Win32.HLLW.EmudBot.77
Added to the Dr.Web virus database:
2014-08-23
Virus description added:
2014-08-25
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] '9FD8E146' = '%TEMP%\mulkv.exe'
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\services\yddnaxteal] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
Executes the following:
'<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
Modifies file system:
Creates the following files:
<SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\settings[1].cfg
<SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\remote[1].php
%TEMP%\mulkv.exe
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\iLog[1].php
Deletes the following files:
<SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\remote[1].php
<SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\settings[1].cfg
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\iLog[1].php
Network activity:
Connects to:
'aj#.##oneypot.net':80
'oy#####.ihelloyou.net':80
'wt####.ifollowya.com':80
'qs####.ihoneypot.net':80
'jj##.#helloyou.net':80
'um#.#mnosy.com':80
'al###.emnosy.com':80
'ql##.#crondyou.com':80
'ce#####.icrondyou.com':80
'dk##.#followya.com':80
'mn##.#opololo.com':80
'xu####.popokopo.com':80
'pi##.#opokopo.com':80
'xn####.topololo.com':80
'dl#####.popokopo.com':80
'px###.#tripthere.com':80
'jo##.#tripthere.com':80
'te#####.yournailed.net':80
'jq####.yournailed.net':80
TCP:
HTTP GET requests:
aj#.##oneypot.net/mars/remote.php?os#########################################################################################
oy#####.ihelloyou.net/mars/settings.cfg?bu###################
wt####.ifollowya.com/mars/remote.php?os#########################################################################################
qs####.ihoneypot.net/mars/settings.cfg?bu###################
jj##.#helloyou.net/mars/remote.php?os#########################################################################################
um#.#mnosy.com/mars/settings.cfg?bu###################
al###.emnosy.com/mars/remote.php?os#########################################################################################
ql##.#crondyou.com/mars/settings.cfg?bu###################
ce#####.icrondyou.com/mars/remote.php?os#########################################################################################
dk##.#followya.com/mars/settings.cfg?bu###################
mn##.#opololo.com/mars/remote.php?os#########################################################################################
xu####.popokopo.com/mars/settings.cfg?bu###################
pi##.#opokopo.com/mars/iLog.php?dl#########################
xn####.topololo.com/mars/settings.cfg?bu###################
dl#####.popokopo.com/mars/remote.php?os#########################################################################################
px###.#tripthere.com/mars/settings.cfg?bu###################
jo##.#tripthere.com/mars/remote.php?os#########################################################################################
te#####.yournailed.net/mars/settings.cfg?bu###################
jq####.yournailed.net/mars/remote.php?os#########################################################################################
UDP:
DNS ASK aj#.##oneypot.net
DNS ASK oy#####.ihelloyou.net
DNS ASK wt####.ifollowya.com
DNS ASK qs####.ihoneypot.net
DNS ASK jj##.#helloyou.net
DNS ASK um#.#mnosy.com
DNS ASK al###.emnosy.com
DNS ASK ql##.#crondyou.com
DNS ASK ce#####.icrondyou.com
DNS ASK dk##.#followya.com
DNS ASK mn##.#opololo.com
DNS ASK xu####.popokopo.com
DNS ASK pi##.#opokopo.com
DNS ASK xn####.topololo.com
DNS ASK dl#####.popokopo.com
DNS ASK px###.#tripthere.com
DNS ASK jo##.#tripthere.com
DNS ASK te#####.yournailed.net
DNS ASK jq####.yournailed.net