Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\] 'FEIQ' = '<Полный путь к файлу> 1'
Изменения в файловой системе
Создает следующие файлы
- %APPDATA%\feiq\feiq.ini
- %ProgramFiles%\feiq\zone\image\4f4a781db030ae8d5e84d4caf90f1747.png
- %ProgramFiles%\feiq\zone\image\5e96edd4516f348c2317af845112023e.gif
- %ProgramFiles%\feiq\zone\image\6e7e18d4569bfe59210b2947105f05f0.gif
- %ProgramFiles%\feiq\zone\image\7f5f59a3a5dd55db4fabf72fdc045485.gif
- %ProgramFiles%\feiq\zone\image\131f5b074d9f8bc6049cfde364530875.gif
- %ProgramFiles%\feiq\zone\image\683a2bbbfa0a4e282bae11dc5eebf675.gif
- %ProgramFiles%\feiq\zone\image\860d4f7f6782285406a96c092b38805d.jpg
- %ProgramFiles%\feiq\zone\image\2401c01dd3fdbe7d80f02b26d11d8f7f.jpg
- %ProgramFiles%\feiq\zone\image\6361c909a9c0ff4e0867d5fb6ae28914.jpg
- %ProgramFiles%\feiq\zone\image\34458eb1df38a60c2209182c43d1f5aa.gif
- %ProgramFiles%\feiq\zone\image\722353e851c95d7ae608bd7ce5c75efc.jpg
- %ProgramFiles%\feiq\zone\image\aebf40f73551de45476780ecf0ff3c20.jpg
- %ProgramFiles%\feiq\zone\image\c1d0cd7d4d57a7cbe1ae8bc0f1c2fe27.gif
- %ProgramFiles%\feiq\zone\image\df453317c93f4df742d398436e1d5646.gif
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\95584aed2525b14ccacb44240acfd834_0cb67e2f-dc95-45ca-8fb8-69bde8e3f814
- %ProgramFiles%\feiq\zone\image\edaa43447b5883a61f054bd27eceba18.gif
- %ProgramFiles%\feiq\zone\image\f5eb33897069eafcefcf4896dc5db673.gif
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³ö÷ò³ä£°å2.html
- %TEMP%\etilqs_qq1pcchnoybe2el
- %TEMP%\etilqs_2bysetl6te0f6jp
- %ProgramFiles%\feiq\db\info.db-journal
- %ProgramFiles%\feiq\db\info.db
- %ProgramFiles%\feiq\tuiguang\data.db-journal
- %ProgramFiles%\feiq\db\resumefile.db-journal
- %ProgramFiles%\feiq\tuiguang\data.db
- %ProgramFiles%\feiq\db\resumefile.db
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\7711f9c43176ea52b86f52a38013fdaf_0cb67e2f-dc95-45ca-8fb8-69bde8e3f814
- %ProgramFiles%\feiq\feiqcfg.xml
- %ProgramFiles%\feiq\zone\image\03c714fa9758d8e262c344786c436230.jpg
- %ProgramFiles%\feiq\zone\image\c180d5c7b7d58181e6efbbee3d5127e0.jpg
- %ProgramFiles%\feiq\zone\image\2f561b63b7d93a7f55573b99f212343b.jpg
- %TEMP%\etilqs_wymnladjcxb3l2y
- %ProgramFiles%\feiq\gifdll\imageole.dll
- %ProgramFiles%\feiq\appbox\logo\cfg.db-journal
- %ProgramFiles%\feiq\appbox\logo\cfg.db
- %ProgramFiles%\feiq\db\winfo.db-journal
- %ProgramFiles%\feiq\db\winfo.db
- %TEMP%\etilqs_r19armnw26xckyv
- %TEMP%\etilqs_ccdz444ustw8ry8
- %ProgramFiles%\feiq\zone\zone.db-journal
- %ProgramFiles%\feiq\zone\zone.db
- %TEMP%\etilqs_e1zl0ccp4ovgq7h
- %TEMP%\etilqs_tbmkvra9szhhey6
- %ProgramFiles%\feiq\zone\zonecache.db-journal
- %ProgramFiles%\feiq\zone\zonecache.db
- %TEMP%\etilqs_fvppaqp1byli5yi
- %ProgramFiles%\feiq\zone\image\02d8ba1bdac27d6f1d10c04bf89dab65.jpg
- %ProgramFiles%\feiq\zone\zonetpl.db-journal
- %ProgramFiles%\feiq\zone\zonetpl.db
- %ProgramFiles%\feiq\zone\image\zonetpl.zip
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³ö÷ò³ä£°å1.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³ö÷ò³ä£°å3.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å1.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å2.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å3.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å4.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å5.html
- %ProgramFiles%\feiq\zone\image\0fa3ead2d292051eb73f200165ffd7c8.gif
- %ProgramFiles%\feiq\zone\image\01f31aed202f0b31ea2879550c239585.gif
- %ProgramFiles%\feiq\zone\image\1e84c1b9b4753b2876030181a74e3d0f.gif
- %ProgramFiles%\feiq\zone\image\2c52d91c9521d197139e92cee16e8322.jpg
- %TEMP%\fiqfbfb.tmp
Удаляет следующие файлы
- %ProgramFiles%\feiq\appbox\logo\cfg.db-journal
- %ProgramFiles%\feiq\tuiguang\data.db-journal
- %ProgramFiles%\feiq\db\info.db-journal
- %ProgramFiles%\feiq\zone\image\zonetpl.zip
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³ö÷ò³ä£°å3.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³ö÷ò³ä£°å2.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³ö÷ò³ä£°å1.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å5.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å4.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å3.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å2.html
- %ProgramFiles%\feiq\zone\image\tplhtml\ГЇВµГ³èõö¾ä£°å1.html
- %ProgramFiles%\feiq\zone\zonetpl.db-journal
- %ProgramFiles%\feiq\zone\zonecache.db-journal
- %ProgramFiles%\feiq\zone\zone.db-journal
- %ProgramFiles%\feiq\db\winfo.db-journal
- %ProgramFiles%\feiq\db\resumefile.db-journal
- %TEMP%\fiqfbfb.tmp
Подменяет следующие файлы
- %ProgramFiles%\feiq\zone\zonetpl.db-journal
- %ProgramFiles%\feiq\zone\zone.db-journal
Сетевая активность
Подключается к
- 'fe##18.com':80
- 'fe######ade.blog.sohu.com':80
TCP
Запросы HTTP GET
- http://www.fe##18.com/Upgrade.php
- http://fe######ade.blog.sohu.com/225351355.html
- http://bl##.sohu.com/error/blogstatus.do?st######
UDP
- DNS ASK e.###q18.com
- DNS ASK fe##18.com
- DNS ASK fe######ade.blog.sohu.com
- DNS ASK bl##.sohu.com
- '<LOCALNET>.99.255':2425
- '255.255.255.255':2425
- '<LOCALNET>.99.9':2425
Другое
Запускает на исполнение
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Полный путь к файлу>"
