Trojan.Fakealert.47564

Added to the Dr.Web virus database: 2014-12-16

Virus description added: 2014-12-16

Technical Information

Malicious functions:

Creates and executes the following:

'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 587 -l psiphon_ssh_e2ad0b4035744893 -pw 721B1A06EC03A6422F075094DFA0E4466356781b5a32e239a99f525bf6561561d1aeafc06e26c031c12d52e0dad8c969 -D 1080 -v -z -Z 7221a6eca9731860cc14a55a900ede17f53f96f42c8121624071f83576fda194 109.228.19.161
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 610 -l psiphon_ssh_2be9112f4f98040a -pw 5AA96F6FBB1AA3DA8BAE4F67545D74FE022889b3350cb36873fc0732220fdf87b08355ee1eb65c46071f878e268e7bb7 -D 1080 -v -z -Z 854a4cb9aa0f36cbed754b8061b1c982c423d5003ceac3b8081780473c413b57 88.208.222.43
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 465 -l psiphon_ssh_884dc22a6a31b321 -pw 0DA568BF0A3BD60BFFB38066A2A61C33f4da88aa0bba321e4103a4ceede196bc23fcde5e33e3a65ba309642186e3e3fe -D 1080 -v -z -Z 7725a2b65f4c89dbbd0c71872199fac4b42b1b3e19f6ab883e767dc04dff128f 109.228.19.93
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 44 -l psiphon_ssh_31bdc3015c12d440 -pw B8F6D52F9341CE405FA375507A643E8F13322f498d8c1315aa68a0d32b97956097ca1efbdf43da77486d067dd77879ed -D 1080 -v -z -Z 5bf1f3891b4f651889af3bd2393121becc4147a8b33a6b245066157e04ab3477 213.171.207.103
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 438 -l psiphon_ssh_f32b53b85877d6cb -pw 28E93C84EAF19C8226626070684BDFC8a8d3c6d8cb295fdfc3c8fc1009078da97ba94115bbae3a5554db3cd9abeb7dd8 -D 1080 -v -z -Z f36c2e0c3f4dcc00f382e73e0e28cffb23d7e502a37b0f7e85e3f1efd049cb4d 109.228.19.133
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 465 -l psiphon_ssh_125436b6e236fc55 -pw D6D6A4050EBE622728C1607B95D2B3E5d8554e8dda00d341db3c246cd0896036169d5ffe8a980890d4874bc21c9d4df0 -D 1080 -v -z -Z 92694080db6d47453cb40c1508cd03883b61c4ebe222a6c9b2ef2913e2de8740 109.228.16.100
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 587 -l psiphon_ssh_db2b268e1577c459 -pw BD70EC2BA0C768992C0DA8BD2A865E06e5f57c3db2915bdc67042859c96de6a1301957e6f05d83b4d969ab5f31fe8074 -D 1080 -v -z -Z ecc3dcbe159a8293508d2ad7eb5fabfc89f51ade0b5b2ca86d14e018bb6e9216 88.208.221.254
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 465 -l psiphon_ssh_5d8ced9806f83899 -pw F2AC33403CAEE881BE5D4F323A297A8Eb0a3ad70059f9974878c4d7e82547c68c728d9e03657824e6287dc94621bd2ee -D 1080 -v -z -Z 647365742ea7b7d0cc9d305c7e7a3f06566532e32d7cec198977226f7aa4061d 109.228.16.82
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 995 -l psiphon_ssh_70500a449583bfd6 -pw B719E3A522EBE87F10D7FDA4A91E0193852dfa546888069a35f5b62ad187c1f8bc65c07c9be5550bee79c12cc699e8f8 -D 1080 -v -z -Z 79afa110aefd1839c6e23acc3e03732d9bfcf41b94007b9488dccbf26b9ac617 88.208.223.89
'%TEMP%\psiphon3-plonk.exe' -ssh -C -N -batch -P 587 -l psiphon_ssh_f62d2d094a9bc041 -pw AB295CD6881431A35A65CC2EEF2FFA5B948537ca77afbbea2c8da58888a99070a6821ed7534e09cd1add281da3eb9394 -D 1080 -v -z -Z 79ee3ce26a563e559ce9cda6ded892e457396268254e6ef4a05bf7e8724acbac 213.171.197.150

Executes the following:

'<SYSTEM32>\wbem\wmiadap.exe' /R /T

Modifies file system :

Creates the following files:

<LS_APPDATA>\PUTTY.RND
%TEMP%\psiphon3-plonk.exe

Deletes the following files:

<SYSTEM32>\PerfStringBackup.TMP
<SYSTEM32>\wbem\Performance\WmiApRpl.ini

Network activity:

Connects to:

'10#.#28.19.93':465
'88.##8.222.43':610
'10#.#28.19.161':587
'21#.#71.207.103':44
'10#.#28.19.133':438
'88.##8.223.89':995
'88.##8.221.254':587
'localhost':1080
'10#.#28.16.100':465
'21#.#71.197.150':587
'10#.#28.16.82':465

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial