BackDoor.Tdss.6985

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.<Служебное имя>] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'96.##.244.153':34354
'66.##0.203.128':34354
'24.#4.103.1':34354
'18#.#8.156.81':34354
'24.##4.143.117':34354
'98.##5.31.139':34354
'66.##1.177.52':34354
'65.#.133.44':34354
'98.##2.192.134':34354
'75.##2.214.85':34354
'17#.#9.163.118':34354
'99.##.137.86':34354
'98.##5.4.176':34354
'68.##.158.154':34354
'71.##.44.194':34354
'74.##.224.48':34354
'74.##1.94.179':34354
'68.##.117.235':34354
'99.##.235.244':34354
'17#.#9.191.15':34354
'68.##.93.140':34354
'13#.#93.58.117':34354
'68.##7.229.104':34354
'68.##3.4.105':34354
'68.##4.58.86':34354
'98.##4.211.74':34354
'70.##.116.59':34354
'66.##1.104.12':34354
'18#.34.7.94':34354
'24.##.186.241':34354
'97.##1.123.95':34354
'19#.#8.85.200':34354
'71.##9.243.169':34354
'13#.#4.43.68':34354
'18#.#26.201.106':34354
'24.##5.86.16':34354
'24.##.99.150':34354
'75.##6.225.134':34354
'75.#4.5.198':34354
'70.##6.181.222':34354
'69.##7.85.24':34354
'68.##.235.166':34354
'24.#9.67.5':34354
'68.##9.187.41':34354
'95.##.122.172':34354
'98.##4.12.76':34354
'19#.#2.158.15':34354
'24.#3.57.33':34354
'98.##4.23.181':34354
'24.##.178.44':34354
'67.##2.113.18':34354
'75.##9.105.180':34354
'97.##.182.224':34354
'96.##.187.47':34354
'65.#.111.27':34354
'74.##0.114.150':34354
'24.##8.87.216':34354
'75.##0.137.68':34354
'98.##6.228.2':34354
'69.##6.94.32':34354
'18.##1.5.107':34354
'24.##8.22.85':34354
'17#.#14.210.154':34354
'79.##8.222.144':34354
'19#.#42.135.99':34354
'24.##.164.186':34354
'11#.#0.205.142':34354
'68.##.46.189':34354
'98.##.83.180':34354
'99.##6.42.180':34354
'18#.#.62.232':34354
'74.##.149.233':34354
'24.##.125.215':34354
'13#.#41.73.26':34354
'20#.#74.193.27':34354
'65.#5.98.37':34354
'72.##7.65.141':34354
'71.##4.181.203':34354
'10#.#5.200.25':34354
'96.##.179.37':34354
'17#.#4.180.186':34354
'21#.#31.18.100':34354
'18#.#.206.70':34354
'76.##.118.99':34354
'72.##8.122.113':34354
'24.##.147.214':34354
'76.##.141.202':34354
'24.#2.1.24':34354
'98.##6.189.98':34354
'10#.#16.20.159':34354
'19#.#73.205.98':34354
'20#.#08.100.75':34354
'67.##9.19.126':34354
'2.##0.55.56':34354
'15#.#5.172.85':34354
'71.##.133.88':34354
'68.##4.243.239':34354
'99.##7.155.245':34354
'64.##.218.191':34354
'18#.#76.98.182':34354
'17#.#2.68.60':34354
'24.##.14.198':34354
'18#.#76.22.196':34354
'50.##3.130.190':34354
'72.##.215.153':34354
'98.#85.50.9':34354
'69.##4.217.75':34354
'14#.#69.220.226':34354
'12#.#.194.136':34354
'75.##.164.140':34354
'98.##5.109.220':34354
'20#.#0.107.199':34354
'69.##3.206.32':34354
'68.##4.17.213':34354
'20#.#60.156.117':34354
'24.##4.222.80':34354
'89.##.166.78':34354
'89.##2.69.28':34354
'19#.#3.102.212':34354
'76.##.190.122':34354
'67.##0.165.94':34354
'18#.#3.56.22':34354
'19#.#77.176.254':34354
'62.##1.252.166':34354
'17#.#17.149.37':34354
'19#.#2.231.1':34354
'98.##8.180.251':34354
'67.##.68.254':34354
'75.##3.6.193':34354
'98.##9.70.184':34354
'99.##0.165.45':34354
'21#.10.42.6':34354
'71.##9.217.176':34354
'24.#.138.50':34354
'68.#2.35.87':34354
'76.##0.21.22':34354
'24.##1.66.166':34354
'17#.#1.101.146':34354
'76.##3.217.137':34354
'24.##2.199.47':34354
'18#.#.142.133':34354
'74.##.183.60':34354
'76.#6.52.27':34354
'72.##3.47.127':34354
'21#.#7.235.170':34354
'99.##7.26.121':34354
'98.##.109.179':34354
'79.#.250.240':34354
'74.##2.168.22':34354
'24.#3.45.21':34354
'68.##.243.243':34354
'75.#3.226.5':34354
'18#.#27.61.158':34354
'93.##2.42.17':34354
'64.##9.15.143':34354
'67.##4.44.43':34354
'76.#1.28.70':34354
'17#.#9.16.62':34354
'71.##.44.178':34354
'70.##.252.199':34354
'98.##9.228.190':34354
'71.##.101.168':34354
'14#.#33.211.163':34354
'98.##6.189.123':34354
'74.##8.59.117':34354
'18#.#96.160.78':34354
'19#.#63.213.181':34354
'98.##8.135.195':34354
'71.##9.24.124':34354
'70.##0.235.175':34354
'98.##1.150.201':34354
'localhost':80
'76.##7.133.118':34354
'24.##3.2.208':34354
'19#.#9.143.206':34354
'70.#90.82.2':34354
'2.##.89.32':34354
'71.##.198.204':34354
'68.##8.228.118':34354
'11#.#7.160.82':34354
'97.#9.2.215':34354
'76.##7.223.103':34354
'69.##4.186.210':34354
'96.##.180.173':34354
'11#.#35.194.224':34354
'75.##3.16.174':34354
'88.##5.168.19':34354
'10#.#8.28.150':34354
'68.##1.150.88':34354
'20#.#4.212.38':34354
'72.##8.110.104':34354
'74.##3.72.221':34354
'12.##.230.69':34354
'46.##.26.189':34354
'67.##7.210.156':34354
'98.##1.166.3':34354
'67.##2.126.50':34354
'98.##3.254.96':34354
'24.#7.95.63':34354
'17#.#6.94.58':34354
'66.##5.164.62':34354
'76.##8.176.137':34354
'17#.#8.35.67':34354
'75.##8.22.19':34354
'24.##8.9.124':34354
'68.#.81.102':34354
'74.##4.232.98':34354
'92.##.144.177':34354
'97.##.49.139':34354
'68.##0.106.21':34354
'87.##.91.102':34354
'41.#82.65.1':34354
'71.##2.204.127':34354
'98.##8.111.144':34354
'69.##2.213.84':34354
'67.##.139.247':34354
'18#.#.212.61':34354
'72.##0.96.148':34354
'99.##.206.81':34354
'76.##.113.81':34354
'17#.#16.178.139':34354
'19#.#7.72.162':34354
'12#.#35.242.193':34354
'19#.#61.98.92':34354
'24.##7.91.160':34354
'92.##.91.140':34354
'19#.#2.248.185':34354
'76.#7.72.61':34354
'98.##2.25.50':34354
'66.##0.234.32':34354
'20#.#42.12.226':34354
'24.#.80.41':34354
'98.##.111.235':34354
'19#.#13.94.208':34354
'67.##6.114.173':34354
'17#.#9.3.137':34354
'72.##6.7.119':34354
'98.##9.183.85':34354
'74.##.32.135':34354
'14#.#07.226.54':34354
'76.##4.76.51':34354
'19#.#2.134.29':34354
'74.##.36.145':34354
'70.##8.40.171':34354
'64.##.221.106':34354
'79.##5.136.206':34354
'68.##.195.188':34354
'68.#5.157.3':34354
'74.##3.218.21':34354
'14.##6.177.183':34354
'76.##7.77.218':34354
'17#.#22.22.237':34354
'68.##5.150.56':34354
'67.##3.183.46':34354
'17#.#1.118.218':34354
'76.#.123.12':34354
'98.##.129.176':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней