Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'esl_dUFbFPPtKrLNTSlCLqWnkV' = '<SYSTEM32>\xuTvBAUuVGbVqC.exe'
Создает или изменяет следующие файлы:
- %HOMEPATH%\Start Menu\Programs\Startup\System Check.lnk
- %HOMEPATH%\Start Menu\Programs\Startup\.lnk
Вредоносные функции:
Запускает на исполнение:
- '<SYSTEM32>\cmd.exe' /c del <Полный путь к вирусу> >> NUL
Внедряет код в
следующие системные процессы:
- %WINDIR%\Explorer.EXE
Изменения в файловой системе:
Создает следующие файлы:
- <SYSTEM32>\xuTvBAUuVGbVqC.exe
Самоудаляется.
Сетевая активность:
Подключается к:
- 'wn#####kloscpythk.org':80
- 'hg#####bnrbpwdbrr.com':80
- 'sn#####pafqnletry.net':80
- 'kj#####mpvpcowoka.cc':80
- 'hm#####bjhsllfyqo.in':80
- 'wd#####ywaajlvbli.me':80
- 'ls#####kvdogrlfdr.in':80
- 'sc#####cvmpgarssu.net':80
- 'ex#####micsxesbfe.cc':80
- 'ua#####ijixaqfguc.su':80
- 'es#####fepupgmgdl.tw':80
- 'oy#####qygycyeeuf.cc':80
- 'rt#####bkcrwncfsa.in':80
- 'jp#####icypqnpmcu.tw':80
- 'di#####hbtaocehsh.me':80
- 'ts#####lwqohnbngw.su':80
- 'ln#####ifqcextshh.net':80
- 'gy#####okacoxcakc.su':80
- 'vx#####dcwajrosmw.tw':80
- 'uy#####wreprkejqi.me':80
- 'gd#####dhxjbucgwu.org':80
- 'yg#####btgcxhtjkf.com':80
- 'jt#####fnsygrsedb.org':80
- 'yr#####fcvunokjay.in':80
- 'kh#####wmpxqshcoj.net':80
- 'qr#####becrpbptvk.cc':80
- 'sh#####odvqdakqvw.su':80
- 'cw#####rwfuyhclnq.tw':80
- 'tl#####ftdhuagdtq.org':80
- 'nf#####oidyxnrsdn.tw':80
- 'xn#####eogafrixkm.cc':80
- 'vs#####oajjxcuruo.su':80
- 'oj#####ixpgeueovw.com':80
- 'dx#####eynxxyoqbe.me':80
- 'hc#####msbqknhupt.tw':80
- 'je#####fkrwxytoss.cc':80
- 'qg#####fanhdpyula.su':80
- 'rp#####raheroijnt.com':80
- 'fl#####xqnivqlorn.me':80
- 'fo#####kfbryslppy.in':80
- 'gd#####xgwtltawsi.me':80
- 'wv#####rxwxlmgmuw.su':80
- 'tf#####yhwhovjhiu.com':80
- 'uc#####psymbctnej.net':80
- 'hn#####gueyvdacyv.org':80
- 'cq#####hoqihxbjlv.com':80
- 'em#####vxvywdnofn.su':80
- 'dg#####rnxjybvwfu.tw':80
- 'iv#####feltwlrhky.me':80
- 'bb#####rernipiumt.org':80
- 'iy#####rpkecktlvq.com':80
- 'gm#####neycbesagn.cc':80
- 'ua#####kuomglsjfu.com':80
- 'ck#####stelqhboey.me':80
- 'xy#####ypshqsscxo.org':80
- 'qw#####hnkersomth.in':80
- 'hr#####yyeqfpfwgm.net':80
- 'vf#####yoisrmypoq.org':80
- 'ds#####bacmchyycd.com':80
- 'xp#####sxetcjncos.net':80
- 'iy#####eyhiujhtar.cc':80
- 'ob#####bopbvgtwrm.in':80
- 'uv#####gpmvwmugcs.me':80
- 'xw#####xionvsecuy.in':80
- 'jj#####qgccfxavxu.net':80
- 'jr#####nqhwifqxyx.cc':80
- 'ul#####cqtyajmdov.su':80
- 'og#####ipjjeqrltd.tw':80
- 'dr#####dtahnwyoys.su':80
- 'vb#####escsucktva.me':80
- 'iu#####xodvmxieni.su':80
- 'qf#####ybeedhjyed.com':80
- 'vl#####cbpbwkrdnl.net':80
- 'ds#####yacnevnfoj.org':80
- 're#####yehwytuuoi.tw':80
- 'ky#####tkkouhgurj.net':80
- 'tm#####ykgufmxbpi.org':80
- 'ht#####atyblsovav.in':80
- 'at#####verfqigscg.tw':80
- 'vn#####akhuyspxph.cc':80
- 'vi#####ruwuunijgt.net':80
- 'ob#####vgedftrlix.org':80
- 'av#####jpvghhjmys.in':80
- 'fr#####vdfjmihvrf.tw':80
- 'vo#####xpdtnfjiwk.cc':80
- 'ow#####cjqftfgvjw.com':80
- 'nf#####usixsiavew.cc':80
- 'yv#####fovtfkrllk.in':80
- 'ed#####dfbysdakwx.tw':80
- 'yy#####kxhuvifroj.me':80
- 'qf#####gepfchvejp.su':80
TCP:
Запросы HTTP POST:
- http://wn#####kloscpythk.org/
- http://hg#####bnrbpwdbrr.com/
- http://sn#####pafqnletry.net/
- http://kj#####mpvpcowoka.cc/
- http://hm#####bjhsllfyqo.in/
- http://wd#####ywaajlvbli.me/
- http://ls#####kvdogrlfdr.in/
- http://sc#####cvmpgarssu.net/
- http://ex#####micsxesbfe.cc/
- http://ua#####ijixaqfguc.su/
- http://es#####fepupgmgdl.tw/
- http://oy#####qygycyeeuf.cc/
- http://rt#####bkcrwncfsa.in/
- http://jp#####icypqnpmcu.tw/
- http://di#####hbtaocehsh.me/
- http://ts#####lwqohnbngw.su/
- http://ln#####ifqcextshh.net/
- http://gy#####okacoxcakc.su/
- http://vx#####dcwajrosmw.tw/
- http://uy#####wreprkejqi.me/
- http://gd#####dhxjbucgwu.org/
- http://yg#####btgcxhtjkf.com/
- http://jt#####fnsygrsedb.org/
- http://yr#####fcvunokjay.in/
- http://kh#####wmpxqshcoj.net/
- http://qr#####becrpbptvk.cc/
- http://sh#####odvqdakqvw.su/
- http://cw#####rwfuyhclnq.tw/
- http://tl#####ftdhuagdtq.org/
- http://nf#####oidyxnrsdn.tw/
- http://xn#####eogafrixkm.cc/
- http://vs#####oajjxcuruo.su/
- http://oj#####ixpgeueovw.com/
- http://dx#####eynxxyoqbe.me/
- http://hc#####msbqknhupt.tw/
- http://je#####fkrwxytoss.cc/
- http://qg#####fanhdpyula.su/
- http://rp#####raheroijnt.com/
- http://fl#####xqnivqlorn.me/
- http://fo#####kfbryslppy.in/
- http://gd#####xgwtltawsi.me/
- http://wv#####rxwxlmgmuw.su/
- http://tf#####yhwhovjhiu.com/
- http://uc#####psymbctnej.net/
- http://hn#####gueyvdacyv.org/
- http://cq#####hoqihxbjlv.com/
- http://em#####vxvywdnofn.su/
- http://dg#####rnxjybvwfu.tw/
- http://iv#####feltwlrhky.me/
- http://bb#####rernipiumt.org/
- http://iy#####rpkecktlvq.com/
- http://gm#####neycbesagn.cc/
- http://ua#####kuomglsjfu.com/
- http://ck#####stelqhboey.me/
- http://xy#####ypshqsscxo.org/
- http://qw#####hnkersomth.in/
- http://hr#####yyeqfpfwgm.net/
- http://vf#####yoisrmypoq.org/
- http://ds#####bacmchyycd.com/
- http://xp#####sxetcjncos.net/
- http://iy#####eyhiujhtar.cc/
- http://ob#####bopbvgtwrm.in/
- http://uv#####gpmvwmugcs.me/
- http://xw#####xionvsecuy.in/
- http://jj#####qgccfxavxu.net/
- http://jr#####nqhwifqxyx.cc/
- http://ul#####cqtyajmdov.su/
- http://og#####ipjjeqrltd.tw/
- http://dr#####dtahnwyoys.su/
- http://vb#####escsucktva.me/
- http://iu#####xodvmxieni.su/
- http://qf#####ybeedhjyed.com/
- http://vl#####cbpbwkrdnl.net/
- http://ds#####yacnevnfoj.org/
- http://re#####yehwytuuoi.tw/
- http://ky#####tkkouhgurj.net/
- http://tm#####ykgufmxbpi.org/
- http://ht#####atyblsovav.in/
- http://at#####verfqigscg.tw/
- http://vn#####akhuyspxph.cc/
- http://vi#####ruwuunijgt.net/
- http://ob#####vgedftrlix.org/
- http://av#####jpvghhjmys.in/
- http://fr#####vdfjmihvrf.tw/
- http://vo#####xpdtnfjiwk.cc/
- http://ow#####cjqftfgvjw.com/
- http://nf#####usixsiavew.cc/
- http://yv#####fovtfkrllk.in/
- http://ed#####dfbysdakwx.tw/
- http://yy#####kxhuvifroj.me/
- http://qf#####gepfchvejp.su/
UDP:
- DNS ASK hg#####bnrbpwdbrr.com
- DNS ASK wd#####ywaajlvbli.me
- DNS ASK wn#####kloscpythk.org
- DNS ASK hm#####bjhsllfyqo.in
- DNS ASK sn#####pafqnletry.net
- DNS ASK ua#####ijixaqfguc.su
- DNS ASK sc#####cvmpgarssu.net
- DNS ASK jt#####fnsygrsedb.org
- DNS ASK ls#####kvdogrlfdr.in
- DNS ASK es#####fepupgmgdl.tw
- DNS ASK ex#####micsxesbfe.cc
- DNS ASK kj#####mpvpcowoka.cc
- DNS ASK oy#####qygycyeeuf.cc
- DNS ASK rt#####bkcrwncfsa.in
- DNS ASK jp#####icypqnpmcu.tw
- DNS ASK di#####hbtaocehsh.me
- DNS ASK ts#####lwqohnbngw.su
- DNS ASK ln#####ifqcextshh.net
- DNS ASK gy#####okacoxcakc.su
- DNS ASK vx#####dcwajrosmw.tw
- DNS ASK uy#####wreprkejqi.me
- DNS ASK gd#####dhxjbucgwu.org
- DNS ASK yg#####btgcxhtjkf.com
- DNS ASK kh#####wmpxqshcoj.net
- DNS ASK tl#####ftdhuagdtq.org
- DNS ASK yr#####fcvunokjay.in
- DNS ASK cw#####rwfuyhclnq.tw
- DNS ASK qr#####becrpbptvk.cc
- DNS ASK oj#####ixpgeueovw.com
- DNS ASK xn#####eogafrixkm.cc
- DNS ASK pw#####aixvhugfwp.in
- DNS ASK nf#####oidyxnrsdn.tw
- DNS ASK dx#####eynxxyoqbe.me
- DNS ASK vs#####oajjxcuruo.su
- DNS ASK sh#####odvqdakqvw.su
- DNS ASK hc#####msbqknhupt.tw
- DNS ASK je#####fkrwxytoss.cc
- DNS ASK qg#####fanhdpyula.su
- DNS ASK rp#####raheroijnt.com
- DNS ASK fl#####xqnivqlorn.me
- DNS ASK fo#####kfbryslppy.in
- DNS ASK gd#####xgwtltawsi.me
- DNS ASK wv#####rxwxlmgmuw.su
- DNS ASK tf#####yhwhovjhiu.com
- DNS ASK uc#####psymbctnej.net
- DNS ASK hn#####gueyvdacyv.org
- DNS ASK dg#####rnxjybvwfu.tw
- DNS ASK gm#####neycbesagn.cc
- DNS ASK em#####vxvywdnofn.su
- DNS ASK iy#####rpkecktlvq.com
- DNS ASK iv#####feltwlrhky.me
- DNS ASK qw#####hnkersomth.in
- DNS ASK ck#####stelqhboey.me
- DNS ASK dr#####dtahnwyoys.su
- DNS ASK ua#####kuomglsjfu.com
- DNS ASK hr#####yyeqfpfwgm.net
- DNS ASK xy#####ypshqsscxo.org
- DNS ASK bb#####rernipiumt.org
- DNS ASK vf#####yoisrmypoq.org
- DNS ASK ds#####bacmchyycd.com
- DNS ASK xp#####sxetcjncos.net
- DNS ASK iy#####eyhiujhtar.cc
- DNS ASK ob#####bopbvgtwrm.in
- DNS ASK uv#####gpmvwmugcs.me
- DNS ASK xw#####xionvsecuy.in
- DNS ASK jj#####qgccfxavxu.net
- DNS ASK jr#####nqhwifqxyx.cc
- DNS ASK ul#####cqtyajmdov.su
- DNS ASK og#####ipjjeqrltd.tw
- DNS ASK iu#####xodvmxieni.su
- DNS ASK re#####yehwytuuoi.tw
- DNS ASK vb#####escsucktva.me
- DNS ASK ds#####yacnevnfoj.org
- DNS ASK qf#####ybeedhjyed.com
- DNS ASK at#####verfqigscg.tw
- DNS ASK tm#####ykgufmxbpi.org
- DNS ASK cq#####hoqihxbjlv.com
- DNS ASK ky#####tkkouhgurj.net
- DNS ASK vn#####akhuyspxph.cc
- DNS ASK ht#####atyblsovav.in
- DNS ASK vl#####cbpbwkrdnl.net
- DNS ASK vi#####ruwuunijgt.net
- DNS ASK ob#####vgedftrlix.org
- DNS ASK av#####jpvghhjmys.in
- DNS ASK fr#####vdfjmihvrf.tw
- DNS ASK vo#####xpdtnfjiwk.cc
- DNS ASK ow#####cjqftfgvjw.com
- DNS ASK nf#####usixsiavew.cc
- DNS ASK yv#####fovtfkrllk.in
- DNS ASK ed#####dfbysdakwx.tw
- DNS ASK yy#####kxhuvifroj.me
- DNS ASK qf#####gepfchvejp.su
