Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Helper Endpoint Time UPnP PNRP' = 'C:\p6d5wqtelh\sougjawqied.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\Resolution Identity WWAN Control] 'ImagePath' = 'C:\p6d5wqtelh\sougjawqied.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Resolution Identity WWAN Control] 'Start' = '00000002'
Вредоносные функции:
Запускает на исполнение:
- 'C:\p6d5wqtelh\w2a0b2xbw.exe' "c:\p6d5wqtelh\sougjawqied.exe"
- 'C:\p6d5wqtelh\sougjawqied.exe'
- 'C:\p6d5wqtelh\cvckiw2hrrlzjhstbvn3.exe'
Изменения в файловой системе:
Создает следующие файлы:
- C:\p6d5wqtelh\sougjawqied.exe
- C:\p6d5wqtelh\w2a0b2xbw.exe
- C:\p6d5wqtelh\prsngxbns
- %WINDIR%\p6d5wqtelh\erqlaimlhs
- C:\p6d5wqtelh\erqlaimlhs
- C:\p6d5wqtelh\cvckiw2hrrlzjhstbvn3.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- C:\p6d5wqtelh\w2a0b2xbw.exe
- C:\p6d5wqtelh\sougjawqied.exe
Удаляет следующие файлы:
- C:\p6d5wqtelh\cvckiw2hrrlzjhstbvn3.exe
- %WINDIR%\p6d5wqtelh\erqlaimlhs
Подменяет следующие файлы:
- %WINDIR%\p6d5wqtelh\erqlaimlhs
Сетевая активность:
Подключается к:
- 'cr#####onpickering.net':80
- 'ja#####ynpickering.net':80
- 'ch#####negrenville.net':80
- 'cl#####ndgrenville.net':80
- 'cr#####oneccleston.net':80
- 'ja#####yngeorgeson.net':80
- 'cr#####ongrenville.net':80
- 'ja#####yneccleston.net':80
- 'cr#####ongeorgeson.net':80
- 'cl#####ndgeorgeson.net':80
- 'ch#####nagrenville.net':80
- 'se#####angrenville.net':80
- 'ch#####nageorgeson.net':80
- 'se#####angeorgeson.net':80
- 'ch#####nepickering.net':80
- 'cl#####ndeccleston.net':80
- 'ch#####negeorgeson.net':80
- 'cl#####ndpickering.net':80
- 'ch#####neeccleston.net':80
- 'co#####ceeccleston.net':80
- 'ha#####tageorgeson.net':80
- 'co#####cepickering.net':80
- 'ha#####taeccleston.net':80
- 'co#####cegeorgeson.net':80
- 'ch#####tapickering.net':80
- 'ka#####rapickering.net':80
- 'ha#####tagrenville.net':80
- 'co#####cegrenville.net':80
- 'ha#####tapickering.net':80
- 'ja#####tapickering.net':80
- 'ro#####neeccleston.net':80
- 'ja#####yngrenville.net':80
- 'ro#####nepickering.net':80
- 'ja#####taeccleston.net':80
- 'ro#####negrenville.net':80
- 'ja#####tagrenville.net':80
- 'ro#####negeorgeson.net':80
- 'ja#####tageorgeson.net':80
- 'se#####aneccleston.net':80
- 'ka#####racatherin.net':80
- 'ch#####tagriselda.net':80
- 'co#####cesunshine.net':80
- 'ch#####tacatherin.net':80
- 'ka#####ragriselda.net':80
- 'ch#####tasunshine.net':80
- 'ka#####rasunshine.net':80
- 'ch#####tawhitaker.net':80
- 'ka#####rawhitaker.net':80
- 'ha#####tasunshine.net':80
- 'ja#####tasunshine.net':80
- 'ha#####tacatherin.net':80
- 'ja#####tawhitaker.net':80
- 'ro#####nesunshine.net':80
- 'co#####cecatherin.net':80
- 'ha#####tawhitaker.net':80
- 'co#####cewhitaker.net':80
- 'ha#####tagriselda.net':80
- 'co#####cegriselda.net':80
- 'de#####stwhitaker.net':80
- 'la#####iawhitaker.net':80
- 'de#####stgriselda.net':80
- 'la#####iagriselda.net':80
- 'de#####stsunshine.net':80
- 'se#####anpickering.net':80
- 'ch#####naeccleston.net':80
- 'la#####iasunshine.net':80
- 'ch#####napickering.net':80
- 'la#####iacatherin.net':80
- 'ma#####angriselda.net':80
- 'pr#####lagriselda.net':80
- 'ma#####ancatherin.net':80
- 'pr#####lacatherin.net':80
- 'ma#####anwhitaker.net':80
- 'pr#####lasunshine.net':80
- 'de#####stcatherin.net':80
- 'pr#####lawhitaker.net':80
- 'ma#####ansunshine.net':80
TCP:
Запросы HTTP GET:
- http://cr#####onpickering.net/index.php
- http://ja#####ynpickering.net/index.php
- http://ch#####negrenville.net/index.php
- http://cl#####ndgrenville.net/index.php
- http://cr#####oneccleston.net/index.php
- http://ja#####yngeorgeson.net/index.php
- http://cr#####ongrenville.net/index.php
- http://ja#####yneccleston.net/index.php
- http://cr#####ongeorgeson.net/index.php
- http://cl#####ndgeorgeson.net/index.php
- http://ch#####nagrenville.net/index.php
- http://se#####angrenville.net/index.php
- http://ch#####nageorgeson.net/index.php
- http://se#####angeorgeson.net/index.php
- http://ch#####nepickering.net/index.php
- http://cl#####ndeccleston.net/index.php
- http://ch#####negeorgeson.net/index.php
- http://cl#####ndpickering.net/index.php
- http://ch#####neeccleston.net/index.php
- http://co#####ceeccleston.net/index.php
- http://ha#####tageorgeson.net/index.php
- http://co#####cepickering.net/index.php
- http://ha#####taeccleston.net/index.php
- http://co#####cegeorgeson.net/index.php
- http://ch#####tapickering.net/index.php
- http://ka#####rapickering.net/index.php
- http://ha#####tagrenville.net/index.php
- http://co#####cegrenville.net/index.php
- http://ha#####tapickering.net/index.php
- http://ja#####tapickering.net/index.php
- http://ro#####neeccleston.net/index.php
- http://ja#####yngrenville.net/index.php
- http://ro#####nepickering.net/index.php
- http://ja#####taeccleston.net/index.php
- http://ro#####negrenville.net/index.php
- http://ja#####tagrenville.net/index.php
- http://ro#####negeorgeson.net/index.php
- http://ja#####tageorgeson.net/index.php
- http://se#####aneccleston.net/index.php
- http://ka#####racatherin.net/index.php
- http://ch#####tagriselda.net/index.php
- http://co#####cesunshine.net/index.php
- http://ch#####tacatherin.net/index.php
- http://ka#####ragriselda.net/index.php
- http://ch#####tasunshine.net/index.php
- http://ka#####rasunshine.net/index.php
- http://ch#####tawhitaker.net/index.php
- http://ka#####rawhitaker.net/index.php
- http://ha#####tasunshine.net/index.php
- http://ja#####tasunshine.net/index.php
- http://ha#####tacatherin.net/index.php
- http://ja#####tawhitaker.net/index.php
- http://ro#####nesunshine.net/index.php
- http://co#####cecatherin.net/index.php
- http://ha#####tawhitaker.net/index.php
- http://co#####cewhitaker.net/index.php
- http://ha#####tagriselda.net/index.php
- http://co#####cegriselda.net/index.php
- http://de#####stwhitaker.net/index.php
- http://la#####iawhitaker.net/index.php
- http://de#####stgriselda.net/index.php
- http://la#####iagriselda.net/index.php
- http://de#####stsunshine.net/index.php
- http://se#####anpickering.net/index.php
- http://ch#####naeccleston.net/index.php
- http://la#####iasunshine.net/index.php
- http://ch#####napickering.net/index.php
- http://la#####iacatherin.net/index.php
- http://ma#####angriselda.net/index.php
- http://pr#####lagriselda.net/index.php
- http://ma#####ancatherin.net/index.php
- http://pr#####lacatherin.net/index.php
- http://ma#####anwhitaker.net/index.php
- http://pr#####lasunshine.net/index.php
- http://de#####stcatherin.net/index.php
- http://pr#####lawhitaker.net/index.php
- http://ma#####ansunshine.net/index.php
UDP:
- DNS ASK cr#####onpickering.net
- DNS ASK ja#####ynpickering.net
- DNS ASK ch#####negrenville.net
- DNS ASK cl#####ndgrenville.net
- DNS ASK cr#####oneccleston.net
- DNS ASK ja#####yngeorgeson.net
- DNS ASK cr#####ongrenville.net
- DNS ASK ja#####yneccleston.net
- DNS ASK cr#####ongeorgeson.net
- DNS ASK cl#####ndgeorgeson.net
- DNS ASK ch#####nagrenville.net
- DNS ASK se#####angrenville.net
- DNS ASK ch#####nageorgeson.net
- DNS ASK se#####angeorgeson.net
- DNS ASK ch#####nepickering.net
- DNS ASK cl#####ndeccleston.net
- DNS ASK ch#####negeorgeson.net
- DNS ASK cl#####ndpickering.net
- DNS ASK ch#####neeccleston.net
- DNS ASK ja#####yngrenville.net
- DNS ASK ha#####tageorgeson.net
- DNS ASK co#####cegeorgeson.net
- DNS ASK ha#####taeccleston.net
- DNS ASK co#####ceeccleston.net
- DNS ASK ha#####tagrenville.net
- DNS ASK ka#####rapickering.net
- DNS ASK ch#####taeccleston.net
- DNS ASK co#####cegrenville.net
- DNS ASK ch#####tapickering.net
- DNS ASK co#####cepickering.net
- DNS ASK ro#####neeccleston.net
- DNS ASK ja#####taeccleston.net
- DNS ASK ro#####nepickering.net
- DNS ASK ja#####tapickering.net
- DNS ASK ro#####negeorgeson.net
- DNS ASK ja#####tagrenville.net
- DNS ASK ha#####tapickering.net
- DNS ASK ja#####tageorgeson.net
- DNS ASK ro#####negrenville.net
- DNS ASK ka#####racatherin.net
- DNS ASK ch#####tagriselda.net
- DNS ASK co#####cesunshine.net
- DNS ASK ch#####tacatherin.net
- DNS ASK ka#####ragriselda.net
- DNS ASK ch#####tasunshine.net
- DNS ASK ka#####rasunshine.net
- DNS ASK ch#####tawhitaker.net
- DNS ASK ka#####rawhitaker.net
- DNS ASK ha#####tasunshine.net
- DNS ASK ja#####tasunshine.net
- DNS ASK ha#####tacatherin.net
- DNS ASK ja#####tawhitaker.net
- DNS ASK ro#####nesunshine.net
- DNS ASK co#####cecatherin.net
- DNS ASK ha#####tawhitaker.net
- DNS ASK co#####cewhitaker.net
- DNS ASK ha#####tagriselda.net
- DNS ASK co#####cegriselda.net
- DNS ASK ma#####ancatherin.net
- DNS ASK la#####iawhitaker.net
- DNS ASK de#####stsunshine.net
- DNS ASK la#####iagriselda.net
- DNS ASK de#####stwhitaker.net
- DNS ASK la#####iasunshine.net
- DNS ASK ch#####naeccleston.net
- DNS ASK se#####aneccleston.net
- DNS ASK ch#####napickering.net
- DNS ASK se#####anpickering.net
- DNS ASK de#####stgriselda.net
- DNS ASK pr#####lagriselda.net
- DNS ASK ma#####anwhitaker.net
- DNS ASK pr#####lacatherin.net
- DNS ASK ma#####angriselda.net
- DNS ASK pr#####lawhitaker.net
- DNS ASK de#####stcatherin.net
- DNS ASK la#####iacatherin.net
- DNS ASK ma#####ansunshine.net
- DNS ASK pr#####lasunshine.net
