BEKv2 Gate Variant (q.php)

This variant is hosted on a few large networks rather than on scattered single hosts. The IP ranges below have been serving malicious content since at least September 2012 and should be blocked.

Currently affected networks:

129.121.0.0 – 129.121.255.255
149.47.0.0 – 149.47.63.255
65.75.160.0 – 65.75.175.255
64.247.176.0 – 64.247.191.255

HTTP request method = GET
HTTP URI matches the regex "\/[a-f0-9]{16,32}\/q\.php" (a 16 to 32 character lowercase hex directory followed by /q.php)

hxxp://129.121.126.40/3191945b9fd4baee19fe6d1a1f16341b/q.php
hxxp://129.121.113.91/d3c25604f85a1ea4f1278802cd56ae67/q.php
hxxp://149.47.253.180/5983387568aa76e343060cf644cef37a/q.php
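The signature above, written out as detection logic that can be run over proxy logs. This is an added example and not code from the original post; the CIDR forms of the ranges, the log line format and the sample log lines are my own assumptions, with the hosts and paths taken from the defanged examples above.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# The post's four ranges as CIDR blocks (assumption: they are exact /16, /18, /20, /20 spans).
GATE_NETWORKS = [
    ipaddress.ip_network("129.121.0.0/16"),   # 129.121.0.0 - 129.121.255.255
    ipaddress.ip_network("149.47.0.0/18"),    # 149.47.0.0 - 149.47.63.255
    ipaddress.ip_network("65.75.160.0/20"),   # 65.75.160.0 - 65.75.175.255
    ipaddress.ip_network("64.247.176.0/20"),  # 64.247.176.0 - 64.247.191.255
]
# URI pattern from the post: a 16-32 character hex directory followed by /q.php.
GATE_URI = re.compile(r"/[a-f0-9]{16,32}/q\.php")
def host_in_gate_networks(host):
    # Only IP-literal hosts can match; a hostname raises ValueError and gives no match.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in GATE_NETWORKS)

def classify_request(method, url):
    """Return the signature elements a request matches: 'uri', 'network', or both."""
    reasons = []
    if method.upper() != "GET":
        return reasons
    parts = urlsplit(url)
    if GATE_URI.search(parts.path):
        reasons.append("uri")
    if host_in_gate_networks(parts.hostname or ""):
        reasons.append("network")
    return reasons

def scan_log(lines):
    """Scan constructed proxy-log lines shaped '<ts> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip it
        reasons = classify_request(fields[2], fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits
# Constructed sample log; hosts and paths are taken from the post's defanged example URLs.
SAMPLE_LOG = [
    "2012-09-20T10:01:02Z 10.0.0.5 GET http://129.121.126.40/3191945b9fd4baee19fe6d1a1f16341b/q.php 200",
    "2012-09-20T10:01:09Z 10.0.0.7 GET http://149.47.253.180/5983387568aa76e343060cf644cef37a/q.php 200",
    "2012-09-20T10:02:15Z 10.0.0.5 GET http://example.com/index.php 200",
    "2012-09-20T10:03:40Z 10.0.0.9 POST http://64.247.180.1/abcdef0123456789/q.php 200",
]
```

Note that 149.47.253.180, one of the post's own examples, lies outside the listed 149.47.0.0 to 149.47.63.255 range, so that line is reported on the URI pattern alone, which is why the two checks are kept as separate reasons.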

See examples of BEKv2 q.php Gate Variant on UrlQuery.net

Reference: http://malware.dontneedcoffee.com/2012/09/ULockerAS36444BHEK.html
