Trojan.PWS.Spy.14109

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.xxhgfs] 'ImagePath' = '\*'

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует запуск следующих системных утилит:

Центр обеспечения безопасности (Security Center)

Запускает на исполнение:

'<SYSTEM32>\cmd.exe'

Внедряет код в

следующие системные процессы:

<SYSTEM32>\cmd.exe
<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'18#.#60.82.250':34354
'17#.#03.10.33':34354
'71.##4.60.40':34354
'19#.#04.131.103':34354
'75.##6.125.49':34354
'75.##.124.224':34354
'68.##.157.47':34354
'70.##7.229.169':34354
'68.#.151.153':34354
'68.##2.254.228':34354
'75.##.225.138':34354
'20#.#38.55.168':34354
'69.##.227.157':34354
'69.##5.238.219':34354
'75.#6.43.42':34354
'67.##0.195.203':34354
'98.##2.189.150':34354
'68.#5.45.61':34354
'71.##6.75.212':34354
'93.##7.238.2':34354
'72.##7.104.117':34354
'24.##1.199.56':34354
'68.##.215.12':34354
'24.##.21.145':34354
'89.##9.195.52':34354
'81.##.195.54':34354
'96.##.189.193':34354
'10#.#.76.119':34354
'17#.#09.152.64':34354
'74.##1.199.234':34354
'21#.#6.161.32':34354
'24.#11.31.5':34354
'99.##4.106.6':34354
'20#.#95.128.77':34354
'50.##.181.142':34354
'74.##.207.248':34354
'76.#8.33.2':34354
'69.##.153.226':34354
'10#.#.244.144':34354
'19#.#49.195.191':34354
'75.##3.67.243':34354
'61.##0.49.108':34354
'76.##7.32.67':34354
'98.#65.3.68':34354
'75.##9.132.198':34354
'98.##1.152.142':34354
'76.##4.208.15':34354
'24.##.219.203':34354
'65.##.120.84':34354
'75.##.183.64':34354
'99.##.166.61':34354
'66.##8.97.247':34354
'12#.3.86.28':34354
'21#.80.55.6':34354
'75.##1.143.83':34354
'18#.#5.195.64':34354
'76.##1.252.24':34354
'76.##7.111.219':34354
'76.##6.136.89':34354
'85.##5.127.178':34354
'69.##8.76.178':34354
'76.##9.47.26':34354
'75.##0.51.154':34354
'19#.#8.224.92':34354
'24.##5.88.126':34354
'20#.#10.126.17':34354
'98.##7.94.21':34354
'69.##3.50.129':34354
'97.##3.167.245':34354
'74.##8.63.118':34354
'24.##9.71.228':34354
'97.#9.68.46':34354
'71.##.197.12':34354
'17#.#11.255.89':34354
'76.##.110.182':34354
'70.##9.43.25':34354
'68.#0.29.22':34354
'50.##.231.238':34354
'18#.#70.39.136':34354
'12#.#33.70.240':34354
'18#.65.50.5':34354
'76.##.195.83':34354
'84.##1.150.82':34354
'11#.#02.120.96':34354
'18#.#.154.89':34354
'74.##0.177.59':34354
'17#.#5.229.94':34354
'20#.#04.23.189':34354
'98.##2.40.213':34354
'21#.#5.62.74':34354
'18#.#95.90.15':34354
'68.##.61.217':34354
'11#.#0.221.102':34354
'17#.#9.30.178':34354
'96.##.138.11':34354
'99.##.167.173':34354
'69.##5.140.68':34354
'75.##8.60.50':34354
'68.##4.194.109':34354
'98.##9.199.51':34354
'82.#9.4.204':34354
'76.##.117.170':34354
'50.##3.226.69':34354
'98.##9.221.48':34354
'71.##1.49.218':34354
'18#.#37.191.221':34354
'69.##8.230.89':34354
'76.##7.56.174':34354
'74.##2.51.66':34354
'74.#7.99.52':34354
'74.##.202.167':34354
'19#.#6.245.110':34354
'75.##2.8.137':34354
'88.##4.155.234':34354
'24.#.191.79':34354
'10#.#05.89.5':34354
'17#.#26.255.242':34354
'24.#2.1.24':34354
'74.##.180.152':34354
'68.##.72.189':34354
'98.##.64.199':34354
'24.##.41.157':34354
'70.##4.142.122':34354
'72.##8.91.249':34354
'99.##2.104.128':34354
'67.##4.75.174':34354
'17#.134.4.9':34354
'67.##6.112.137':34354
'68.#.232.110':34354
'10#.#5.102.224':34354
'68.##2.210.140':34354
'68.##4.66.226':34354
'68.##.185.250':34354
'69.##2.151.154':34354
'24.##7.163.12':34354
'17#.#5.222.224':34354
'66.##.184.143':34354
'24.##0.163.92':34354
'17#.#4.50.28':34354
'76.##5.216.21':34354
'98.##4.83.99':34354
'10#.#5.48.28':34354
'18#.#3.110.74':34354
'24.##6.148.112':34354
'71.##.244.124':34354
'98.##6.151.74':34354
'69.##3.116.58':34354
'18#.#90.213.172':34354
'75.##.78.204':34354
'98.##1.146.42':34354
'68.##3.91.127':34354
'89.##8.86.85':34354
'67.##6.136.72':34354
'18#.#34.125.216':34354
'98.##3.161.143':34354
'17#.#2.164.56':34354
'68.##4.17.213':34354
'70.##0.144.218':34354
'75.##.75.244':34354
'50.#0.67.80':34354
'99.##.99.167':34354
'76.##7.201.216':34354
'76.##7.137.34':34354
'24.##7.81.61':34354
'96.#9.13.63':34354
'24.##8.171.207':34354
'76.##.190.106':34354
'76.##4.241.15':34354
'98.##4.121.138':34354
'68.##2.225.64':34354
'70.#0.97.39':34354
'localhost':80
'76.##.208.202':34354
'67.##.128.99':34354
'24.##8.92.108':34354
'98.##3.3.146':34354
'72.##9.157.58':34354
'68.##.136.193':34354
'75.##4.161.60':34354
'68.#.200.168':34354
'75.#4.85.50':34354
'72.##7.142.107':34354
'18#.#8.249.250':34354
'50.#8.4.195':34354
'98.##.191.105':34354
'68.#.2.56':34354
'20#.#26.87.78':34354
'70.##0.116.113':34354
'66.##9.172.189':34354
'72.##8.86.89':34354
'98.##0.31.150':34354
'75.##3.159.74':34354
'76.##5.51.31':34354
'18#.#.253.155':34354
'15#.#13.216.75':34354
'10#.#3.16.75':34354
'99.##3.134.75':34354
'17#.#6.15.19':34354
'72.#82.83.3':34354
'69.##.177.70':34354
'76.##7.99.138':34354
'19#.#8.131.1':34354
'98.##9.36.164':34354
'68.##.167.57':34354
'17#.#17.61.110':34354
'92.##.92.100':34354
'75.##5.204.223':34354
'24.##.88.197':34354
'17#.#4.68.210':34354
'72.##8.210.51':34354
'18#.#10.215.34':34354
'20#.#39.6.124':34354
'98.##.97.157':34354
'71.##9.210.239':34354
'65.##.151.20':34354
'98.#3.68.31':34354
'19#.#02.184.210':34354
'24.##7.227.217':34354
'97.##3.186.107':34354
'50.##.228.83':34354
'41.##2.100.239':34354
'24.##.117.37':34354
'20#.#23.117.228':34354
'69.##3.97.182':34354
'98.##4.216.157':34354
'67.##3.193.179':34354
'50.##0.66.179':34354
'21#.#68.60.27':34354
'17#.#7.204.15':34354
'24.##2.131.63':34354
'17#.#8.77.35':34354
'91.##7.60.22':34354
'71.##5.186.223':34354
'17#.#9.191.15':34354
'71.#5.30.14':34354
'70.##2.97.168':34354
'24.##0.139.234':34354
'72.##8.62.249':34354
'17#.#2.107.23':34354
'17#.#79.181.86':34354
'75.##1.22.185':34354
'75.##6.78.172':34354
'67.##.135.89':34354
'19#.#98.18.170':34354
'96.##.50.171':34354
'99.##8.18.204':34354
'67.##.215.212':34354
'24.##1.189.142':34354
'70.##3.151.82':34354
'70.##5.35.94':34354
'50.#9.91.59':34354
'71.#8.50.74':34354
'18#.#4.244.246':34354
'68.##4.200.148':34354
'24.##7.102.126':34354
'21#.#2.195.7':34354
'65.##.164.170':34354

TCP:

Запросы HTTP GET:

http://ii##tuok.cn/stat2.php?&a################# via localhost
http://ii##tuok.cn/stat2.php?&a################ via localhost

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней