Trojan.PWS.Spy.20133

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.xxhgfs] 'ImagePath' = '\*'

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует запуск следующих системных утилит:

Центр обеспечения безопасности (Security Center)

Запускает на исполнение:

'<SYSTEM32>\cmd.exe'

Внедряет код в

следующие системные процессы:

<SYSTEM32>\cmd.exe
<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'17#.#23.193.0':34354
'17#.#.71.173':34354
'93.#5.33.70':34354
'68.##.46.189':34354
'98.##4.127.216':34354
'17#.#03.64.116':34354
'94.##2.143.241':34354
'18#.#8.112.87':34354
'84.##2.27.181':34354
'71.##.207.207':34354
'98.##1.1.234':34354
'69.##3.223.143':34354
'91.##7.60.22':34354
'24.##.252.31':34354
'69.##.177.71':34354
'76.##6.195.97':34354
'71.##.236.70':34354
'72.##0.26.126':34354
'17#.#5.164.11':34354
'81.#1.173.5':34354
'10#.#29.224.132':34354
'17#.#9.34.64':34354
'46.#2.235.2':34354
'97.#2.54.27':34354
'75.##6.213.196':34354
'24.##.228.198':34354
'68.##6.133.235':34354
'69.##5.205.70':34354
'72.##1.185.38':34354
'18#.#7.147.80':34354
'24.##.91.153':34354
'98.##9.204.44':34354
'69.##1.34.51':34354
'80.##.179.74':34354
'75.##0.64.136':34354
'10#.#85.227.96':34354
'75.##6.62.230':34354
'75.##5.193.137':34354
'68.##.237.228':34354
'64.##.69.243':34354
'75.##.175.218':34354
'18#.#11.48.211':34354
'24.##7.207.224':34354
'18#.#9.151.81':34354
'74.##3.54.23':34354
'75.##.174.44':34354
'62.##.198.128':34354
'98.##2.36.153':34354
'99.##2.8.239':34354
'10#.#01.183.34':34354
'98.#0.0.32':34354
'71.#36.1.94':34354
'82.##9.245.179':34354
'18#.#0.98.121':34354
'71.##6.75.212':34354
'68.##2.188.77':34354
'11#.#35.87.100':34354
'69.##7.107.128':34354
'68.#.213.73':34354
'18#.#15.96.58':34354
'95.##1.155.35':34354
'72.##7.200.109':34354
'17#.19.9.17':34354
'71.##2.156.86':34354
'76.##3.249.27':34354
'74.##7.168.138':34354
'67.##2.55.211':34354
'64.##1.172.70':34354
'91.##4.126.101':34354
'70.##0.150.103':34354
'75.#6.58.82':34354
'15#.#24.149.190':34354
'74.##.130.46':34354
'89.##.120.32':34354
'20#.#65.101.33':34354
'10#.#15.150.230':34354
'68.##.214.30':34354
'68.##.61.211':34354
'71.##5.206.216':34354
'75.##.213.211':34354
'12.##.68.125':34354
'68.##4.255.141':34354
'89.##6.5.123':34354
'69.##2.201.151':34354
'89.##6.121.127':34354
'17#.#7.7.136':34354
'68.##9.242.251':34354
'18#.#.205.138':34354
'95.##.51.111':34354
'18#.#22.131.167':34354
'68.##3.127.175':34354
'17#.#1.218.107':34354
'76.##.155.243':34354
'76.#.123.12':34354
'24.##5.127.119':34354
'75.##.247.120':34354
'24.##1.212.60':34354
'17#.#73.89.178':34354
'87.##.91.102':34354
'68.##3.128.30':34354
'24.##.45.168':34354
'20#.#55.228.115':34354
'74.##.82.176':34354
'67.#3.25.19':34354
'94.##3.179.83':34354
'70.##3.64.192':34354
'24.##8.89.77':34354
'69.##4.136.79':34354
'72.##4.112.65':34354
'17#.#3.5.100':34354
'11#.#09.222.96':34354
'68.##0.202.183':34354
'91.##.64.249':34354
'75.##4.107.141':34354
'19#.#3.204.121':34354
'76.##9.203.245':34354
'68.##8.185.34':34354
'96.##.113.95':34354
'66.##.90.249':34354
'76.##4.6.252':34354
'67.##.195.47':34354
'50.##.86.233':34354
'21#.#3.104.161':34354
'93.##5.190.119':34354
'89.##4.179.121':34354
'18#.#40.117.42':34354
'69.##4.90.46':34354
'46.##3.19.14':34354
'85.##6.137.119':34354
'24.##6.115.40':34354
'67.##6.247.125':34354
'82.##8.86.176':34354
'24.##8.201.179':34354
'66.##8.103.203':34354
'17#.#0.224.84':34354
'82.##4.37.130':34354
'76.##6.241.62':34354
'67.##2.52.196':34354
'70.##6.214.71':34354
'98.##.183.231':34354
'68.##5.100.105':34354
'24.##.147.141':34354
'69.##5.220.121':34354
'76.##6.206.156':34354
'20#.#55.79.127':34354
'18#.#6.219.156':34354
'65.#.52.125':34354
'18#.#2.220.70':34354
'74.##6.144.5':34354
'24.##4.90.56':34354
'68.##7.186.165':34354
'70.##9.180.111':34354
'68.##.136.104':34354
'13#.#6.169.252':34354
'24.##6.221.246':34354
'24.##8.120.229':34354
'18#.#3.96.146':34354
'93.##.120.143':34354
'66.##5.155.108':34354
'46.##5.133.206':34354
'76.##.182.239':34354
'24.##0.44.63':34354
'95.##.142.168':34354
'24.##5.171.188':34354
'63.##7.239.150':34354
'68.##.13.151':34354
'98.#6.8.239':34354
'68.##4.194.109':34354
'68.##5.230.171':34354
'10#.#2.230.239':34354
'79.##4.224.171':34354
'localhost':80
'76.##4.90.114':34354
'65.##.151.20':34354
'17#.#9.181.137':34354
'72.##2.233.169':34354
'46.##9.105.81':34354
'86.#.174.230':34354
'77.##.222.28':34354
'24.##2.17.133':34354
'96.##.35.101':34354
'71.##4.109.190':34354
'65.##1.48.37':34354
'75.##.93.143':34354
'17#.#1.141.107':34354
'74.##6.100.139':34354
'31.##7.201.239':34354
'75.##7.165.97':34354
'98.##0.55.28':34354
'97.##.11.240':34354
'71.##.117.159':34354
'70.##5.72.224':34354
'66.##6.42.33':34354
'67.##.92.254':34354
'92.##1.21.248':34354
'18#.#6.97.117':34354
'76.#7.51.59':34354
'24.##5.181.187':34354
'74.##1.199.234':34354
'17#.#07.226.126':34354
'87.##7.116.95':34354
'19#.#2.82.178':34354
'14#.#51.90.193':34354
'74.##2.202.191':34354
'85.##7.189.24':34354
'10#.#4.97.145':34354
'99.##.220.159':34354
'49.##5.122.12':34354
'93.##.213.54':34354
'69.##4.235.110':34354
'76.##5.37.169':34354
'17#.#3.0.170':34354
'18#.#0.220.131':34354
'91.##.194.117':34354
'98.##8.222.14':34354
'68.##.164.215':34354
'71.##.248.85':34354
'69.##4.193.36':34354
'71.##.26.175':34354
'74.#3.9.132':34354
'19#.#3.225.211':34354
'10#.#7.134.69':34354
'50.##.252.207':34354
'18#.2.2.124':34354
'15#.#5.151.243':34354
'67.##.93.199':34354
'24.##.79.175':34354
'17#.#02.40.228':34354
'18#.#4.168.23':34354
'99.##6.86.217':34354
'68.##.167.57':34354
'77.##.109.205':34354
'19#.#5.187.114':34354
'10#.#30.226.1':34354
'24.##.28.241':34354
'65.##.233.12':34354
'68.#2.6.21':34354
'24.##9.183.236':34354
'76.##9.87.135':34354
'71.##.44.221':34354
'80.##1.199.117':34354
'24.##1.206.82':34354
'67.##9.240.82':34354
'75.##.57.165':34354
'75.##.42.230':34354
'98.#94.2.91':34354
'77.##2.79.38':34354
'72.##5.245.158':34354
'69.##5.201.158':34354
'12#.#49.89.218':34354
'93.##.14.170':34354
'75.#32.8.5':34354
'67.##9.190.4':34354
'49.##2.99.104':34354
'86.##7.153.59':34354
'50.##.168.34':34354
'74.##6.0.137':34354

TCP:

Запросы HTTP GET:

http://hw##qkrn.cn/stat2.php?&a################# via localhost
http://hw##qkrn.cn/stat2.php?&a################ via localhost

Другое:

Ищет следующие окна:

ClassName: 'JDlkjdioUOUDuiod' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней