Trojan.DownLoader17.53485

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'RPC Link-Layer Font DNS Service Server' = '<SYSTEM32>\kctzubmojgwc.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Name Performance DHCP Panel] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

'<SYSTEM32>\qqyeykoim.exe' "<SYSTEM32>\kctzubmojgwc.exe"
'%WINDIR%\Temp\dq11poxt32ruaeafo.exe' -r 48684 tcp
'%TEMP%\dq11poxt2xz3aeafopshqsd.exe'
'<SYSTEM32>\kctzubmojgwc.exe'

Modifies file system :

Creates the following files:

<SYSTEM32>\ivbydyumokktjui\run
<SYSTEM32>\ivbydyumokktjui\rng
%WINDIR%\Temp\dq11poxt32ruaeafo.exe
<SYSTEM32>\ivbydyumokktjui\cfg
<SYSTEM32>\qqyeykoim.exe
%TEMP%\dq11poxt2xz3aeafopshqsd.exe
<SYSTEM32>\ivbydyumokktjui\tst
<SYSTEM32>\kctzubmojgwc.exe
<SYSTEM32>\ivbydyumokktjui\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\qqyeykoim.exe
<SYSTEM32>\kctzubmojgwc.exe

Deletes the following files:

%WINDIR%\Temp\dq11poxt32ruaeafo.exe
<DRIVERS>\etc\hosts
%TEMP%\dq11poxt2xz3aeafopshqsd.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'ab###ull.net':80
'pi###ruit.net':80
'kn###ull.net':80
'kn###oise.net':80
'ab###oise.net':80
'so###ruit.net':80
'so###oise.net':80
'pi###ull.net':80
'pi###oise.net':80
'pi###ise.net':80
'so###ise.net':80
'cl###bone.net':80
'da###one.net':80
'da###rote.net':80
'da###old.net':80
'cl###wrote.net':80
'cl###fire.net':80
'kn###ise.net':80
'ab###ise.net':80
'ab###ruit.net':80
'da###ire.net':80
'kn###ruit.net':80
'ju###oise.net':80
'mo###ull.net':80
'mo###oise.net':80
'mo###ise.net':80
'ju###ise.net':80
'ju###ull.net':80
'wh###ise.net':80
'hi###oise.net':80
'hi###ise.net':80
'hi###ruit.net':80
'wh###ruit.net':80
'ro###ise.net':80
'si###ise.net':80
'si###ruit.net':80
'so###ull.net':80
'ro###ruit.net':80
'ro###oise.net':80
'mo###ruit.net':80
'ju###ruit.net':80
'si###ull.net':80
'si###oise.net':80
'ro###ull.net':80
'cl###cold.net':80
'ca###rote.net':80
'he###rote.net':80
'he###old.net':80
'si###fire.net':80
'ca###old.net':80
'ca###one.net':80
'qu###cold.net':80
'th###old.net':80
'he###ire.net':80
'he###one.net':80
'ca###ire.net':80
'de###lxc.com':80
'th###cold.net':80
'be##lxc.com':80
'ri###nstorm.net':80
'af###sllc.com':80
'si###cold.net':80
'si###bone.net':80
'th###fire.net':80
'th###bone.net':80
'th###wrote.net':80
'si###wrote.net':80
'me###old.net':80
'si###old.net':80
'mo###ire.net':80
'mo###one.net':80
'su###yfire.net':80
'me###rote.net':80
'me###ire.net':80
'si###ire.net':80
'si###one.net':80
'si###rote.net':80
'me###one.net':80
'th###one.net':80
'qu###fire.net':80
'qu###bone.net':80
'qu###wrote.net':80
'th###rote.net':80
'th###ire.net':80
'mo###rote.net':80
'su###ybone.net':80
'su###ywrote.net':80
'su###ycold.net':80
'mo###old.net':80

TCP:

HTTP GET requests:

http://ab###ull.net/index.php
http://pi###ruit.net/index.php
http://kn###ull.net/index.php
http://kn###oise.net/index.php
http://ab###oise.net/index.php
http://so###ruit.net/index.php
http://so###oise.net/index.php
http://pi###ull.net/index.php
http://pi###oise.net/index.php
http://pi###ise.net/index.php
http://so###ise.net/index.php
http://cl###bone.net/index.php
http://da###one.net/index.php
http://da###rote.net/index.php
http://da###old.net/index.php
http://cl###wrote.net/index.php
http://cl###fire.net/index.php
http://kn###ise.net/index.php
http://ab###ise.net/index.php
http://ab###ruit.net/index.php
http://da###ire.net/index.php
http://kn###ruit.net/index.php
http://ju###oise.net/index.php
http://mo###ull.net/index.php
http://mo###oise.net/index.php
http://mo###ise.net/index.php
http://ju###ise.net/index.php
http://ju###ull.net/index.php
http://wh###ise.net/index.php
http://hi###oise.net/index.php
http://hi###ise.net/index.php
http://hi###ruit.net/index.php
http://wh###ruit.net/index.php
http://ro###ise.net/index.php
http://si###ise.net/index.php
http://si###ruit.net/index.php
http://so###ull.net/index.php
http://ro###ruit.net/index.php
http://ro###oise.net/index.php
http://mo###ruit.net/index.php
http://ju###ruit.net/index.php
http://si###ull.net/index.php
http://si###oise.net/index.php
http://ro###ull.net/index.php
http://cl###cold.net/index.php
http://ca###rote.net/index.php
http://he###rote.net/index.php
http://he###old.net/index.php
http://si###fire.net/index.php
http://ca###old.net/index.php
http://ca###one.net/index.php
http://qu###cold.net/index.php
http://th###old.net/index.php
http://he###ire.net/index.php
http://he###one.net/index.php
http://ca###ire.net/index.php
http://de###lxc.com/index.php
http://th###cold.net/index.php
http://be##lxc.com/index.php
http://ri###nstorm.net/index.php
http://af###sllc.com/index.php
http://si###cold.net/index.php
http://si###bone.net/index.php
http://th###fire.net/index.php
http://th###bone.net/index.php
http://th###wrote.net/index.php
http://si###wrote.net/index.php
http://me###old.net/index.php
http://si###old.net/index.php
http://mo###ire.net/index.php
http://mo###one.net/index.php
http://su###yfire.net/index.php
http://me###rote.net/index.php
http://me###ire.net/index.php
http://si###ire.net/index.php
http://si###one.net/index.php
http://si###rote.net/index.php
http://me###one.net/index.php
http://th###one.net/index.php
http://qu###fire.net/index.php
http://qu###bone.net/index.php
http://qu###wrote.net/index.php
http://th###rote.net/index.php
http://th###ire.net/index.php
http://mo###rote.net/index.php
http://su###ybone.net/index.php
http://su###ywrote.net/index.php
http://su###ycold.net/index.php
http://mo###old.net/index.php

UDP:

DNS ASK kn###ull.net
DNS ASK ab###ull.net
DNS ASK ab###oise.net
DNS ASK ab###ise.net
DNS ASK kn###oise.net
DNS ASK pi###ruit.net
DNS ASK pi###oise.net
DNS ASK so###oise.net
DNS ASK so###ise.net
DNS ASK so###ruit.net
DNS ASK pi###ise.net
DNS ASK da###rote.net
DNS ASK cl###bone.net
DNS ASK cl###wrote.net
DNS ASK cl###cold.net
DNS ASK da###old.net
DNS ASK da###one.net
DNS ASK ab###ruit.net
DNS ASK kn###ise.net
DNS ASK kn###ruit.net
DNS ASK cl###fire.net
DNS ASK da###ire.net
DNS ASK pi###ull.net
DNS ASK ju###oise.net
DNS ASK mo###ull.net
DNS ASK mo###oise.net
DNS ASK mo###ise.net
DNS ASK ju###ise.net
DNS ASK ju###ull.net
DNS ASK wh###ise.net
DNS ASK hi###oise.net
DNS ASK hi###ise.net
DNS ASK hi###ruit.net
DNS ASK wh###ruit.net
DNS ASK ro###ise.net
DNS ASK si###ise.net
DNS ASK si###ruit.net
DNS ASK so###ull.net
DNS ASK ro###ruit.net
DNS ASK ro###oise.net
DNS ASK mo###ruit.net
DNS ASK ju###ruit.net
DNS ASK si###ull.net
DNS ASK si###oise.net
DNS ASK ro###ull.net
DNS ASK ca###rote.net
DNS ASK he###rote.net
DNS ASK he###old.net
DNS ASK si###fire.net
DNS ASK ca###old.net
DNS ASK ca###one.net
DNS ASK qu###cold.net
DNS ASK th###old.net
DNS ASK he###ire.net
DNS ASK he###one.net
DNS ASK ca###ire.net
DNS ASK de###lxc.com
DNS ASK th###cold.net
DNS ASK be##lxc.com
DNS ASK ri###nstorm.net
DNS ASK af###sllc.com
DNS ASK si###cold.net
DNS ASK si###bone.net
DNS ASK th###fire.net
DNS ASK th###bone.net
DNS ASK th###wrote.net
DNS ASK si###wrote.net
DNS ASK me###old.net
DNS ASK si###old.net
DNS ASK mo###ire.net
DNS ASK mo###one.net
DNS ASK su###yfire.net
DNS ASK me###rote.net
DNS ASK me###ire.net
DNS ASK si###ire.net
DNS ASK si###one.net
DNS ASK si###rote.net
DNS ASK me###one.net
DNS ASK th###one.net
DNS ASK qu###fire.net
DNS ASK qu###bone.net
DNS ASK qu###wrote.net
DNS ASK th###rote.net
DNS ASK th###ire.net
DNS ASK mo###rote.net
DNS ASK su###ybone.net
DNS ASK su###ywrote.net
DNS ASK su###ycold.net
DNS ASK mo###old.net
'23#.#55.255.250':1900

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial