Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Shell Transfer Microsoft Video Propagation' = 'C:\jtuyvzyvpwdtx\dasseyto.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\UserMode Session Machine Counter Now Human] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- 'C:\jtuyvzyvpwdtx\yjckuuyhcz.exe' "c:\jtuyvzyvpwdtx\dasseyto.exe"
- 'C:\jtuyvzyvpwdtx\dasseyto.exe'
- 'C:\jtuyvzyvpwdtx\ruwa2p0mrndxp9jp55.exe'
Изменения в файловой системе:
Создает следующие файлы:
- C:\jtuyvzyvpwdtx\dasseyto.exe
- C:\jtuyvzyvpwdtx\yjckuuyhcz.exe
- C:\jtuyvzyvpwdtx\af3ynmjnm
- %WINDIR%\jtuyvzyvpwdtx\tihkulfdnr
- C:\jtuyvzyvpwdtx\tihkulfdnr
- C:\jtuyvzyvpwdtx\ruwa2p0mrndxp9jp55.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- C:\jtuyvzyvpwdtx\yjckuuyhcz.exe
- C:\jtuyvzyvpwdtx\dasseyto.exe
Удаляет следующие файлы:
- C:\jtuyvzyvpwdtx\ruwa2p0mrndxp9jp55.exe
- %WINDIR%\jtuyvzyvpwdtx\tihkulfdnr
Сетевая активность:
Подключается к:
- 'wi####measure.net':80
- 'su####measure.net':80
- 'th###circle.net':80
- 'th###afraid.net':80
- 'ch###circle.net':80
- 'su####afraid.net':80
- 'wi####circle.net':80
- 'wi####afraid.net':80
- 'wi####dinner.net':80
- 'su####dinner.net':80
- 'ch###afraid.net':80
- 'be####afraid.net':80
- 'ri####circle.net':80
- 'ri####afraid.net':80
- 'ri####dinner.net':80
- 'be####dinner.net':80
- 'ch###dinner.net':80
- 'th###dinner.net':80
- 'th####easure.net':80
- 'be####circle.net':80
- 'ch####easure.net':80
- 'in####seafraid.net':80
- 'fo####circle.net':80
- 'fo####afraid.net':80
- 'fo####dinner.net':80
- 'in####sedinner.net':80
- 'wo###dinner.net':80
- 're####erdinner.net':80
- 're####ermeasure.net':80
- 'in####secircle.net':80
- 'wo####easure.net':80
- 'in####semeasure.net':80
- 'ef####dinner.net':80
- 'th####hdinner.net':80
- 'th####hmeasure.net':80
- 'su####circle.net':80
- 'ef####measure.net':80
- 'th####hcircle.net':80
- 'fo####measure.net':80
- 'ef####circle.net':80
- 'ef####afraid.net':80
- 'th####hafraid.net':80
- 'be####measure.net':80
- 'in####sebuilt.net':80
- 'fo###tcarry.net':80
- 'fo###tbuilt.net':80
- 'fo###tapple.net':80
- 'in####seapple.net':80
- 'wo###apple.net':80
- 're####erapple.net':80
- 're####erfather.net':80
- 'in####secarry.net':80
- 'wo###father.net':80
- 'in####sefather.net':80
- 'ef###tapple.net':80
- 'th####happle.net':80
- 'th####hfather.net':80
- 'su###rcarry.net':80
- 'ef####father.net':80
- 'th####hcarry.net':80
- 'fo####father.net':80
- 'ef###tcarry.net':80
- 'ef###tbuilt.net':80
- 'th####hbuilt.net':80
- 'de####ydinner.net':80
- 'li####dinner.net':80
- 'li####measure.net':80
- 'hu####dcircle.net':80
- 'de####ymeasure.net':80
- 'li####circle.net':80
- 'ri####measure.net':80
- 'de####ycircle.net':80
- 'de####yafraid.net':80
- 'li####afraid.net':80
- 'jo####ycircle.net':80
- 're####ercarry.net':80
- 'jo####ymeasure.net':80
- 'wo###carry.net':80
- 'wo###built.net':80
- 're####erbuilt.net':80
- 'jo####yafraid.net':80
- 'hu####dafraid.net':80
- 'hu####ddinner.net':80
- 'hu####dmeasure.net':80
- 'jo####ydinner.net':80
TCP:
Запросы HTTP GET:
- http://wi####measure.net/index.php?me########
- http://su####measure.net/index.php?me########
- http://th###circle.net/index.php?me########
- http://th###afraid.net/index.php?me########
- http://ch###circle.net/index.php?me########
- http://su####afraid.net/index.php?me########
- http://wi####circle.net/index.php?me########
- http://wi####afraid.net/index.php?me########
- http://wi####dinner.net/index.php?me########
- http://su####dinner.net/index.php?me########
- http://ch###afraid.net/index.php?me########
- http://be####afraid.net/index.php?me########
- http://ri####circle.net/index.php?me########
- http://ri####afraid.net/index.php?me########
- http://ri####dinner.net/index.php?me########
- http://be####dinner.net/index.php?me########
- http://ch###dinner.net/index.php?me########
- http://th###dinner.net/index.php?me########
- http://th####easure.net/index.php?me########
- http://be####circle.net/index.php?me########
- http://ch####easure.net/index.php?me########
- http://in####seafraid.net/index.php?me########
- http://fo####circle.net/index.php?me########
- http://fo####afraid.net/index.php?me########
- http://fo####dinner.net/index.php?me########
- http://in####sedinner.net/index.php?me########
- http://wo###dinner.net/index.php?me########
- http://re####erdinner.net/index.php?me########
- http://re####ermeasure.net/index.php?me########
- http://in####secircle.net/index.php?me########
- http://wo####easure.net/index.php?me########
- http://in####semeasure.net/index.php?me########
- http://ef####dinner.net/index.php?me########
- http://th####hdinner.net/index.php?me########
- http://th####hmeasure.net/index.php?me########
- http://su####circle.net/index.php?me########
- http://ef####measure.net/index.php?me########
- http://th####hcircle.net/index.php?me########
- http://fo####measure.net/index.php?me########
- http://ef####circle.net/index.php?me########
- http://ef####afraid.net/index.php?me########
- http://th####hafraid.net/index.php?me########
- http://be####measure.net/index.php?me########
- http://in####sebuilt.net/index.php?me########
- http://fo###tcarry.net/index.php?me########
- http://fo###tbuilt.net/index.php?me########
- http://fo###tapple.net/index.php?me########
- http://in####seapple.net/index.php?me########
- http://wo###apple.net/index.php?me########
- http://re####erapple.net/index.php?me########
- http://re####erfather.net/index.php?me########
- http://in####secarry.net/index.php?me########
- http://wo###father.net/index.php?me########
- http://in####sefather.net/index.php?me########
- http://ef###tapple.net/index.php?me########
- http://th####happle.net/index.php?me########
- http://th####hfather.net/index.php?me########
- http://su###rcarry.net/index.php?me########
- http://ef####father.net/index.php?me########
- http://th####hcarry.net/index.php?me########
- http://fo####father.net/index.php?me########
- http://ef###tcarry.net/index.php?me########
- http://ef###tbuilt.net/index.php?me########
- http://th####hbuilt.net/index.php?me########
- http://de####ydinner.net/index.php?me########
- http://li####dinner.net/index.php?me########
- http://li####measure.net/index.php?me########
- http://hu####dcircle.net/index.php?me########
- http://de####ymeasure.net/index.php?me########
- http://li####circle.net/index.php?me########
- http://ri####measure.net/index.php?me########
- http://de####ycircle.net/index.php?me########
- http://de####yafraid.net/index.php?me########
- http://li####afraid.net/index.php?me########
- http://jo####ycircle.net/index.php?me########
- http://re####ercarry.net/index.php?me########
- http://jo####ymeasure.net/index.php?me########
- http://wo###carry.net/index.php?me########
- http://wo###built.net/index.php?me########
- http://re####erbuilt.net/index.php?me########
- http://jo####yafraid.net/index.php?me########
- http://hu####dafraid.net/index.php?me########
- http://hu####ddinner.net/index.php?me########
- http://hu####dmeasure.net/index.php?me########
- http://jo####ydinner.net/index.php?me########
UDP:
- DNS ASK wi####measure.net
- DNS ASK su####measure.net
- DNS ASK th###circle.net
- DNS ASK th###afraid.net
- DNS ASK ch###circle.net
- DNS ASK su####afraid.net
- DNS ASK wi####circle.net
- DNS ASK wi####afraid.net
- DNS ASK wi####dinner.net
- DNS ASK su####dinner.net
- DNS ASK ch###afraid.net
- DNS ASK be####afraid.net
- DNS ASK ri####circle.net
- DNS ASK ri####afraid.net
- DNS ASK ri####dinner.net
- DNS ASK be####dinner.net
- DNS ASK ch###dinner.net
- DNS ASK th###dinner.net
- DNS ASK th####easure.net
- DNS ASK be####circle.net
- DNS ASK ch####easure.net
- DNS ASK in####seafraid.net
- DNS ASK fo####circle.net
- DNS ASK fo####afraid.net
- DNS ASK fo####dinner.net
- DNS ASK in####sedinner.net
- DNS ASK wo###dinner.net
- DNS ASK re####erdinner.net
- DNS ASK re####ermeasure.net
- DNS ASK in####secircle.net
- DNS ASK wo####easure.net
- DNS ASK in####semeasure.net
- DNS ASK ef####dinner.net
- DNS ASK th####hdinner.net
- DNS ASK th####hmeasure.net
- DNS ASK su####circle.net
- DNS ASK ef####measure.net
- DNS ASK th####hcircle.net
- DNS ASK fo####measure.net
- DNS ASK ef####circle.net
- DNS ASK ef####afraid.net
- DNS ASK th####hafraid.net
- DNS ASK be####measure.net
- DNS ASK in####sebuilt.net
- DNS ASK fo###tcarry.net
- DNS ASK fo###tbuilt.net
- DNS ASK fo###tapple.net
- DNS ASK in####seapple.net
- DNS ASK wo###apple.net
- DNS ASK re####erapple.net
- DNS ASK re####erfather.net
- DNS ASK in####secarry.net
- DNS ASK wo###father.net
- DNS ASK in####sefather.net
- DNS ASK ef###tapple.net
- DNS ASK th####happle.net
- DNS ASK th####hfather.net
- DNS ASK su###rcarry.net
- DNS ASK ef####father.net
- DNS ASK th####hcarry.net
- DNS ASK fo####father.net
- DNS ASK ef###tcarry.net
- DNS ASK ef###tbuilt.net
- DNS ASK th####hbuilt.net
- DNS ASK de####ydinner.net
- DNS ASK li####dinner.net
- DNS ASK li####measure.net
- DNS ASK hu####dcircle.net
- DNS ASK de####ymeasure.net
- DNS ASK li####circle.net
- DNS ASK ri####measure.net
- DNS ASK de####ycircle.net
- DNS ASK de####yafraid.net
- DNS ASK li####afraid.net
- DNS ASK jo####ycircle.net
- DNS ASK re####ercarry.net
- DNS ASK jo####ymeasure.net
- DNS ASK wo###carry.net
- DNS ASK wo###built.net
- DNS ASK re####erbuilt.net
- DNS ASK jo####yafraid.net
- DNS ASK hu####dafraid.net
- DNS ASK hu####ddinner.net
- DNS ASK hu####dmeasure.net
- DNS ASK jo####ydinner.net
Другое:
Ищет следующие окна:
- ClassName: 'Shell_TrayWnd' WindowName: ''
