Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'NetworkChecker' = '<Полный путь к вирусу>'
Вредоносные функции:
Ищет ветки реестра, отвечающие за хранение паролей сторонними программами:
- [<HKLM>\Software\BPFTP]
- [<HKCU>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\FlashFXP]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\South River Technologies\WebDrive\Connections]
- [<HKLM>\Software\Sota\FFFTP\Options]
- [<HKLM>\Software\FTP Explorer\Profiles]
- [<HKCU>\Software\Sota\FFFTP\Options]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Microsoft\MessengerService]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\SOFTWARE\Far2\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
Изменения в файловой системе:
Создает следующие файлы:
- <DRIVERS>\npf.sys
- <SYSTEM32>\wpcap.dll
- <SYSTEM32>\Packet.dll
Присваивает атрибут 'скрытый' для следующих файлов:
- <Полный путь к вирусу>
Сетевая активность:
Подключается к:
- '37.##9.148.154':80
- '17#.#50.192.165':80
- '11#.#11.232.166':80
- '71.##.232.29':80
- '46.##2.33.168':80
- '17#.#58.218.154':80
- '46.##9.194.94':80
- '95.##.210.160':80
- '77.##3.32.165':80
- '77.##.118.161':80
- '37.##5.47.30':80
- '37.##5.252.27':80
- '17#.#40.5.27':80
- '37.#7.27.34':80
- '17#.#4.211.140':80
- '73.##1.20.140':80
- '76.#1.17.33':80
- '93.#7.86.32':80
- '18#.#90.24.33':80
- '94.##1.65.26':80
- '46.##0.69.25':80
- '78.##1.19.152':80
- '17#.#04.67.151':80
- '82.##1.135.176':80
- '95.##2.68.180':80
- '18#.#.119.177':80
- '17#.#6.18.212':80
- '37.##5.253.211':80
- '17#.#4.5.143':80
- '17#.#01.114.143':80
- '93.##6.78.143':80
- '18#.#.90.180':80
- '93.##.112.80':80
- '89.##3.236.255':80
- '71.##0.114.80':80
- '46.##3.100.85':80
- '10#.#6.162.84':80
- '83.##8.200.250':80
- '37.##9.93.180':80
- '21#.#11.223.250':80
- '93.##4.37.254':80
- '31.##2.180.252':80
- '58.##2.173.106':80
- '20#.#10.134.23':80
- '21#.#.128.108':80
- '17#.#84.234.109':80
- '18#.#70.116.109':80
- '50.##6.112.8':80
- '5.##4.32.21':80
- '46.##2.248.16':80
- '17#.#12.4.22':80
- '10#.#62.46.17':80
- '31.##2.42.110':80
- '78.##.178.224':80
- '10#.#62.77.223':80
- '13#.#7.143.225':80
- '17#.#7.28.228':80
- '89.##.104.227':80
- '46.##2.204.103':80
- '17#.#37.165.101':80
- '17#.#51.176.104':80
- '93.##.184.111':80
- '85.##.31.111':80
- '17#.#68.42.6':80
- '78.#6.253.4':80
- '68.##4.225.236':80
- '76.##1.19.245':80
- '19#.#6.18.244':80
- '21#.#0.107.153':80
- '5.###.212.152':80
- '46.##1.198.1':80
- '36.#38.72.2':80
- '17#.#19.43.2':80
- '17#.#7.58.245':80
- '5.###.234.17':80
- '17#.#04.90.199':80
- '95.##.223.18':80
- '17#.#7.119.19':80
- '17#.#09.87.19':80
- '93.##.231.193':80
- '18#.#17.195.245':80
- '81.##3.113.196':80
- '59.##1.6.198':80
- '77.##.222.196':80
- '21#.#10.142.228':80
- '10#.#62.83.228':80
- '58.##.226.230':80
- '77.##1.215.236':80
- '95.##5.31.236':80
- '16#.#0.228.162':80
- '20#.#31.2.162':80
- '94.##4.157.163':80
- '19#.#0.145.164':80
- '5.###.214.163':80
- '21#.#5.82.86':80
- '37.##9.7.250':80
- '37.##5.89.248':80
- '18#.#6.121.250':80
- '37.##9.112.99':80
- '31.##2.197.250':80
- '13#.#9.248.86':80
- '10#.#85.226.86':80
- '77.##1.75.89':80
- '77.##3.196.247':80
- '74.##.194.94':80
- '93.##.185.89':80
- 'localhost':1041
- '91.##2.52.90':80
- '93.##3.230.91':80
- '94.##3.63.90':80
- '17#.#22.116.169':80
- '17#.#50.122.168':80
- '92.##.155.171':80
- '74.##.122.172':80
- '46.##5.61.172':80
- '23.##.103.92':80
- '12#.#4.208.231':80
- '18#.#09.228.230':80
- '17#.#40.225.231':80
- '93.##.10.236':80
- '77.##2.49.232':80
- '17#.#6.86.10':80
- '10#.#7.242.9':80
- '20#.#00.117.10':80
- '92.##5.41.16':80
- '46.#9.22.12':80
- '37.##5.234.120':80
- '18#.#90.195.120':80
- '93.##.87.121':80
- '10#.#7.94.220':80
- '46.##2.212.218':80
- '82.##7.233.240':80
- '37.#5.1.240':80
- '24.##7.15.241':80
- '31.##0.130.120':80
- '18#.#90.72.120':80
- '76.##.235.220':80
- '37.##.112.160':80
- '21#.#94.127.159':80
- '17#.#36.244.210':80
- '17#.#10.221.211':80
- '17#.#3.219.211':80
- '17#.#37.222.222':80
- '93.##.14.222':80
- '17#.#.125.155':80
- '17#.#37.45.158':80
- '46.##9.162.157':80
- '17#.#51.188.123':80
- '17#.#51.162.123':80
- '17#.#51.23.124':80
- '17#.#03.24.145':80
- '46.##0.98.129':80
- '10#.#7.24.101':80
- '46.##9.17.100':80
- '37.##2.83.101':80
- '15#.#.36.122':80
- '85.##0.145.101':80
- '17#.#50.144.145':80
- '46.#9.53.83':80
- '93.##.193.82':80
- '5.###.100.83':80
- '24.##8.250.239':80
- '93.##8.178.237':80
- '77.##3.63.149':80
- '17#.#6.18.146':80
- '5.###.127.150':80
- '31.##.171.82':80
- '18#.#37.207.80':80
