Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Policy IP Solutions iSCSI Topology' = 'C:\az8rsu1aezd\zsqxnck4.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\Machine Transaction Counter] 'ImagePath' = 'C:\az8rsu1aezd\zsqxnck4.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Machine Transaction Counter] 'Start' = '00000002'
Вредоносные функции:
Запускает на исполнение:
- 'C:\az8rsu1aezd\exgcp2trchshq.exe' "c:\az8rsu1aezd\zsqxnck4.exe"
- 'C:\az8rsu1aezd\zsqxnck4.exe'
- 'C:\az8rsu1aezd\aikd1ip2txpewvxq3hscm.exe'
Изменения в файловой системе:
Создает следующие файлы:
- C:\az8rsu1aezd\zsqxnck4.exe
- C:\az8rsu1aezd\exgcp2trchshq.exe
- C:\az8rsu1aezd\dbep5pv3iers
- %WINDIR%\az8rsu1aezd\jca7vh
- C:\az8rsu1aezd\jca7vh
- C:\az8rsu1aezd\aikd1ip2txpewvxq3hscm.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- C:\az8rsu1aezd\exgcp2trchshq.exe
- C:\az8rsu1aezd\zsqxnck4.exe
Удаляет следующие файлы:
- C:\az8rsu1aezd\aikd1ip2txpewvxq3hscm.exe
- %WINDIR%\az8rsu1aezd\jca7vh
Подменяет следующие файлы:
- %WINDIR%\az8rsu1aezd\jca7vh
Сетевая активность:
Подключается к:
- 'br#####iagabrielson.net':80
- 'ga#####lagabrielson.net':80
- 'br######achristinsen.net':80
- 'ga######achristinsen.net':80
- 'br#####iastephenson.net':80
- 'ga#####lastephenson.net':80
- 'br######acollingwood.net':80
- 'ga######acollingwood.net':80
- 'sh#####lestephenson.net':80
- 'sh######echristinsen.net':80
- 'gr#####orgabrielson.net':80
- 'ge#####nestephenson.net':80
- 'gr######rchristinsen.net':80
- 'sh######ecollingwood.net':80
- 'gr#####orstephenson.net':80
- 'sh#####legabrielson.net':80
- 'gr######rcollingwood.net':80
- 'gr#####learthurson.net':80
- 'si#####ermontgomery.net':80
- 'gr#####lewilloughby.net':80
- 'si#####erarthurson.net':80
- 'gr#####lenormanson.net':80
- 'he#####onwilloughby.net':80
- 'gr#####lemontgomery.net':80
- 'si#####ernormanson.net':80
- 'si#####erwilloughby.net':80
- 'an#####lagabrielson.net':80
- 'ga#####legabrielson.net':80
- 'an######achristinsen.net':80
- 'ga######echristinsen.net':80
- 'an#####lastephenson.net':80
- 'ga#####lestephenson.net':80
- 'an######acollingwood.net':80
- 'ga######ecollingwood.net':80
- 'th######achristinsen.net':80
- 'ce######echristinsen.net':80
- 'he#####onstephenson.net':80
- 'kr#####lestephenson.net':80
- 'th######acollingwood.net':80
- 'ce######ecollingwood.net':80
- 'th#####nagabrielson.net':80
- 'ce#####negabrielson.net':80
- 'kr######ecollingwood.net':80
- 'gr#####lestephenson.net':80
- 'he######nchristinsen.net':80
- 'gr######ecollingwood.net':80
- 'si#####erstephenson.net':80
- 'kr#####legabrielson.net':80
- 'he######ncollingwood.net':80
- 'kr######echristinsen.net':80
- 'he#####ongabrielson.net':80
- 'ge######echristinsen.net':80
- 'he#####tagabrielson.net':80
- 'br#####testephenson.net':80
- 'he######achristinsen.net':80
- 'ge######ecollingwood.net':80
- 'he#####tastephenson.net':80
- 'ge#####negabrielson.net':80
- 'he######acollingwood.net':80
- 'je#####onstephenson.net':80
- 'je######nchristinsen.net':80
- 'br######echristinsen.net':80
- 'th#####nastephenson.net':80
- 'ce#####nestephenson.net':80
- 'je######ncollingwood.net':80
- 'br######ecollingwood.net':80
- 'je#####ongabrielson.net':80
- 'br#####tegabrielson.net':80
TCP:
Запросы HTTP GET:
- http://br#####iagabrielson.net/index.php
- http://ga#####lagabrielson.net/index.php
- http://br######achristinsen.net/index.php
- http://ga######achristinsen.net/index.php
- http://br#####iastephenson.net/index.php
- http://ga#####lastephenson.net/index.php
- http://br######acollingwood.net/index.php
- http://ga######acollingwood.net/index.php
- http://sh#####lestephenson.net/index.php
- http://sh######echristinsen.net/index.php
- http://gr#####orgabrielson.net/index.php
- http://ge#####nestephenson.net/index.php
- http://gr######rchristinsen.net/index.php
- http://sh######ecollingwood.net/index.php
- http://gr#####orstephenson.net/index.php
- http://sh#####legabrielson.net/index.php
- http://gr######rcollingwood.net/index.php
- http://gr#####learthurson.net/index.php
- http://si#####ermontgomery.net/index.php
- http://gr#####lewilloughby.net/index.php
- http://si#####erarthurson.net/index.php
- http://gr#####lenormanson.net/index.php
- http://he#####onwilloughby.net/index.php
- http://gr#####lemontgomery.net/index.php
- http://si#####ernormanson.net/index.php
- http://si#####erwilloughby.net/index.php
- http://an#####lagabrielson.net/index.php
- http://ga#####legabrielson.net/index.php
- http://an######achristinsen.net/index.php
- http://ga######echristinsen.net/index.php
- http://an#####lastephenson.net/index.php
- http://ga#####lestephenson.net/index.php
- http://an######acollingwood.net/index.php
- http://ga######ecollingwood.net/index.php
- http://th######achristinsen.net/index.php
- http://ce######echristinsen.net/index.php
- http://he#####onstephenson.net/index.php
- http://kr#####lestephenson.net/index.php
- http://th######acollingwood.net/index.php
- http://ce######ecollingwood.net/index.php
- http://th#####nagabrielson.net/index.php
- http://ce#####negabrielson.net/index.php
- http://kr######ecollingwood.net/index.php
- http://gr#####lestephenson.net/index.php
- http://he######nchristinsen.net/index.php
- http://gr######ecollingwood.net/index.php
- http://si#####erstephenson.net/index.php
- http://kr#####legabrielson.net/index.php
- http://he######ncollingwood.net/index.php
- http://kr######echristinsen.net/index.php
- http://he#####ongabrielson.net/index.php
- http://ge######echristinsen.net/index.php
- http://he#####tagabrielson.net/index.php
- http://br#####testephenson.net/index.php
- http://he######achristinsen.net/index.php
- http://ge######ecollingwood.net/index.php
- http://he#####tastephenson.net/index.php
- http://ge#####negabrielson.net/index.php
- http://he######acollingwood.net/index.php
- http://je#####onstephenson.net/index.php
- http://je######nchristinsen.net/index.php
- http://br######echristinsen.net/index.php
- http://th#####nastephenson.net/index.php
- http://ce#####nestephenson.net/index.php
- http://je######ncollingwood.net/index.php
- http://br######ecollingwood.net/index.php
- http://je#####ongabrielson.net/index.php
- http://br#####tegabrielson.net/index.php
UDP:
- DNS ASK ga#####lagabrielson.net
- DNS ASK br######acollingwood.net
- DNS ASK ga######achristinsen.net
- DNS ASK br#####iagabrielson.net
- DNS ASK ga#####lastephenson.net
- DNS ASK an######achristinsen.net
- DNS ASK ga######acollingwood.net
- DNS ASK br#####iastephenson.net
- DNS ASK br######achristinsen.net
- DNS ASK gr#####orgabrielson.net
- DNS ASK sh#####legabrielson.net
- DNS ASK gr######rchristinsen.net
- DNS ASK sh######echristinsen.net
- DNS ASK gr#####orstephenson.net
- DNS ASK sh#####lestephenson.net
- DNS ASK gr######rcollingwood.net
- DNS ASK sh######ecollingwood.net
- DNS ASK si#####ermontgomery.net
- DNS ASK gr#####lemontgomery.net
- DNS ASK si#####erarthurson.net
- DNS ASK gr#####learthurson.net
- DNS ASK he#####onwilloughby.net
- DNS ASK kr#####lewilloughby.net
- DNS ASK si#####ernormanson.net
- DNS ASK gr#####lenormanson.net
- DNS ASK gr#####lewilloughby.net
- DNS ASK ga#####legabrielson.net
- DNS ASK an######acollingwood.net
- DNS ASK ga######echristinsen.net
- DNS ASK an#####lagabrielson.net
- DNS ASK ga#####lestephenson.net
- DNS ASK si#####erwilloughby.net
- DNS ASK ga######ecollingwood.net
- DNS ASK an#####lastephenson.net
- DNS ASK ge#####nestephenson.net
- DNS ASK th######achristinsen.net
- DNS ASK ce######echristinsen.net
- DNS ASK he#####onstephenson.net
- DNS ASK kr#####lestephenson.net
- DNS ASK th######acollingwood.net
- DNS ASK ce######ecollingwood.net
- DNS ASK th#####nagabrielson.net
- DNS ASK ce#####negabrielson.net
- DNS ASK kr######ecollingwood.net
- DNS ASK gr#####lestephenson.net
- DNS ASK he######nchristinsen.net
- DNS ASK gr######ecollingwood.net
- DNS ASK si#####erstephenson.net
- DNS ASK kr#####legabrielson.net
- DNS ASK he######ncollingwood.net
- DNS ASK kr######echristinsen.net
- DNS ASK he#####ongabrielson.net
- DNS ASK ge######echristinsen.net
- DNS ASK he#####tagabrielson.net
- DNS ASK br#####testephenson.net
- DNS ASK he######achristinsen.net
- DNS ASK ge######ecollingwood.net
- DNS ASK he#####tastephenson.net
- DNS ASK ge#####negabrielson.net
- DNS ASK he######acollingwood.net
- DNS ASK je#####onstephenson.net
- DNS ASK je######nchristinsen.net
- DNS ASK br######echristinsen.net
- DNS ASK th#####nastephenson.net
- DNS ASK ce#####nestephenson.net
- DNS ASK je######ncollingwood.net
- DNS ASK br######ecollingwood.net
- DNS ASK je#####ongabrielson.net
- DNS ASK br#####tegabrielson.net
