BackDoor.Maxplus.988

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.i8042prt] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'75.##.137.94':34354
'76.##6.30.22':34354
'98.##1.41.105':34354
'83.##8.60.155':34354
'74.#4.6.243':34354
'79.##4.25.236':34354
'61.##.218.136':34354
'68.##6.204.88':34354
'72.##1.107.242':34354
'50.##.35.205':34354
'68.##.80.247':34354
'72.##9.251.118':34354
'69.##2.99.98':34354
'24.##2.141.139':34354
'76.##4.30.159':34354
'50.##.254.18':34354
'76.##.239.73':34354
'70.##4.78.252':34354
'99.##6.209.4':34354
'76.##3.70.151':34354
'75.##.190.69':34354
'98.##1.59.68':34354
'67.##6.218.70':34354
'98.##8.240.175':34354
'75.##8.13.83':34354
'74.##7.217.232':34354
'24.#8.31.96':34354
'75.##7.147.27':34354
'69.##1.20.112':34354
'68.#0.172.6':34354
'97.#4.11.30':34354
'18#.#6.126.151':34354
'64.##.236.123':34354
'99.##1.171.113':34354
'76.##7.163.177':34354
'75.##1.56.137':34354
'71.##2.245.244':34354
'76.##2.65.205':34354
'68.#0.54.53':34354
'50.##1.60.169':34354
'66.##.93.239':34354
'68.##.76.228':34354
'98.##4.172.168':34354
'24.##.237.191':34354
'17#.#16.88.122':34354
'18#.#9.51.30':34354
'69.##1.157.62':34354
'75.##5.38.132':34354
'69.##3.14.111':34354
'24.##0.217.95':34354
'71.##.112.201':34354
'17#.#9.200.238':34354
'79.#18.77.4':34354
'12#.#16.243.144':34354
'69.##.128.174':34354
'76.##5.103.95':34354
'10#.#.49.168':34354
'66.##.212.126':34354
'94.##9.213.121':34354
'97.##4.169.161':34354
'17#.#20.85.74':34354
'98.##2.113.98':34354
'70.##0.107.64':34354
'65.##9.31.191':34354
'74.##.17.159':34354
'89.##5.249.104':34354
'17#.#9.123.93':34354
'94.##9.238.21':34354
'17#.#17.99.146':34354
'68.##.240.143':34354
'65.##1.252.105':34354
'10#.#.122.15':34354
'67.##9.119.83':34354
'79.##.101.234':34354
'24.##.144.80':34354
'97.##1.178.27':34354
'20#.#2.34.239':34354
'91.##7.60.22':34354
'24.##3.175.166':34354
'68.##.39.166':34354
'68.##.59.116':34354
'67.##.67.132':34354
'76.#8.242.5':34354
'98.##7.152.113':34354
'68.#8.34.2':34354
'76.##.159.129':34354
'72.#30.99.2':34354
'84.##5.207.253':34354
'67.##4.6.246':34354
'76.##9.60.163':34354
'71.##.224.143':34354
'18#.#11.6.12':34354
'76.##5.40.253':34354
'18#.#6.21.113':34354
'17#.#00.37.142':34354
'74.##.107.140':34354
'74.#8.107.1':34354
'68.##.175.104':34354
'67.##3.112.245':34354
'69.##2.1.229':34354
'68.##3.138.207':34354
'76.##5.82.126':34354
'75.##6.1.129':34354
'65.#3.71.50':34354
'17#.#50.131.33':34354
'67.##0.133.35':34354
'17#.#6.71.116':34354
'65.#.149.2':34354
'19#.#31.196.70':34354
'68.#.176.195':34354
'71.##4.19.14':34354
'74.##3.168.119':34354
'70.##9.181.177':34354
'24.##.120.231':34354
'24.##2.19.229':34354
'90.##9.111.34':34354
'92.##.156.172':34354
'75.##9.33.80':34354
'75.##9.125.31':34354
'98.#50.24.0':34354
'18#.#52.255.225':34354
'70.##7.243.134':34354
'72.##5.234.45':34354
'98.##3.95.214':34354
'69.##5.4.205':34354
'24.##.155.181':34354
'17#.5.1.39':34354
'98.##.198.37':34354
'18#.#22.130.39':34354
'24.##.215.189':34354
'76.##2.162.231':34354
'75.##.91.244':34354
'76.##5.207.246':34354
'17#.#26.136.41':34354
'67.##1.231.54':34354
'72.##2.74.251':34354
'17#.#7.30.26':34354
'70.##9.187.149':34354
'18#.#77.178.202':34354
'71.##9.249.223':34354
'18#.#7.164.32':34354
'64.##6.61.163':34354
'85.##.25.101':34354
'12.#1.84.9':34354
'79.##3.147.72':34354
'71.#31.8.70':34354
'68.#.182.194':34354
'67.##0.67.22':34354
'71.#6.40.15':34354
'76.##1.122.106':34354
'95.##.146.109':34354
'80.#0.34.22':34354
'75.##.241.196':34354
'24.##4.226.239':34354
'65.##.75.108':34354
'18#.#1.245.92':34354
'72.##8.202.87':34354
'50.##.225.36':34354
'71.##.190.78':34354
'69.##6.179.46':34354
'96.#7.28.11':34354
'19#.#12.115.231':34354
'41.#7.88.59':34354
'68.##9.145.182':34354
'24.##9.88.118':34354
'18#.#55.26.170':34354
'46.##1.198.176':34354
'98.#8.77.60':34354
'19#.#02.242.183':34354
'75.##.139.165':34354
'70.##6.159.164':34354
'localhost':80
'17#.#29.29.189':34354
'74.##2.161.195':34354
'68.#9.84.86':34354
'24.##0.111.105':34354
'72.##8.143.34':34354
'98.##4.208.147':34354
'69.##7.119.118':34354
'67.##.95.226':34354
'96.##.180.78':34354
'66.##.15.191':34354
'13#.#04.112.127':34354
'24.#3.40.59':34354
'24.#.14.107':34354
'70.##8.67.25':34354
'18#.#24.84.42':34354
'67.##.166.182':34354
'50.##0.147.205':34354
'15#.#60.36.231':34354
'82.##.180.134':34354
'98.##9.0.218':34354
'17#.#09.153.60':34354
'98.##6.120.50':34354
'75.##5.179.194':34354
'17#.#01.174.200':34354
'17#.#8.137.239':34354
'24.##.115.13':34354
'19#.#8.85.200':34354
'17#.#01.83.249':34354
'24.##5.253.96':34354
'71.##.102.231':34354
'17#.#08.42.27':34354
'67.#0.1.124':34354
'24.##.82.236':34354
'74.##4.245.75':34354
'68.##.231.217':34354
'72.##7.112.9':34354
'24.##1.209.131':34354
'17#.#1.98.143':34354
'98.##9.101.210':34354
'71.#.200.169':34354
'99.##5.81.49':34354
'24.##.234.74':34354
'18#.#92.88.126':34354
'98.##3.17.251':34354
'68.#7.22.63':34354
'18#.#49.133.107':34354
'46.##1.210.16':34354
'89.##5.187.184':34354
'93.##.213.54':34354
'67.##3.5.247':34354
'75.##9.25.246':34354
'68.##1.99.172':34354
'72.##4.139.52':34354
'76.##3.235.138':34354
'98.##8.106.201':34354
'75.##0.7.227':34354
'67.##6.55.108':34354
'69.#33.78.2':34354
'17#.#2.179.109':34354
'17#.#8.107.108':34354
'69.##2.217.255':34354
'76.##.87.107':34354
'99.##.122.111':34354
'17#.#9.217.145':34354
'65.##2.142.226':34354
'71.##.83.111':34354
'24.##.233.190':34354
'18#.#27.119.142':34354
'71.#9.10.39':34354
'18#.#06.152.29':34354
'76.##3.214.16':34354
'69.##3.240.198':34354
'76.##.232.199':34354
'24.#81.27.9':34354
'98.##6.20.100':34354
'67.##.183.183':34354
'17#.#23.29.251':34354
'69.##0.187.183':34354
'74.##8.198.239':34354
'68.##6.97.109':34354
'24.##.229.190':34354
'98.##2.196.229':34354
'95.##.77.122':34354
'24.##6.171.200':34354
'68.##7.247.132':34354

TCP:

Запросы HTTP GET:

nw##bpes.cn/stat2.php?&a#################
nw##bpes.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней