Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\?'
Вредоносные функции:
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\winlogon.exe
- %WINDIR%\Explorer.EXE
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\$NtUninstallKB27979$\4121336045\@
- %WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
- %WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
- %WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo
Самоудаляется.
Сетевая активность:
Подключается к:
- '69.##6.204.8':34354
- '10#.#0.227.241':34354
- '75.##1.205.176':34354
- '24.##3.127.185':34354
- '76.##9.18.253':34354
- '24.##.152.151':34354
- '87.##0.165.241':34354
- '67.##6.204.3':34354
- '18#.#22.62.160':34354
- '66.##9.175.194':34354
- '69.##2.248.91':34354
- '98.##4.160.125':34354
- '82.##9.9.161':34354
- '18#.#.23.207':34354
- '84.#0.81.83':34354
- '95.#4.8.115':34354
- '68.#.68.189':34354
- '72.##5.217.96':34354
- '50.##.195.39':34354
- '90.##9.119.96':34354
- '61.##1.193.172':34354
- '24.##4.226.239':34354
- '19#.#3.177.88':34354
- '76.##2.65.205':34354
- '76.##8.243.244':34354
- '95.##.201.10':34354
- '97.##.58.176':34354
- '67.##7.87.238':34354
- '19#.#62.44.204':34354
- '24.##6.239.66':34354
- '20#.#39.242.238':34354
- '18#.#10.106.213':34354
- '65.##.164.180':34354
- '68.##.52.193':34354
- '75.##4.70.24':34354
- '74.##.253.58':34354
- '68.##3.244.227':34354
- '74.##7.163.112':34354
- '20#.#55.126.200':34354
- '74.#35.1.21':34354
- '68.##.234.61':34354
- '74.##9.245.67':34354
- '78.#7.122.5':34354
- '75.##9.152.32':34354
- '71.##.56.208':34354
- '98.##5.71.153':34354
- '17#.#31.133.225':34354
- '98.##6.161.178':34354
- '20#.#31.246.207':34354
- '75.##4.34.28':34354
- '17#.#8.217.217':34354
- '69.##5.63.162':34354
- '18#.#5.192.205':34354
- '71.##5.94.54':34354
- '67.##.138.191':34354
- '71.##6.180.75':34354
- '68.##7.209.29':34354
- '20#.#42.52.30':34354
- '74.##6.249.127':34354
- '74.##.205.211':34354
- '19#.#8.85.200':34354
- '74.##.33.252':34354
- '84.##2.27.181':34354
- '24.##.124.211':34354
- '98.##4.78.174':34354
- '95.##.201.20':34354
- '68.##.13.159':34354
- '97.##.148.106':34354
- '66.##0.17.229':34354
- '68.##.135.47':34354
- '20#.#6.199.165':34354
- '20#.#44.124.113':34354
- '24.##.163.165':34354
- '50.##.192.82':34354
- '68.#.63.171':34354
- '76.#1.2.72':34354
- '17#.#34.209.2':34354
- '67.##2.118.252':34354
- '82.#1.155.6':34354
- '99.##4.247.236':34354
- '68.##6.193.14':34354
- '24.##7.131.133':34354
- '24.##1.199.135':34354
- '17#.#7.136.197':34354
- '72.##.242.186':34354
- '68.#.62.101':34354
- '10#.#.78.187':34354
- '75.##5.195.54':34354
- '77.##1.168.183':34354
- '68.##3.77.210':34354
- '85.##2.45.58':34354
- '66.#5.9.105':34354
- '98.##5.224.133':34354
- '65.##.246.243':34354
- '97.##0.4.102':34354
- '20#.#27.90.208':34354
- '76.##5.214.63':34354
- '69.##4.84.105':34354
- '98.##4.35.40':34354
- '82.##.146.176':34354
- '17#.#10.192.33':34354
- '20#.#12.146.165':34354
- '74.##9.195.28':34354
- '17#.#49.141.99':34354
- '68.##0.11.204':34354
- '89.##6.147.133':34354
- '66.##0.58.117':34354
- '98.##7.194.43':34354
- '20#.#5.203.161':34354
- '17#.#1.151.63':34354
- '18#.#16.128.136':34354
- '75.##.229.215':34354
- '24.##6.44.81':34354
- '46.##4.50.222':34354
- '99.##5.101.142':34354
- '71.##.203.247':34354
- '78.##9.38.153':34354
- '75.##1.183.51':34354
- '98.#12.2.61':34354
- '75.##.71.148':34354
- '18#.#3.12.153':34354
- '70.#60.92.7':34354
- '83.##.166.111':34354
- '17#.#9.206.69':34354
- '24.##1.24.121':34354
- '98.##5.234.198':34354
- '24.##8.82.162':34354
- '10#.#62.9.37':34354
- '10#.89.9.84':34354
- '98.##4.15.20':34354
- '68.##5.79.199':34354
- '68.##9.61.29':34354
- '10#.2.2.151':34354
- '68.##.109.187':34354
- '17#.#19.125.121':34354
- '24.##0.159.62':34354
- '24.##7.206.52':34354
- '76.##9.104.46':34354
- '99.##3.252.228':34354
- '91.##1.218.197':34354
- '67.##2.217.218':34354
- '75.#2.13.93':34354
- '18#.#89.64.226':34354
- '68.##5.66.176':34354
- '69.##8.226.61':34354
- '67.##.66.106':34354
- '93.#7.27.54':34354
- '68.##.219.22':34354
- '17#.3.66.17':34354
- '98.##0.52.224':34354
- '98.##1.45.60':34354
- '72.##1.217.47':34354
- '69.##4.102.162':34354
- '71.#.192.62':34354
- '24.##4.132.46':34354
- '76.##8.193.93':34354
- '18#.#59.138.109':34354
- '76.##1.70.107':34354
- '70.##0.157.238':34354
- '18#.111.0.4':34354
- '21#.#31.15.136':34354
- '69.##0.69.45':34354
- '68.##.151.37':34354
- '70.#25.4.53':34354
- '74.##.23.104':34354
- '69.##5.204.183':34354
- '76.##7.80.38':34354
- '12.#8.18.61':34354
- '96.##.219.150':34354
- '68.##.128.143':34354
- '10#.#94.249.47':34354
- 'pr####.fling.com':80
- '98.##0.169.47':34354
- '71.##.52.103':34354
- '24.#.195.14':34354
- '75.##.114.237':34354
- '99.##.109.64':34354
- '98.##5.86.132':34354
- '18#.#22.124.111':34354
- '46.##.232.95':34354
- '68.##7.96.66':34354
- '75.#0.38.92':34354
- '17#.#68.177.237':34354
- '75.##3.155.13':34354
- '17#.#58.113.84':34354
- '10#.#62.64.96':34354
- '98.##9.58.84':34354
- '20#.#65.121.253':34354
- '71.#2.41.36':34354
- '24.##.57.124':34354
- '19#.#3.170.218':34354
- '68.##1.210.43':34354
- '71.##.136.111':34354
- '98.##.50.142':34354
- '69.##6.56.28':34354
- '78.##.188.166':34354
- '98.##4.150.142':34354
- '66.##.209.251':34354
- '62.##0.220.142':34354
- '67.##.255.147':34354
- '66.##1.98.152':34354
- '75.##5.40.123':34354
- '85.##5.22.118':34354
- '72.##8.132.77':34354
- '18#.#6.136.241':34354
- '13#.#35.13.236':34354
- '67.##.253.141':34354
- '17#.#7.145.51':34354
- '71.##.49.233':34354
- '66.##2.96.177':34354
- '98.##.107.220':34354
- '24.##1.66.166':34354
- '67.##7.162.178':34354
- '76.##5.174.248':34354
- '70.##8.81.164':34354
- '68.##.220.42':34354
- '76.##9.170.192':34354
- '17#.#06.23.121':34354
- '18#.#53.200.97':34354
- '10#.#37.38.46':34354
- '18#.#31.155.230':34354
- '75.##8.165.165':34354
- '75.##2.77.10':34354
- '98.##8.225.184':34354
- '66.#6.138.2':34354
- '20#.#72.30.5':34354
- '89.##5.217.157':34354
- '24.##3.241.217':34354
- '71.##.204.229':34354
- '77.#2.4.201':34354
- '84.##7.227.88':34354
- '18#.#88.85.99':34354
- '76.##9.179.230':34354
- '76.#1.4.91':34354
- '17#.#17.226.82':34354
- '92.#0.81.78':34354
- '98.##0.201.51':34354
- '93.#5.33.70':34354
- '92.##.43.217':34354
- '66.##7.195.125':34354
- '71.##2.225.21':34354
- '17#.#0.46.149':34354
- '71.#5.47.83':34354
- '96.##.135.34':34354
- '75.##.224.252':34354
- '10#.#22.22.42':34354
- '69.##9.53.248':34354
- '24.##7.132.248':34354
- '17#.#52.206.42':34354
- '64.##6.206.50':34354
- '18#.#22.47.246':34354
- '92.##.186.224':34354
- '75.##1.1.237':34354
- '69.##3.98.160':34354
- '75.#5.3.126':34354
- '68.##.74.137':34354
- '76.#08.1.64':34354
TCP:
Запросы HTTP GET:
- pr####.fling.com/geo/txt/city.php
UDP:
- DNS ASK pr####.fling.com
- 'localhost':752
- '8.#.8.8':1035
