Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'NetworkChecker' = '<Полный путь к вирусу>'
Вредоносные функции:
Ищет ветки реестра, отвечающие за хранение паролей сторонними программами:
- [<HKLM>\Software\BPFTP]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\Sota\FFFTP\Options]
- [<HKLM>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Microsoft\MessengerService]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\SOFTWARE\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
Изменения в файловой системе:
Создает следующие файлы:
- <DRIVERS>\npf.sys
- <SYSTEM32>\wpcap.dll
- <SYSTEM32>\Packet.dll
Присваивает атрибут 'скрытый' для следующих файлов:
- <Полный путь к вирусу>
Сетевая активность:
Подключается к:
- '5.###.137.150':80
- '46.##8.54.222':80
- '95.##.211.151':80
- '78.##9.37.154':80
- '79.##3.226.151':80
- '17#.#11.44.220':80
- '17#.#15.179.192':80
- '17#.#05.169.221':80
- '5.###.36.222':80
- '10#.#35.10.222':80
- '15#.#24.102.233':80
- '93.##7.60.124':80
- '11#.#02.173.235':80
- '17#.#.79.237':80
- '17#.#50.95.236':80
- '77.##2.224.119':80
- '21#.#7.172.154':80
- '93.##.65.120':80
- '31.##.124.123':80
- '78.##.175.122':80
- '46.##2.0.112':80
- '85.##.31.111':80
- '65.##.21.112':80
- '21#.#.152.116':80
- '46.##.23.114':80
- '37.##2.40.22':80
- '17#.#12.4.22':80
- '17#.#9.127.23':80
- '46.##0.69.25':80
- '93.#9.29.25':80
- '21#.#11.143.188':80
- '17#.#03.8.138':80
- '93.##6.101.191':80
- '11#.#3.97.192':80
- '10#.#27.112.191':80
- '37.##9.87.135':80
- '95.##.178.47':80
- '19#.#12.117.135':80
- '84.##7.16.137':80
- '17#.#24.12.137':80
- '37.##5.100.238':80
- '79.##8.251.145':80
- '92.##.139.145':80
- '17#.#6.18.146':80
- '77.##3.63.149':80
- '94.##2.198.147':80
- '31.##2.176.213':80
- '17#.#04.171.212':80
- '42.#.142.214':80
- '94.##3.64.219':80
- '37.##5.213.215':80
- '46.##8.63.248':80
- '84.##7.129.246':80
- '46.##0.81.249':80
- '37.##9.179.254':80
- '93.#7.1.254':80
- '12#.#4.208.231':80
- '5.###.92.231':80
- '95.##.227.231':80
- '10#.#62.65.239':80
- '17#.#51.215.232':80
- '5.###.127.63':80
- '17#.#.110.63':80
- '17#.#5.23.64':80
- '46.##4.164.65':80
- '77.##.141.64':80
- '37.##9.112.99':80
- '21#.#96.171.98':80
- '77.##2.176.100':80
- '10#.#7.24.101':80
- '17#.#6.197.100':80
- '46.##2.67.186':80
- '77.##1.62.185':80
- '5.###.68.187':80
- '93.##.226.194':80
- '86.##7.74.187':80
- '92.##4.153.3':80
- '17#.#12.28.3':80
- '5.##8.107.6':80
- '21#.#11.240.6':80
- '37.##9.227.6':80
- '71.##.179.26':80
- '20#.#00.117.10':80
- '95.##.217.26':80
- '89.##.206.27':80
- '10#.#85.202.27':80
- '19#.#8.119.8':80
- '17#.#10.197.253':80
- '95.#9.140.9':80
- '13#.#49.12.10':80
- '22#.#37.5.10':80
- '17#.#41.133.125':80
- '31.##.134.177':80
- '81.##.131.126':80
- '75.##8.180.127':80
- '18#.#.105.127':80
- '17#.#04.172.173':80
- '77.##.226.29':80
- '15#.#24.92.175':80
- '17#.#17.203.176':80
- '82.##1.135.176':80
- '46.##6.39.101':80
- 'localhost':1044
- '17#.#51.215.101':80
- '17#.#50.182.106':80
- '5.###.59.106':80
- '21#.#5.95.46':80
- '15#.#24.113.44':80
- '37.##5.148.46':80
- '21#.#.149.47':80
- '15#.#14.131.47':80
- '77.##2.206.249':80
- '12#.#05.130.158':80
- '37.##9.7.250':80
- '95.##.199.252':80
- '93.##.164.252':80
- '93.##6.80.156':80
- '95.##0.103.107':80
- '46.##9.206.156':80
- '46.##5.106.158':80
- '81.##2.99.157':80
- '18#.#30.26.128':80
- '5.###.245.54':80
- '17#.#37.16.52':80
- '17#.36.6.55':80
- '17#.#65.118.58':80
- '17#.#01.194.57':80
- '11#.#6.227.3':80
- '37.#7.180.3':80
- '17#.#36.131.4':80
- '46.#85.62.6':80
- '19#.#09.195.4':80
- '94.##4.179.20':80
- '94.#6.78.20':80
- '5.##4.32.21':80
- '5.###.158.21':80
- '17#.#7.98.21':80
- '14#.#38.104.87':80
- '70.##4.202.86':80
- '31.##2.232.87':80
- '37.##5.116.93':80
- '17#.#50.154.89':80
- '37.##5.233.216':80
- '37.##5.216.216':80
- '21#.#7.223.217':80
- '19#.#62.152.218':80
- '93.##.34.218':80
- '77.##1.240.89':80
- '92.##.175.89':80
- '95.##1.222.90':80
- '23.##.103.92':80
- '93.#9.20.91':80
- '92.##5.41.16':80
- '89.##.104.14':80
- '18#.#10.111.16':80
- '93.##.168.17':80
- '11#.#41.36.17':80
- '94.##4.56.32':80
- '36.##.250.31':80
- '46.##1.97.32':80
- '21#.#11.249.33':80
- '18#.#18.178.32':80
