Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
- [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,...
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\.redbook] 'ImagePath' = '\?'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Security Center
Executes the following:
- '<SYSTEM32>\cmd.exe'
Injects code into
the following system processes:
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\winlogon.exe
- %WINDIR%\Explorer.EXE
Modifies file system:
Creates the following files:
- %WINDIR%\$NtUninstallKB27979$\4121336045\@
- %WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
- %WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
- %WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo
Deletes itself.
Network activity:
Connects to:
- '76.#5.51.39':34354
- '68.#5.45.61':34354
- '75.##8.171.212':34354
- '24.##.193.215':34354
- '68.##1.85.138':34354
- '24.##.122.77':34354
- '82.##.46.161':34354
- '75.##.228.107':34354
- '17#.#9.169.211':34354
- '24.##.193.80':34354
- '99.##7.22.140':34354
- '70.##5.88.169':34354
- '71.##.76.103':34354
- '24.##8.169.60':34354
- '67.#.69.210':34354
- '70.##4.88.60':34354
- '75.##.229.190':34354
- '20#.#21.119.226':34354
- '72.##7.17.132':34354
- '24.##.163.194':34354
- '68.##3.164.183':34354
- '96.##.101.183':34354
- '17#.#1.240.66':34354
- '41.##1.28.65':34354
- '72.##6.33.158':34354
- '17#.#99.100.31':34354
- '75.##.110.249':34354
- '98.#8.9.232':34354
- '65.##8.231.231':34354
- '66.##9.201.71':34354
- '13#.#91.99.133':34354
- '17#.#5.105.146':34354
- '72.##.62.188':34354
- '18#.#40.44.80':34354
- '69.##0.58.194':34354
- '96.##.206.110':34354
- '65.##.234.45':34354
- '67.##0.46.47':34354
- '17#.#3.241.178':34354
- '76.##4.17.47':34354
- '72.##0.107.71':34354
- '97.##.184.232':34354
- '71.#0.5.146':34354
- '98.##3.189.136':34354
- '21#.#68.60.27':34354
- '67.#43.40.3':34354
- '88.##1.60.33':34354
- '70.##.218.103':34354
- '72.##4.112.86':34354
- '78.#1.13.47':34354
- '20#.#37.74.223':34354
- '88.##0.251.177':34354
- '68.##.129.58':34354
- '68.##.251.21':34354
- '72.##1.255.62':34354
- '75.##.198.86':34354
- '17#.#01.63.81':34354
- '98.##7.185.168':34354
- '71.##.249.247':34354
- '67.##4.111.170':34354
- '99.##.142.127':34354
- '19#.#8.156.123':34354
- '76.#8.13.10':34354
- '98.##.84.141':34354
- '68.##6.119.172':34354
- '68.##2.174.232':34354
- '84.##2.27.181':34354
- '69.#40.9.79':34354
- '76.##2.117.185':34354
- '98.##1.67.165':34354
- '76.##6.6.125':34354
- '72.##5.72.170':34354
- '76.##7.80.127':34354
- '98.##.132.36':34354
- '68.#.64.49':34354
- '98.##4.82.49':34354
- '78.#7.123.3':34354
- '98.#46.9.31':34354
- '70.##0.223.196':34354
- '71.#30.4.58':34354
- '75.##0.91.88':34354
- '75.##7.84.86':34354
- '68.##7.179.122':34354
- '98.##9.161.151':34354
- '17#.#9.100.40':34354
- '72.##4.122.92':34354
- '65.##8.58.74':34354
- '70.##1.202.213':34354
- '64.##.122.159':34354
- '98.##3.224.6':34354
- '24.#5.60.17':34354
- '67.##4.75.105':34354
- '50.##.252.115':34354
- '74.##3.167.120':34354
- '72.##2.199.151':34354
- '24.#9.16.10':34354
- '24.##9.21.165':34354
- '17#.#.38.104':34354
- '74.##.58.103':34354
- '24.#.190.203':34354
- '69.##3.146.18':34354
- '72.##8.26.47':34354
- '17#.#1.89.212':34354
- '24.##.247.48':34354
- '91.##.148.78':34354
- '94.##2.66.83':34354
- '72.##0.132.79':34354
- '18#.#7.177.79':34354
- '70.##1.76.19':34354
- '67.##9.91.166':34354
- '17#.#2.91.84':34354
- '68.#4.14.24':34354
- '69.##1.157.137':34354
- '72.##5.176.82':34354
- '18#.#0.137.210':34354
- '24.##.76.143':34354
- '50.##.124.46':34354
- '75.##6.31.49':34354
- '64.##1.20.44':34354
- '66.##.16.133':34354
- '74.#11.1.40':34354
- '24.##1.170.6':34354
- '19#.#1.21.218':34354
- '18#.#1.71.113':34354
- '24.##6.87.41':34354
- '98.##.243.145':34354
- '76.##8.223.131':34354
- '69.##2.36.44':34354
- '75.##.165.170':34354
- '24.##3.72.226':34354
- '31.##5.138.152':34354
- '97.##.55.185':34354
- '67.##.217.231':34354
- '17#.#17.243.85':34354
- '18#.#8.224.77':34354
- '93.##8.34.73':34354
- '75.##3.236.133':34354
- '72.##7.61.134':34354
- '76.##.112.245':34354
- '75.##.11.170':34354
- '74.##.160.43':34354
- '65.#0.7.79':34354
- '80.##.32.189':34354
- '17#.#3.166.169':34354
- '96.##6.4.245':34354
- '68.##.112.38':34354
- '81.#1.11.73':34354
- '98.##6.77.176':34354
- '69.##3.71.242':34354
- '18#.#7.197.104':34354
- '98.##4.211.74':34354
- '96.#5.6.104':34354
- '70.##.213.11':34354
- '69.##2.99.98':34354
- '24.#.163.96':34354
- '93.##.213.54':34354
- '18#.#14.216.73':34354
- '88.##4.104.102':34354
- '72.##.208.222':34354
- '20#.#27.108.166':34354
- '74.##.49.217':34354
- '69.##5.193.109':34354
- '69.##7.86.240':34354
- '71.##3.50.108':34354
- '24.##3.113.86':34354
- '89.##.225.134':34354
- '99.##.248.70':34354
- '98.#0.84.63':34354
- '18#.#7.165.148':34354
- '74.#4.6.243':34354
- '98.##0.63.208':34354
- 'pr####.fling.com':80
- '24.##.25.212':34354
- '20#.#20.11.131':34354
- '69.##0.71.159':34354
- '17#.#4.245.239':34354
- '24.#.133.252':34354
- '18#.#7.36.215':34354
- '98.##2.76.108':34354
- '67.##.137.150':34354
- '24.##.191.27':34354
- '24.##9.19.99':34354
- '20#.#1.38.141':34354
- '99.##3.116.42':34354
- '72.##8.76.108':34354
- '96.##.130.184':34354
- '15#.#5.173.2':34354
- '98.#65.65.8':34354
- '24.##1.25.239':34354
- '75.##8.73.205':34354
- '75.##.137.135':34354
- '74.##.248.193':34354
- '75.##.156.36':34354
- '17#.#34.209.2':34354
- '87.##.186.77':34354
- '67.##.109.102':34354
- '66.##6.96.35':34354
- '19#.#47.101.241':34354
- '74.##2.129.7':34354
- '68.##3.208.16':34354
- '17#.#74.172.229':34354
- '18#.#2.102.254':34354
- '76.##4.160.199':34354
- '93.#5.33.70':34354
- '71.##2.172.126':34354
- '98.##2.74.110':34354
- '65.##.180.154':34354
- '76.##.241.11':34354
- '71.##7.10.42':34354
- '67.##7.46.79':34354
- '18#.#14.4.24':34354
- '17#.#25.111.163':34354
- '72.##0.40.45':34354
- '75.##.56.135':34354
- '17#.#77.85.220':34354
- '68.##2.128.188':34354
- '98.#24.8.25':34354
- '21#.#49.152.220':34354
- '91.##.18.170':34354
- '24.##0.146.54':34354
- '75.##3.55.81':34354
- '71.#02.77.6':34354
- '69.##9.154.30':34354
- '72.##8.161.200':34354
- '70.##8.187.77':34354
- '76.##6.240.220':34354
- '71.##.252.56':34354
- '18#.#0.24.90':34354
- '17#.#4.211.89':34354
- '17#.#1.231.132':34354
- '24.##.213.54':34354
- '24.#26.8.96':34354
- '74.##3.59.209':34354
- '89.##.212.207':34354
- '76.##7.101.75':34354
- '71.##8.81.43':34354
- '12#.#39.37.123':34354
- '24.##.159.79':34354
- '17#.#9.218.52':34354
- '21#.37.11.7':34354
- '99.##.53.136':34354
- '76.#7.51.43':34354
- '17#.#56.51.83':34354
- '65.#.193.203':34354
- '31.##.126.39':34354
- '96.##.54.199':34354
- '12#.#00.67.168':34354
- '84.##5.49.77':34354
- '74.##4.96.163':34354
- '72.##3.31.220':34354
- '17#.#3.144.104':34354
- '77.##.55.164':34354
- '68.##.107.195':34354
- '98.##0.98.67':34354
- '20#.#31.106.105':34354
- '98.##2.210.170':34354
- '68.##.175.251':34354
TCP:
HTTP GET requests:
- http://pr####.fling.com/geo/txt/city.php
UDP:
- DNS ASK pr####.fling.com
- 'localhost':752
