- %WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
- %WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo
Самоудаляется.
Сетевая активность:
Подключается к:
- '24.##8.189.156':34354
- '76.##2.162.119':34354
- '67.##1.88.79':34354
- '68.##.108.227':34354
- '18#.#52.228.151':34354
- '67.##9.123.7':34354
- '68.##3.14.214':34354
- '67.##0.35.23':34354
- '67.##5.87.181':34354
- '68.#5.157.3':34354
- '76.##7.86.166':34354
- '17#.#34.130.135':34354
- '24.##.124.211':34354
- '69.##3.26.99':34354
- '18#.#41.38.210':34354
- '71.#4.155.3':34354
- '10#.#03.212.64':34354
- '89.##4.165.64':34354
- '17#.#.246.13':34354
- '50.##3.247.222':34354
- '71.##9.117.142':34354
- '18#.#4.106.81':34354
- '98.##2.23.49':34354
- '95.#5.27.0':34354
- '78.#7.123.3':34354
- '79.##.186.72':34354
- '97.##.125.118':34354
- '24.##.167.226':34354
- '67.##0.224.42':34354
- '74.##.205.171':34354
- '24.##.138.180':34354
- '70.##.88.130':34354
- '19#.#44.240.25':34354
- '75.##.48.133':34354
- '69.##5.51.110':34354
- '98.##7.248.161':34354
- '75.##6.174.13':34354
- '46.##1.210.16':34354
- '96.##.138.35':34354
- '24.##3.243.108':34354
- '76.##7.225.193':34354
- '85.##9.215.229':34354
- '20#.#3.103.45':34354
- '68.#1.6.69':34354
- '72.##0.40.208':34354
- '68.##.55.116':34354
- '97.##.22.122':34354
- '17#.#7.199.225':34354
- '75.##5.139.144':34354
- '68.##.103.164':34354
- '24.##6.148.234':34354
- '75.##2.3.231':34354
- '18#.#5.201.205':34354
- '97.#6.66.88':34354
- '24.#0.6.188':34354
- '67.##.167.227':34354
- '71.#.16.129':34354
- '68.#0.123.4':34354
- '68.##.165.200':34354
- '71.##9.113.5':34354
- '98.##0.175.3':34354
- '76.##7.121.140':34354
- '83.##1.229.125':34354
- '18#.#34.123.208':34354
- '67.##.166.173':34354
- '24.##8.99.238':34354
- '98.##4.253.235':34354
- '84.##2.27.181':34354
- '68.#.77.101':34354
- '99.##0.187.12':34354
- '76.##6.113.124':34354
- '17#.#1.128.128':34354
- '71.##.105.95':34354
- '69.##9.249.198':34354
- '94.##9.214.94':34354
- '98.##2.37.26':34354
- '21#.#25.163.150':34354
- '17#.#11.232.182':34354
- '67.##9.241.101':34354
- '68.##4.51.21':34354
- '76.#6.91.2':34354
- '74.#3.67.2':34354
- '98.##3.211.158':34354
- '76.##.159.228':34354
- '65.##.44.156':34354
- '10#.#8.13.57':34354
- '18#.#37.191.70':34354
- '17#.#11.52.156':34354
- '18#.#71.10.167':34354
- '65.##9.29.135':34354
- '71.##.19.130':34354
- '50.##.125.242':34354
- '98.##.109.160':34354
- '75.##.227.158':34354
- '69.##.248.142':34354
- '69.##.46.144':34354
- '71.#96.8.60':34354
- '71.##4.29.224':34354
- '76.##9.51.226':34354
- '70.##6.74.59':34354
- '76.##7.234.152':34354
- '70.##6.170.39':34354
- '31.##6.245.65':34354
- '46.##.155.46':34354
- '72.##.252.46':34354
- '10#.#33.155.161':34354
- '98.##3.16.50':34354
- '18#.#6.60.171':34354
- '76.##.152.53':34354
- '68.##.22.252':34354
- '24.##3.72.226':34354
- '76.#2.28.56':34354
- '75.##.231.29':34354
- '79.##6.169.29':34354
- '96.##.35.219':34354
- '72.##6.10.94':34354
- '98.##4.91.202':34354
- '75.##2.136.27':34354
- '72.##1.104.152':34354
- '15#.#2.22.28':34354
- '68.##.14.216':34354
- '14#.#26.89.75':34354
- '97.##0.202.72':34354
- '41.##2.95.216':34354
- '94.##2.66.83':34354
- '18#.#1.63.85':34354
- '17#.#06.123.36':34354
- '18#.#.125.77':34354
- '18#.#3.130.84':34354
- '18#.#09.47.115':34354
- '75.##4.53.190':34354
- '50.##.220.82':34354
- '69.##.230.218':34354
- '74.#7.81.58':34354
- '24.##1.226.9':34354
- '66.##.224.18':34354
- '17#.#13.37.172':34354
- '21#.#2.206.227':34354
- '18#.#52.31.244':34354
- '69.##2.181.24':34354
- '46.##.151.98':34354
- '75.#5.44.29':34354
- '17#.#5.115.145':34354
- '74.##0.174.154':34354
- '76.##6.190.103':34354
- '75.##1.82.148':34354
- '68.##.156.11':34354
- '98.##6.1.249':34354
- '17#.#58.100.225':34354
- '68.##.161.107':34354
- '68.##.131.31':34354
- '67.##1.193.1':34354
- '70.##3.100.78':34354
- '24.##6.78.205':34354
- '20#.#48.45.130':34354
- '67.##7.230.27':34354
- '69.##1.229.239':34354
- '24.#.239.32':34354
- '10#.#7.180.94':34354
- '18#.#33.13.128':34354
- '4.###.239.88':34354
- '70.##7.153.52':34354
- '12.##.110.138':34354
- '24.##.221.14':34354
- '19#.#8.85.200':34354
- '79.##4.197.83':34354
- '99.##5.101.142':34354
- '68.##.56.200':34354
- '76.##6.104.39':34354
- '18#.#8.194.172':34354
- '74.##0.212.202':34354
- 'pr####.fling.com':80
- '76.##9.147.160':34354
- '93.##6.234.26':34354
- '96.##.39.194':34354
- '19#.#9.152.249':34354
- '24.##2.206.224':34354
- '64.##.139.97':34354
- '71.##.201.193':34354
- '72.##0.125.114':34354
- '99.##.24.121':34354
- '17#.#8.117.63':34354
- '20#.#31.106.105':34354
- '18#.#9.245.122':34354
- '24.##.230.110':34354
- '69.##0.245.172':34354
- '76.##0.168.218':34354
- '76.##0.139.81':34354
- '71.##4.34.87':34354
- '71.##8.118.150':34354
- '93.##8.34.73':34354
- '68.#.58.112':34354
- '17#.#4.138.206':34354
- '12#.#8.70.35':34354
- '98.##9.254.75':34354
- '13#.#95.146.247':34354
- '75.##.206.116':34354
- '76.##.241.11':34354
- '17#.58.2.82':34354
- '98.##0.182.94':34354
- '98.##6.170.196':34354
- '13#.#4.105.18':34354
- '98.##6.138.195':34354
- '24.##.25.212':34354
- '67.##2.103.196':34354
- '68.#.189.183':34354
- '67.##1.248.22':34354
- '98.##3.43.126':34354
- '94.#1.13.7':34354
- '65.#4.52.2':34354
- '72.##8.220.36':34354
- '98.##8.123.176':34354
- '18#.#2.187.49':34354
- '76.#8.30.37':34354
- '79.##3.191.71':34354
- '70.##7.87.124':34354
- '99.##5.157.95':34354
- '24.##0.159.62':34354
- '72.##6.11.144':34354
- '20#.#08.98.140':34354
- '97.#1.69.15':34354
- '78.##.169.61':34354
- '69.##3.225.186':34354
- '69.##6.6.121':34354
- '17#.#03.75.50':34354
- '24.##8.214.126':34354
- '72.##8.70.195':34354
- '75.#4.99.65':34354
- '72.##0.108.66':34354
- '98.##.48.123':34354
- '24.##9.34.104':34354
- '66.##.173.241':34354
- '69.##1.214.136':34354
- '69.##5.25.17':34354
- '72.##9.133.196':34354
- '24.#.43.235':34354
- '68.##7.246.108':34354
- '19#.#12.124.78':34354
- '24.##1.28.182':34354
- '24.#.133.252':34354
- '67.##7.131.161':34354
- '72.##0.17.71':34354
- '17#.#5.149.39':34354
- '24.##.183.233':34354
- '18#.#8.60.129':34354
- '4.###.90.132':34354
- '17#.#44.55.104':34354
- '12#.#71.78.168':34354
- '75.#0.56.94':34354
- '18#.#90.197.150':34354
- '98.##4.211.74':34354
- '75.##.255.114':34354
- '18#.#9.189.141':34354
- '50.##.127.57':34354
- '74.##9.49.79':34354
- '21#.#31.15.0':34354
- '18#.#3.35.129':34354
TCP:
Запросы HTTP GET:
- pr####.fling.com/geo/txt/city.php
UDP:
- DNS ASK pr####.fling.com
- 'localhost':752
- '8.#.8.8':1036
