Trojan.PWS.Spy.20272

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.netbt] 'ImagePath' = '\*'

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует запуск следующих системных утилит:

Центр обеспечения безопасности (Security Center)

Запускает на исполнение:

'<SYSTEM32>\cmd.exe'

Внедряет код в

следующие системные процессы:

<SYSTEM32>\cmd.exe
<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'67.##2.106.228':34354
'10#.#31.198.100':34354
'85.##5.162.128':34354
'98.##9.178.224':34354
'10#.#.105.241':34354
'24.##2.199.124':34354
'69.##4.176.127':34354
'72.##0.16.232':34354
'70.##7.44.75':34354
'17#.#7.250.131':34354
'67.##2.186.146':34354
'75.##9.231.135':34354
'87.##.91.102':34354
'68.##.253.211':34354
'76.##6.31.188':34354
'19#.#8.85.200':34354
'68.##9.175.16':34354
'75.##0.105.242':34354
'18#.#73.69.170':34354
'77.##9.13.16':34354
'95.##.151.194':34354
'24.##3.59.129':34354
'68.#.232.110':34354
'10#.#16.97.237':34354
'71.##.56.173':34354
'76.##3.132.120':34354
'18#.#3.60.244':34354
'75.##9.235.74':34354
'72.##1.137.150':34354
'20#.#42.168.102':34354
'65.#.149.254':34354
'71.##.85.101':34354
'11#.#7.214.213':34354
'69.##5.205.70':34354
'94.##3.93.11':34354
'74.##6.165.229':34354
'68.##.180.184':34354
'84.##2.27.181':34354
'17#.#8.64.186':34354
'10#.#84.86.67':34354
'17#.#1.39.253':34354
'74.##9.186.253':34354
'96.##.41.244':34354
'76.##3.235.244':34354
'17#.#37.135.0':34354
'75.#41.0.73':34354
'69.##1.73.255':34354
'71.##.52.198':34354
'88.##8.37.52':34354
'82.##3.112.44':34354
'10#.#7.235.53':34354
'67.##.155.76':34354
'94.##3.217.83':34354
'68.##.178.104':34354
'85.##5.127.178':34354
'68.##3.91.127':34354
'18#.#5.161.243':34354
'75.##.36.140':34354
'18#.#75.54.119':34354
'18#.#42.55.118':34354
'66.##8.36.147':34354
'93.##.213.54':34354
'95.##.120.36':34354
'75.##5.29.147':34354
'93.##8.34.73':34354
'71.##8.218.198':34354
'98.##2.189.150':34354
'68.##.128.127':34354
'85.##2.237.125':34354
'99.##.35.125':34354
'89.##6.60.226':34354
'71.#5.57.34':34354
'71.##7.54.35':34354
'77.##7.164.184':34354
'75.##0.145.105':34354
'67.##3.193.179':34354
'11#.#09.222.96':34354
'83.##.169.244':34354
'70.##6.10.246':34354
'41.##7.50.227':34354
'76.##9.204.48':34354
'81.##.195.54':34354
'68.##.110.38':34354
'70.##8.144.152':34354
'97.#9.68.46':34354
'76.##7.234.152':34354
'24.#.128.85':34354
'74.##9.122.255':34354
'96.##.150.76':34354
'65.#5.98.37':34354
'99.##.250.230':34354
'89.##2.69.133':34354
'91.##7.112.13':34354
'18#.#14.31.244':34354
'10#.#20.177.78':34354
'84.##1.150.82':34354
'18#.#39.1.162':34354
'68.#.147.47':34354
'24.##.150.114':34354
'46.#2.176.7':34354
'18#.37.2.50':34354
'24.##7.101.200':34354
'39.##3.11.248':34354
'96.##.194.91':34354
'68.##1.45.228':34354
'18#.#9.183.125':34354
'79.##0.231.159':34354
'71.##7.215.24':34354
'79.##3.243.75':34354
'68.##6.81.131':34354
'24.##7.87.215':34354
'70.#5.55.32':34354
'10#.#37.13.65':34354
'69.##4.186.210':34354
'67.##.88.165':34354
'95.##.251.47':34354
'98.##9.58.12':34354
'66.##7.212.136':34354
'75.##5.193.137':34354
'76.##9.203.245':34354
'98.##8.223.231':34354
'98.##0.203.156':34354
'20#.#8.32.224':34354
'69.##7.175.253':34354
'70.##0.211.56':34354
'17#.#8.250.61':34354
'18#.#7.79.157':34354
'98.##9.226.50':34354
'68.#17.0.96':34354
'65.##.132.177':34354
'72.##4.111.247':34354
'75.#9.44.99':34354
'10#.#11.85.131':34354
'41.##0.200.86':34354
'69.##6.140.172':34354
'76.#3.75.25':34354
'10#.#98.234.130':34354
'68.##.242.21':34354
'77.##2.184.161':34354
'62.##7.125.160':34354
'18#.#76.93.186':34354
'31.##3.216.39':34354
'65.##.243.201':34354
'81.##.68.242':34354
'18#.#45.55.198':34354
'15#.#4.19.106':34354
'98.##8.78.93':34354
'17#.#6.64.25':34354
'75.##.127.30':34354
'98.##8.165.243':34354
'70.##3.75.147':34354
'41.##1.48.123':34354
'71.##.71.229':34354
'46.##8.116.164':34354
'11#.#2.78.38':34354
'17#.#27.8.148':34354
'18#.#7.253.9':34354
'18#.#94.144.56':34354
'96.##.67.166':34354
'17#.#5.229.94':34354
'20#.#74.193.27':34354
'17#.#26.151.188':34354
'83.##.199.12':34354
'24.##.111.88':34354
'66.##8.171.219':34354
'89.##.123.131':34354
'72.##1.15.221':34354
'66.#1.80.4':34354
'98.##1.41.104':34354
'75.##.229.109':34354
'75.##.29.237':34354
'localhost':80
'75.##1.0.102':34354
'66.##.170.31':34354
'82.##6.229.116':34354
'98.##2.214.148':34354
'24.##8.242.121':34354
'17#.#8.76.241':34354
'95.#8.25.35':34354
'78.##.50.195':34354
'24.##.164.101':34354
'71.##9.210.239':34354
'76.##4.193.3':34354
'18#.#37.191.221':34354
'98.##1.97.63':34354
'75.#6.112.9':34354
'17#.#9.2.230':34354
'69.##6.75.198':34354
'96.##.113.95':34354
'79.##7.83.156':34354
'16#.#37.200.193':34354
'72.##0.209.66':34354
'72.##0.52.154':34354
'24.##.84.124':34354
'19#.#8.177.124':34354
'24.##.135.112':34354
'24.##.94.123':34354
'67.##9.190.4':34354
'89.##.105.113':34354
'18#.#4.244.246':34354
'97.##3.167.245':34354
'19#.#60.181.236':34354
'18#.#7.199.239':34354
'19#.#12.115.231':34354
'74.##1.199.234':34354
'93.##5.220.19':34354
'17#.8.2.243':34354
'76.##0.134.119':34354
'10#.#5.26.96':34354
'24.##1.66.166':34354
'75.##.11.170':34354
'24.##3.138.110':34354
'68.##.113.157':34354
'69.##2.138.221':34354
'97.##.184.26':34354
'10#.#8.52.104':34354
'78.##9.23.70':34354
'20#.#89.54.74':34354
'67.##3.200.141':34354
'13#.#04.112.127':34354
'71.##9.61.76':34354
'15#.#5.175.113':34354
'92.##.232.55':34354
'24.##8.173.207':34354
'83.##4.59.138':34354
'68.##.46.189':34354
'70.##1.241.34':34354
'21#.#31.16.20':34354
'74.##5.37.194':34354
'70.##7.28.33':34354
'68.#2.3.104':34354
'74.##.254.196':34354
'68.##0.171.73':34354
'71.##.21.254':34354
'24.#.101.242':34354
'70.##0.36.125':34354
'70.#2.14.64':34354
'18#.#5.97.111':34354
'10.##6.54.145':34354
'18#.#4.202.102':34354
'20#.#07.23.49':34354
'19#.#7.47.223':34354
'71.##.193.26':34354
'17#.#68.20.213':34354
'18#.#6.239.130':34354
'24.##1.158.23':34354
'24.##.72.231':34354
'95.##.222.100':34354
'75.##6.62.230':34354
'98.##.83.180':34354
'72.##8.110.104':34354
'18#.#27.118.84':34354
'68.##.179.203':34354
'76.##3.255.176':34354
'19#.#10.115.209':34354
'71.##0.55.78':34354
'19#.#01.203.203':34354

TCP:

Запросы HTTP GET:

http://pp##dnjp.cn/stat2.php?&a################# via localhost
http://pp##dnjp.cn/stat2.php?&a################ via localhost

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней