BackDoor.Maxplus.991

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.afd] 'ImagePath' = '\?'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'24.##7.107.108':34354
'69.##1.68.214':34354
'24.##5.225.100':34354
'71.##8.160.3':34354
'72.##5.72.170':34354
'69.##1.161.85':34354
'87.##.196.179':34354
'86.##7.164.50':34354
'78.##1.126.76':34354
'17#.#5.184.178':34354
'71.#1.65.13':34354
'68.##1.20.152':34354
'98.##9.29.100':34354
'24.#06.9.66':34354
'17#.#9.158.8':34354
'69.##4.18.97':34354
'68.##3.38.185':34354
'66.##7.246.212':34354
'71.##3.107.231':34354
'67.##2.75.70':34354
'24.##2.205.137':34354
'95.##2.200.43':34354
'98.##5.176.83':34354
'74.##.141.188':34354
'66.##.176.141':34354
'67.##1.248.22':34354
'14#.#72.115.40':34354
'96.##.25.155':34354
'71.##.218.69':34354
'65.##.32.107':34354
'17#.#0.91.131':34354
'2.##.187.121':34354
'76.##1.178.151':34354
'99.##3.116.42':34354
'24.##0.160.58':34354
'66.##6.171.123':34354
'24.##6.128.232':34354
'17#.#25.11.197':34354
'77.##9.168.190':34354
'76.##.69.168':34354
'71.##6.241.192':34354
'24.#27.2.31':34354
'85.##7.9.252':34354
'97.#04.7.14':34354
'98.##4.253.3':34354
'67.##.95.226':34354
'70.#1.48.34':34354
'18#.#7.181.176':34354
'74.##8.83.54':34354
'46.##.196.49':34354
'99.##7.246.109':34354
'98.##8.96.229':34354
'24.##5.132.143':34354
'18#.#4.178.100':34354
'24.##3.117.61':34354
'99.##7.155.245':34354
'69.##.167.96':34354
'95.##.106.241':34354
'67.##.20.198':34354
'88.##8.34.148':34354
'69.##6.88.89':34354
'98.##3.161.143':34354
'68.#9.27.81':34354
'50.##7.148.161':34354
'68.##.136.177':34354
'72.##4.78.16':34354
'68.##1.60.245':34354
'71.##.173.176':34354
'24.##9.57.67':34354
'70.##2.216.231':34354
'99.##5.111.210':34354
'74.#8.44.29':34354
'71.##.243.139':34354
'18#.#58.119.200':34354
'96.#1.165.2':34354
'18#.#0.24.90':34354
'91.##7.60.22':34354
'19#.#1.31.175':34354
'76.##5.40.253':34354
'98.##3.10.244':34354
'95.##.234.118':34354
'18#.#99.114.70':34354
'17#.#8.55.143':34354
'68.##.129.58':34354
'68.##1.189.214':34354
'50.#3.38.58':34354
'18#.#0.137.210':34354
'24.##7.131.191':34354
'98.##6.167.171':34354
'69.##3.9.171':34354
'10#.#07.195.88':34354
'67.##3.220.250':34354
'67.##1.159.42':34354
'98.##.154.154':34354
'18#.#55.26.170':34354
'17#.#8.0.169':34354
'24.##3.176.129':34354
'70.##3.202.58':34354
'75.#55.8.22':34354
'24.##4.52.14':34354
'18#.#78.34.180':34354
'98.##2.219.97':34354
'17#.#43.203.74':34354
'50.##.236.51':34354
'93.#5.33.70':34354
'69.##2.203.77':34354
'69.##4.121.29':34354
'74.##.101.179':34354
'98.##7.159.28':34354
'74.##9.31.111':34354
'15#.#0.60.46':34354
'17#.#7.67.119':34354
'50.##.83.155':34354
'68.##2.223.184':34354
'98.##6.170.225':34354
'98.##.186.128':34354
'98.##4.56.181':34354
'67.##3.181.157':34354
'98.##5.66.141':34354
'74.##.24.182':34354
'72.##0.108.66':34354
'50.##.114.98':34354
'46.##.230.181':34354
'71.##3.110.195':34354
'94.##2.152.182':34354
'68.##0.106.151':34354
'71.##4.161.161':34354
'17#.#3.137.72':34354
'84.##7.133.51':34354
'10#.#67.79.6':34354
'70.##9.99.85':34354
'76.##.82.179':34354
'19#.#7.117.31':34354
'71.##.56.173':34354
'68.##.22.196':34354
'14#.#69.138.247':34354
'17#.#8.26.129':34354
'76.##7.80.38':34354
'74.##.49.101':34354
'69.##4.244.2':34354
'97.##.85.248':34354
'17#.#6.255.69':34354
'69.##6.180.121':34354
'17#.#8.204.116':34354
'17#.#7.249.95':34354
'65.##.41.255':34354
'24.#6.0.234':34354
'71.##5.31.133':34354
'75.##.144.162':34354
'72.##4.188.188':34354
'24.##9.59.33':34354
'79.##8.186.215':34354
'76.##5.60.137':34354
'12.##9.239.252':34354
'69.##3.231.229':34354
'24.##7.188.33':34354
'75.##9.137.67':34354
'24.#9.64.31':34354
'68.#.151.236':34354
'68.##.105.119':34354
'98.##9.55.166':34354
'17#.#58.101.131':34354
'13#.#04.132.222':34354
'71.##.164.199':34354
'19#.#01.99.157':34354
'18#.#23.227.84':34354
'99.##3.176.111':34354
'10#.#7.236.19':34354
'24.##0.159.62':34354
'80.##5.124.99':34354
'17#.#3.190.153':34354
'pr####.fling.com':80
'18#.#2.85.24':34354
'68.#95.70.8':34354
'71.##3.186.159':34354
'72.##4.60.76':34354
'10#.#9.4.233':34354
'95.##.192.123':34354
'50.##.43.157':34354
'15#.#24.149.190':34354
'75.#2.94.43':34354
'19#.#5.90.55':34354
'68.##.206.229':34354
'17#.#25.209.101':34354
'68.#8.9.200':34354
'24.##6.228.115':34354
'69.##4.237.77':34354
'76.##7.56.79':34354
'46.#85.3.97':34354
'18#.#3.101.96':34354
'18#.#2.62.51':34354
'98.##4.251.216':34354
'71.##.209.68':34354
'76.##6.209.138':34354
'11#.#8.20.136':34354
'17#.#37.210.191':34354
'68.##.225.72':34354
'68.##.82.197':34354
'71.##.127.209':34354
'75.##.197.202':34354
'71.##7.172.121':34354
'70.##2.255.206':34354
'68.##5.126.210':34354
'68.##.251.188':34354
'17#.#7.29.252':34354
'79.##8.41.229':34354
'89.##.105.113':34354
'79.##2.23.94':34354
'17#.#4.242.101':34354
'70.##4.176.182':34354
'17#.#6.107.24':34354
'75.##.179.238':34354
'69.##2.225.238':34354
'76.##.80.194':34354
'19#.#01.98.215':34354
'75.##6.143.186':34354
'71.##.138.127':34354
'98.##.159.104':34354
'76.#3.98.75':34354
'18#.#0.236.34':34354
'70.##4.68.56':34354
'89.##9.87.58':34354
'98.##.207.202':34354
'68.##5.110.238':34354
'98.##6.170.196':34354
'20#.#99.194.186':34354
'12.##2.185.144':34354
'66.##7.8.218':34354
'75.##.232.34':34354
'16#.#37.101.110':34354
'62.##.107.141':34354
'71.##7.200.10':34354
'75.##.247.123':34354
'17#.#30.128.164':34354
'67.##6.138.149':34354
'18#.#76.98.182':34354
'75.##.11.170':34354
'76.##3.75.191':34354
'18#.#27.119.142':34354
'75.##7.146.74':34354
'19#.#3.170.218':34354
'71.##5.88.171':34354
'98.##3.222.32':34354
'75.##3.64.34':34354
'21#.#31.15.147':34354
'83.##.132.85':34354
'76.##.143.54':34354
'75.##3.86.113':34354
'70.##3.22.241':34354
'76.##3.114.56':34354
'68.##3.250.126':34354
'17#.#27.62.168':34354
'24.#.133.252':34354
'70.##9.14.136':34354
'78.##.53.130':34354
'70.##4.88.60':34354
'80.##.160.83':34354

TCP:

Запросы HTTP GET:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней