Win32.HLLW.MyBot.10079
Added to the Dr.Web virus database: 2013-04-06
Virus description added: 2013-04-14
Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Telnet Services v3.4.ef] 'Start' = '00000002'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'unwise_me.exe' = 'unwise_me.exe:*:Enabled:SYSTEM'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Fonts\unwise_me.exe' = '%WINDIR%\Fonts\unwise_me.exe:*:Enabled:workstation'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] 'unwise_me.exe' = 'unwise_me.exe:*:Enabled:SYSTEM'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system, blocks the following features:
Creates and executes the following:
- %WINDIR%\Fonts\unwise_me.exe
Executes the following:
- <SYSTEM32>\netsh.exe firewall set portopening TCP 9991 PORT2
- <SYSTEM32>\netsh.exe firewall add allowedprogram "%WINDIR%\Fonts\unwise_me.exe" workstation ENABLE ALL
- <SYSTEM32>\netsh.exe firewall set allowedprogram "%WINDIR%\Fonts\unwise_me.exe" workstation ENABLE ALL
- <SYSTEM32>\netsh.exe firewall set portopening TCP 9999 PORT1
- <SYSTEM32>\netsh.exe firewall set portopening TCP 445 NB
- <SYSTEM32>\netsh.exe firewall set portopening TCP 139 NB
- <SYSTEM32>\netsh.exe firewall set portopening TCP 1013 BS
Modifies file system:
Creates the following files:
- %WINDIR%\Fonts\unwise_me.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\Fonts\unwise_me.exe
Deletes the following files:
- <SYSTEM32>\config\SysEvent.Evt
- <SYSTEM32>\config\SecEvent.Evt
- <SYSTEM32>\config\AppEvent.Evt
Deletes itself.
Network activity:
Connects to:
- 'ir#.#fnet.fr':6667
- 'ir#.#fnet.nl':6667
- 'ir#.##raphysics.net':6667
- 'ir#.#fnet.no':6667
- 'ir#.##ersible.com':6667
- 'ef###.#ultiplay.co.uk':6667
- 'ef###.port80.se':6667
- 'ir#.#zima.net':6667
- 'ir#.nac.net':6667
- 'ef###.xs4all.nl':6667
- 'ir#.##derworld.no':6667
- 'ir#.##outcast.com':6667
- 'ir#.#hoopa.ca':6667
- 'ir#.#fnet.pl':6667
UDP:
- DNS ASK ir#.#fnet.fr
- DNS ASK ir#.#fnet.nl
- DNS ASK ir#.##raphysics.net
- DNS ASK ir#.#fnet.no
- DNS ASK ir#.##ersible.com
- DNS ASK ef###.#ultiplay.co.uk
- DNS ASK ef###.port80.se
- DNS ASK ir#.#zima.net
- DNS ASK ir#.nac.net
- DNS ASK ef###.xs4all.nl
- DNS ASK ir#.##derworld.no
- DNS ASK ir#.##outcast.com
- DNS ASK ir#.#hoopa.ca
- DNS ASK ir#.#fnet.pl
Miscellaneous:
Searches for the following windows:
- ClassName: 'mIRC' WindowName: ''