Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'List IKE Tools ActiveX Disk' = '<SYSTEM32>\rqawsqps.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\Host Collector Port File Office Files] 'ImagePath' = '<SYSTEM32>\rqawsqps.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Host Collector Port File Office Files] 'Start' = '00000002'
Вредоносные функции:
Для затруднения выявления своего присутствия в системе
блокирует:
- Центр обеспечения безопасности (Security Center)
Запускает на исполнение:
- '<SYSTEM32>\idofqbhjfat.exe' "<SYSTEM32>\rqawsqps.exe"
- '%WINDIR%\Temp\fywfuo2zv8ru.exe' -r 42260 tcp
- '%TEMP%\fywfuo2p0mruzpbmj3zp.exe'
- '<SYSTEM32>\rqawsqps.exe'
Изменения в файловой системе:
Создает следующие файлы:
- <SYSTEM32>\cyxavba\run
- <SYSTEM32>\cyxavba\rng
- %WINDIR%\Temp\fywfuo2zv8ru.exe
- <SYSTEM32>\cyxavba\cfg
- <SYSTEM32>\idofqbhjfat.exe
- %TEMP%\fywfuo2p0mruzpbmj3zp.exe
- <SYSTEM32>\cyxavba\tst
- <SYSTEM32>\rqawsqps.exe
- <SYSTEM32>\cyxavba\etc
Присваивает атрибут 'скрытый' для следующих файлов:
- <SYSTEM32>\idofqbhjfat.exe
- <SYSTEM32>\rqawsqps.exe
Удаляет следующие файлы:
- %WINDIR%\Temp\fywfuo2zv8ru.exe
- <DRIVERS>\etc\hosts
- %TEMP%\fywfuo2p0mruzpbmj3zp.exe
Подменяет файл HOSTS.
Сетевая активность:
Подключается к:
- 'ta###sound.net':80
- 'gl###and.net':80
- 'ta###green.net':80
- 'gl###ound.net':80
- 'gr###lift.net':80
- 'eq###green.net':80
- 'ta###hand.net':80
- 'eq###lift.net':80
- 'sa###ound.net':80
- 'sp###and.net':80
- 'sa###reen.net':80
- 'sp###ound.net':80
- 'ta###lift.net':80
- 'gl###reen.net':80
- 'sa###and.net':80
- 'gl###ift.net':80
- 'vi###sound.net':80
- 'sp###hand.net':80
- 'vi###green.net':80
- 'sp###sound.net':80
- 'fa###ift.net':80
- 'wa###green.net':80
- 'vi###hand.net':80
- 'wa###lift.net':80
- 'gr###sound.net':80
- 'eq###hand.net':80
- 'gr###green.net':80
- 'eq###sound.net':80
- 'vi###lift.net':80
- 'sp###green.net':80
- 'gr###hand.net':80
- 'sp###lift.net':80
- 'th###ore.net':80
- 'dr###where.net':80
- 'th###ail.net':80
- 'dr###wore.net':80
- 'so###lift.net':80
- 'ar###green.net':80
- 'th###here.net':80
- 'ar###lift.net':80
- 'be##lxc.com':80
- 'de###lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'th###oad.net':80
- 'dr###mail.net':80
- 'fa###here.net':80
- 'dr###road.net':80
- 'wh###sound.net':80
- 'up###and.net':80
- 'wh###green.net':80
- 'up###ound.net':80
- 'sa###ift.net':80
- 'sp###reen.net':80
- 'wh###hand.net':80
- 'sp###ift.net':80
- 'so###sound.net':80
- 'ar###hand.net':80
- 'so###green.net':80
- 'ar###sound.net':80
- 'wh###lift.net':80
- 'up###reen.net':80
- 'so###hand.net':80
- 'up###ift.net':80
TCP:
Запросы HTTP GET:
- http://ta###sound.net/index.php
- http://gl###and.net/index.php
- http://ta###green.net/index.php
- http://gl###ound.net/index.php
- http://gr###lift.net/index.php
- http://eq###green.net/index.php
- http://ta###hand.net/index.php
- http://eq###lift.net/index.php
- http://sa###ound.net/index.php
- http://sp###and.net/index.php
- http://sa###reen.net/index.php
- http://sp###ound.net/index.php
- http://ta###lift.net/index.php
- http://gl###reen.net/index.php
- http://sa###and.net/index.php
- http://gl###ift.net/index.php
- http://vi###sound.net/index.php
- http://sp###hand.net/index.php
- http://vi###green.net/index.php
- http://sp###sound.net/index.php
- http://fa###ift.net/index.php
- http://wa###green.net/index.php
- http://vi###hand.net/index.php
- http://wa###lift.net/index.php
- http://gr###sound.net/index.php
- http://eq###hand.net/index.php
- http://gr###green.net/index.php
- http://eq###sound.net/index.php
- http://vi###lift.net/index.php
- http://sp###green.net/index.php
- http://gr###hand.net/index.php
- http://sp###lift.net/index.php
- http://th###ore.net/index.php
- http://dr###where.net/index.php
- http://th###ail.net/index.php
- http://dr###wore.net/index.php
- http://so###lift.net/index.php
- http://ar###green.net/index.php
- http://th###here.net/index.php
- http://ar###lift.net/index.php
- http://be##lxc.com/index.php
- http://de###lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://th###oad.net/index.php
- http://dr###mail.net/index.php
- http://fa###here.net/index.php
- http://dr###road.net/index.php
- http://wh###sound.net/index.php
- http://up###and.net/index.php
- http://wh###green.net/index.php
- http://up###ound.net/index.php
- http://sa###ift.net/index.php
- http://sp###reen.net/index.php
- http://wh###hand.net/index.php
- http://sp###ift.net/index.php
- http://so###sound.net/index.php
- http://ar###hand.net/index.php
- http://so###green.net/index.php
- http://ar###sound.net/index.php
- http://wh###lift.net/index.php
- http://up###reen.net/index.php
- http://so###hand.net/index.php
- http://up###ift.net/index.php
UDP:
- DNS ASK ta###sound.net
- DNS ASK gl###and.net
- DNS ASK ta###green.net
- DNS ASK gl###ound.net
- DNS ASK gr###lift.net
- DNS ASK eq###green.net
- DNS ASK ta###hand.net
- DNS ASK eq###lift.net
- DNS ASK sa###ound.net
- DNS ASK sp###and.net
- DNS ASK sa###reen.net
- DNS ASK sp###ound.net
- DNS ASK ta###lift.net
- DNS ASK gl###reen.net
- DNS ASK sa###and.net
- DNS ASK gl###ift.net
- DNS ASK gr###green.net
- DNS ASK sp###hand.net
- DNS ASK vi###hand.net
- DNS ASK sp###sound.net
- DNS ASK vi###sound.net
- DNS ASK wa###green.net
- DNS ASK fa###reen.net
- DNS ASK wa###lift.net
- DNS ASK fa###ift.net
- DNS ASK eq###hand.net
- DNS ASK gr###hand.net
- DNS ASK eq###sound.net
- DNS ASK gr###sound.net
- DNS ASK sp###green.net
- DNS ASK vi###green.net
- DNS ASK sp###lift.net
- DNS ASK vi###lift.net
- DNS ASK th###ore.net
- DNS ASK dr###where.net
- DNS ASK th###ail.net
- DNS ASK dr###wore.net
- DNS ASK so###lift.net
- DNS ASK ar###green.net
- DNS ASK th###here.net
- DNS ASK ar###lift.net
- DNS ASK be##lxc.com
- DNS ASK de###lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK th###oad.net
- DNS ASK dr###mail.net
- DNS ASK fa###here.net
- DNS ASK dr###road.net
- DNS ASK wh###sound.net
- DNS ASK up###and.net
- DNS ASK wh###green.net
- DNS ASK up###ound.net
- DNS ASK sa###ift.net
- DNS ASK sp###reen.net
- DNS ASK wh###hand.net
- DNS ASK sp###ift.net
- DNS ASK so###sound.net
- DNS ASK ar###hand.net
- DNS ASK so###green.net
- DNS ASK ar###sound.net
- DNS ASK wh###lift.net
- DNS ASK up###reen.net
- DNS ASK so###hand.net
- DNS ASK up###ift.net
- '23#.#55.255.250':1900
