Trojan.PWS.Spy.20114

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.i8042prt] 'ImagePath' = '\*'

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует запуск следующих системных утилит:

Центр обеспечения безопасности (Security Center)

Запускает на исполнение:

'<SYSTEM32>\cmd.exe'

Внедряет код в

следующие системные процессы:

<SYSTEM32>\cmd.exe
<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'67.##0.195.203':34354
'76.##7.43.54':34354
'98.##.231.140':34354
'72.#5.78.72':34354
'24.##5.62.125':34354
'68.##6.175.203':34354
'24.#4.64.36':34354
'69.##1.15.175':34354
'20#.#65.205.230':34354
'75.##8.18.242':34354
'98.##1.41.151':34354
'68.##9.253.245':34354
'67.##1.90.242':34354
'95.#9.75.39':34354
'24.##4.143.117':34354
'65.##4.60.209':34354
'72.##8.174.136':34354
'24.##6.173.114':34354
'10#.#.42.231':34354
'67.##0.147.125':34354
'68.##.212.238':34354
'24.##7.102.126':34354
'10#.#00.81.144':34354
'98.##8.212.206':34354
'67.##3.83.52':34354
'71.##.196.119':34354
'98.##.84.198':34354
'92.##.247.224':34354
'75.##.89.228':34354
'75.#5.82.60':34354
'18#.#51.28.94':34354
'24.##.179.50':34354
'17#.#06.213.0':34354
'11#.#93.195.147':34354
'18#.#6.197.37':34354
'68.##.145.138':34354
'95.##.191.25':34354
'10#.#24.194.58':34354
'91.##7.60.22':34354
'97.##.175.190':34354
'13#.#9.159.35':34354
'69.##2.131.40':34354
'75.#7.61.85':34354
'71.##.173.227':34354
'68.##2.77.76':34354
'17#.#.71.244':34354
'20#.#24.4.83':34354
'20#.#91.210.194':34354
'98.##6.197.158':34354
'71.##.146.162':34354
'76.##0.92.193':34354
'99.##6.29.19':34354
'95.##.174.73':34354
'68.##.192.165':34354
'24.##8.210.23':34354
'71.#1.242.2':34354
'24.##.233.114':34354
'24.#9.91.54':34354
'66.##5.61.183':34354
'97.##.245.22':34354
'17#.#7.77.237':34354
'98.##4.241.19':34354
'18#.#7.206.141':34354
'96.##.67.242':34354
'71.##.151.60':34354
'68.#.210.156':34354
'17#.#35.1.191':34354
'74.##5.14.140':34354
'69.##8.240.248':34354
'70.##5.35.94':34354
'65.#.162.228':34354
'92.##7.27.201':34354
'70.##0.14.113':34354
'41.##.108.74':34354
'98.##8.154.124':34354
'79.##3.64.181':34354
'97.##1.18.63':34354
'72.##4.21.17':34354
'69.##8.198.155':34354
'68.##8.231.128':34354
'75.##1.166.76':34354
'70.##7.44.75':34354
'68.##.221.96':34354
'74.##1.199.234':34354
'59.##8.166.196':34354
'98.##5.120.52':34354
'41.##1.66.74':34354
'12#.#3.121.68':34354
'97.##.145.234':34354
'84.##1.150.82':34354
'74.##3.137.14':34354
'68.##.128.37':34354
'65.#.148.16':34354
'24.##7.107.108':34354
'68.##.167.57':34354
'76.##8.105.229':34354
'98.##9.214.171':34354
'21#.#07.230.110':34354
'64.##3.121.33':34354
'98.##9.70.184':34354
'75.##.127.30':34354
'70.##.162.114':34354
'68.##.130.152':34354
'20#.#23.117.228':34354
'70.##0.139.199':34354
'13#.#60.86.134':34354
'69.##.153.226':34354
'69.##7.194.201':34354
'98.##9.0.231':34354
'24.##2.202.33':34354
'24.##1.62.37':34354
'71.##9.66.72':34354
'68.##.134.141':34354
'70.##6.41.23':34354
'95.##.190.193':34354
'76.##.220.126':34354
'96.##7.160.152':34354
'10#.#.76.119':34354
'74.##.65.190':34354
'17#.#6.121.76':34354
'99.##.202.245':34354
'17#.#69.77.172':34354
'65.##.97.112':34354
'99.##8.23.159':34354
'98.##2.94.29':34354
'98.##.126.183':34354
'69.##4.199.174':34354
'98.##1.37.124':34354
'17#.134.4.9':34354
'75.##8.16.50':34354
'14.##.158.108':34354
'17#.#1.69.41':34354
'24.##3.99.126':34354
'65.##1.55.146':34354
'68.##.218.230':34354
'60.##8.252.167':34354
'70.##3.235.247':34354
'72.#90.77.8':34354
'98.##9.90.245':34354
'77.##.107.31':34354
'11#.#4.58.218':34354
'68.#4.14.42':34354
'2.##6.194.6':34354
'19#.#3.102.212':34354
'98.##.146.159':34354
'85.##6.176.161':34354
'24.##.233.177':34354
'70.##1.153.81':34354
'24.#0.9.82':34354
'76.##9.204.48':34354
'24.##9.93.182':34354
'92.##.101.87':34354
'70.##9.208.134':34354
'24.##.230.143':34354
'75.#32.8.5':34354
'75.##3.106.105':34354
'71.##6.168.55':34354
'68.##.249.193':34354
'19#.#42.133.103':34354
'97.##2.158.67':34354
'62.##9.145.194':34354
'17#.#44.185.255':34354
'76.##4.226.14':34354
'75.##.189.128':34354
'76.##7.166.42':34354
'76.##6.201.209':34354
'11#.#98.109.121':34354
'67.##5.240.211':34354
'66.#7.46.33':34354
'67.##2.56.54':34354
'69.##7.190.254':34354
'localhost':80
'71.##.167.24':34354
'71.##6.240.98':34354
'68.##3.125.240':34354
'71.##2.210.132':34354
'69.##6.78.105':34354
'24.##0.222.196':34354
'18#.#37.191.199':34354
'92.##.171.171':34354
'11#.#01.29.192':34354
'98.##6.47.151':34354
'18#.#33.120.132':34354
'77.##0.228.27':34354
'93.##.120.46':34354
'99.##.88.125':34354
'65.#5.24.21':34354
'66.#1.7.109':34354
'17#.#1.231.156':34354
'24.##2.17.133':34354
'17#.#.157.31':34354
'24.##1.139.87':34354
'18#.#27.92.246':34354
'24.##1.174.30':34354
'98.##9.159.131':34354
'69.##9.198.34':34354
'70.##9.249.128':34354
'20#.#35.212.10':34354
'68.##4.197.6':34354
'12#.#21.241.239':34354
'98.##6.209.139':34354
'67.##4.113.0':34354
'67.##4.192.44':34354
'69.##9.196.153':34354
'18#.#61.14.216':34354
'17#.#07.32.38':34354
'2.###.11.128':34354
'67.##.171.44':34354
'98.##2.198.40':34354
'20#.#43.193.56':34354
'75.#.163.8':34354
'65.#3.170.1':34354
'76.##5.226.7':34354
'74.##4.136.220':34354
'13#.#84.156.107':34354
'24.##.96.187':34354
'76.#7.207.0':34354
'50.##5.34.158':34354
'72.##1.8.179':34354
'67.##9.190.4':34354
'98.##9.85.88':34354
'69.##1.73.255':34354
'67.#.41.236':34354
'75.##8.171.0':34354
'68.##.152.193':34354
'85.##5.127.178':34354
'18#.#.214.85':34354
'15#.#24.149.190':34354
'95.##.102.102':34354
'75.#8.31.64':34354
'24.#2.22.55':34354
'76.##1.210.102':34354
'69.##5.205.70':34354
'18#.#3.252.89':34354
'74.#0.1.189':34354
'11#.#5.38.92':34354
'70.##.20.134':34354
'84.##2.27.181':34354
'98.##.83.180':34354
'75.##6.219.95':34354
'68.##.46.189':34354
'67.##.94.114':34354
'74.##6.21.157':34354
'69.##4.112.109':34354
'11#.#7.35.114':34354
'70.##.146.120':34354
'71.##.162.155':34354
'70.##1.129.212':34354
'86.##6.103.119':34354
'75.##.45.169':34354
'72.##0.61.51':34354
'70.##0.113.54':34354
'75.##.11.170':34354
'69.##5.45.49':34354
'71.##6.75.212':34354
'66.##9.48.50':34354
'17#.#4.199.207':34354

TCP:

Запросы HTTP GET:

http://qa##qijn.cn/stat2.php?&a################# via localhost
http://qa##qijn.cn/stat2.php?&a################ via localhost

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней