BackDoor.Maxplus.628

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.serial] 'ImagePath' = '\?'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Завершает или пытается завершить

следующие системные процессы:

<SYSTEM32>\drwtsn32.exe

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'24.##9.168.79':34354
'19#.#60.113.146':34354
'96.##.47.106':34354
'17#.#0.47.106':34354
'17#.#58.103.29':34354
'74.##.87.176':34354
'96.##.196.75':34354
'24.#3.0.28':34354
'76.##0.13.238':34354
'50.##5.34.158':34354
'76.##3.218.163':34354
'18#.#21.215.20':34354
'96.##.216.83':34354
'74.##.23.104':34354
'18#.#4.0.239':34354
'50.##.124.84':34354
'17#.#1.28.140':34354
'17#.#8.117.63':34354
'67.##.155.68':34354
'24.##3.8.177':34354
'98.##3.222.32':34354
'75.##7.255.241':34354
'84.##2.27.181':34354
'24.##8.253.30':34354
'66.#7.6.73':34354
'99.##2.251.176':34354
'68.##1.225.12':34354
'67.##2.188.109':34354
'67.##9.56.70':34354
'71.#6.98.69':34354
'17#.#16.120.71':34354
'75.##8.208.70':34354
'76.##2.111.194':34354
'71.##3.111.193':34354
'68.##0.131.195':34354
'24.##4.3.116':34354
'20#.#3.4.171':34354
'24.##8.192.12':34354
'17#.#42.196.66':34354
'98.##0.219.140':34354
'12.##.92.123':34354
'17#.#10.192.33':34354
'18#.#0.216.48':34354
'17#.#72.148.35':34354
'68.##.209.199':34354
'75.##4.188.199':34354
'74.##0.35.136':34354
'76.##6.132.10':34354
'71.##5.162.30':34354
'24.#.43.232':34354
'71.##2.187.166':34354
'99.#6.60.19':34354
'71.#4.43.93':34354
'96.#5.76.20':34354
'17#.#6.163.93':34354
'70.##5.239.4':34354
'79.##.250.231':34354
'68.##.175.211':34354
'18#.#55.26.170':34354
'18#.#64.152.231':34354
'68.##8.255.167':34354
'75.##6.41.17':34354
'68.##6.161.14':34354
'75.##.11.170':34354
'71.##.194.19':34354
'74.##.185.162':34354
'17#.#3.1.164':34354
'69.##6.90.92':34354
'98.##4.185.15':34354
'68.##7.223.154':34354
'69.##4.100.158':34354
'19#.#77.159.97':34354
'24.##.185.75':34354
'69.##6.180.27':34354
'17#.#0.171.205':34354
'68.##8.36.173':34354
'24.#.136.21':34354
'75.##2.68.88':34354
'69.##4.244.80':34354
'24.##8.194.82':34354
'17#.#09.156.121':34354
'21#.#0.96.122':34354
'98.##9.159.131':34354
'17#.99.58.9':34354
'99.##6.209.4':34354
'87.#.52.93':34354
'75.##.106.210':34354
'75.##1.226.120':34354
'71.##9.214.107':34354
'76.##6.244.115':34354
'10#.#8.61.103':34354
'98.##0.19.148':34354
'17#.#18.72.137':34354
'75.##6.72.136':34354
'67.##.240.116':34354
'98.##5.55.18':34354
'99.##.218.245':34354
'75.#25.90.4':34354
'17#.#0.194.139':34354
'17#.#17.228.135':34354
'76.##3.38.253':34354
'95.##.138.128':34354
'66.##3.237.7':34354
'24.##7.30.36':34354
'68.##.129.58':34354
'75.##2.223.197':34354
'68.##3.142.138':34354
'68.##4.141.58':34354
'65.##.246.243':34354
'67.##.22.215':34354
'76.##4.111.54':34354
'70.##2.217.10':34354
'71.##.246.125':34354
'66.##.181.217':34354
'72.##6.74.204':34354
'71.##6.206.52':34354
'70.##8.212.182':34354
'18#.#2.252.73':34354
'20#.#02.109.218':34354
'76.##0.155.220':34354
'68.#8.11.83':34354
'67.##6.210.5':34354
'24.#.203.209':34354
'71.##8.60.36':34354
'24.##6.79.50':34354
'20#.#95.20.212':34354
'98.##8.205.38':34354
'67.#.69.210':34354
'68.#.11.129':34354
'71.##9.117.142':34354
'69.##9.214.151':34354
'17#.2.86.75':34354
'12#.#32.80.200':34354
'24.##.123.162':34354
'17#.#5.177.177':34354
'97.##.212.229':34354
'17#.#7.67.119':34354
'76.##2.114.160':34354
'76.##4.140.100':34354
'76.##0.116.77':34354
'68.##0.1.149':34354
'68.##.65.188':34354
'68.##7.179.122':34354
'15#.#24.149.190':34354
'18#.#90.197.150':34354
'69.##6.8.133':34354
'74.##.161.59':34354
'68.##.223.188':34354
'74.##5.161.71':34354
'66.##.226.117':34354
'78.##.186.74':34354
'24.##2.140.238':34354
'75.#.146.122':34354
'68.##1.55.41':34354
'68.##9.54.35':34354
'24.##.250.172':34354
'68.##2.167.175':34354
'24.##6.142.189':34354
'68.#6.62.91':34354
'50.##.45.225':34354
'68.##6.112.68':34354
'72.##2.223.58':34354
'24.##0.42.130':34354
'68.#.77.101':34354
'71.##.52.110':34354
'89.##4.67.211':34354
'96.#2.77.54':34354
'13#.#4.105.18':34354
'17#.#9.132.253':34354
'24.##3.220.120':34354
'75.##7.23.149':34354
'pr####.fling.com':80
'24.##0.159.62':34354
'24.#.133.252':34354
'15#.#81.147.150':34354
'75.##8.251.172':34354
'24.##.139.206':34354
'68.##.151.37':34354
'96.##.35.219':34354
'67.#2.0.171':34354
'24.##7.131.133':34354
'21#.#18.4.131':34354
'50.##.27.218':34354
'76.##9.48.111':34354
'66.##6.195.151':34354
'68.##.156.11':34354
'46.#5.9.230':34354
'68.##4.10.31':34354
'76.##7.210.229':34354
'70.#4.90.7':34354
'24.##.176.117':34354
'75.##.65.125':34354
'70.##8.58.219':34354
'74.##0.19.139':34354
'72.##3.31.220':34354
'24.##.19.181':34354
'50.##2.73.63':34354
'65.##.210.238':34354
'75.##0.159.46':34354
'68.##6.96.185':34354
'50.##9.58.52':34354
'10#.#91.216.246':34354
'17#.#17.191.103':34354
'76.##3.146.32':34354
'24.##2.87.10':34354
'68.##.110.187':34354
'68.##2.176.231':34354
'17#.#7.129.109':34354
'50.#1.96.53':34354
'72.##7.61.226':34354
'65.#85.4.43':34354
'70.#8.50.88':34354
'67.##9.19.126':34354
'89.##4.70.44':34354
'98.##0.169.47':34354
'72.##9.74.61':34354
'69.##1.199.207':34354
'68.##.82.206':34354
'98.##6.175.120':34354
'72.##.118.134':34354
'67.##0.31.27':34354
'98.##1.48.253':34354
'75.##6.113.2':34354
'66.##0.147.20':34354
'70.##4.150.225':34354
'24.##.89.247':34354
'20#.#.200.117':34354
'74.##.209.14':34354
'17#.#2.187.31':34354
'71.##9.180.84':34354
'27.#1.21.85':34354
'98.##2.161.38':34354
'76.#1.7.80':34354
'69.##3.164.39':34354
'66.##0.17.22':34354
'99.##0.241.202':34354
'50.##.72.152':34354
'71.##.24.116':34354
'17#.#03.22.210':34354
'17#.#0.166.10':34354
'18#.#08.152.113':34354
'71.##.15.158':34354
'98.##5.118.240':34354
'99.##2.72.96':34354
'97.##0.237.212':34354
'68.##2.174.232':34354
'24.#7.13.33':34354
'24.##.248.153':34354
'98.##.60.190':34354
'67.#1.60.94':34354
'68.##.209.94':34354
'72.##0.101.192':34354
'17#.#03.5.60':34354
'71.##7.65.162':34354
'76.##9.219.191':34354
'12.##1.185.57':34354
'17#.#9.232.197':34354

TCP:

Запросы HTTP GET:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней