Win32.HLLW.Autoruner1.56153
Added to the Dr.Web virus database:
2013-09-15
Virus description added:
2013-09-15
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'Startup Scan' = '%WINDIR%\<Virus name>.exe/check'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run] 'TST' = '%WINDIR%\inf\<Virus name>.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run] 'TSystem' = '<SYSTEM32>\Restore\THole.exe'
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Startup.exe
Creates the following files on removable media:
- <Drive name for removable media>:\SYS\SYS.exe
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\SYS\AAR.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
Executes the following:
- '<SYSTEM32>\attrib.exe' /pid=1144
- '<SYSTEM32>\attrib.exe' /pid=2576
- '<SYSTEM32>\net1.exe' /pid=2680
- '<SYSTEM32>\attrib.exe' /pid=2796
- '<SYSTEM32>\attrib.exe' /pid=2620
- '<SYSTEM32>\reg.exe' /pid=2840
- '<SYSTEM32>\reg.exe' /pid=2500
- '<SYSTEM32>\attrib.exe' /pid=2832
- '<SYSTEM32>\attrib.exe' /pid=2720
- '<SYSTEM32>\net1.exe' +S +H +R G:\SYS
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt /v UncheckedValue /t REG_DWORD /d 1 /f
- '<SYSTEM32>\net1.exe' +S +H +R E:\SYS
- '<SYSTEM32>\net1.exe' +S +H +R F:\SYS
- '<SYSTEM32>\net1.exe' /pid=1720
- '<SYSTEM32>\net1.exe' /pid=2692
- '<SYSTEM32>\reg.exe' /pid=2860
- '<SYSTEM32>\net1.exe' +S +H +R Y:\SYS
- '<SYSTEM32>\net1.exe' /pid=3936
- '<SYSTEM32>\net1.exe' +S +H +R N:\SYS
- '<SYSTEM32>\net1.exe' +S +H +R X:\SYS
- '<SYSTEM32>\net1.exe' /pid=3968
- '<SYSTEM32>\net1.exe' /pid=3780
- '<SYSTEM32>\attrib.exe' /pid=412
- '<SYSTEM32>\net1.exe' +S +H +R <SYSTEM32>\Restore\THole.exe
- '<SYSTEM32>\attrib.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
- '<SYSTEM32>\attrib.exe' stop "zvregmon"
- '<SYSTEM32>\net1.exe' /pid=3528
- '<SYSTEM32>\net1.exe' /pid=3492
- '<SYSTEM32>\reg.exe' /pid=2736
- '<SYSTEM32>\net1.exe' /pid=3008
- '<SYSTEM32>\net1.exe' /pid=1608
- '<SYSTEM32>\attrib.exe' stop "acssrv"
- '<SYSTEM32>\attrib.exe' stop "scanwscs"
- '<SYSTEM32>\attrib.exe' stop "Online Protection System"
- '<SYSTEM32>\attrib.exe' stop "Core Mail Protection"
- '<SYSTEM32>\net1.exe' stop "acssrv"
- '<SYSTEM32>\net1.exe' stop "scanwscs"
- '<SYSTEM32>\net1.exe' stop "Quick Update Service"
- '<SYSTEM32>\net1.exe' stop "Core Mail Protection"
- '<SYSTEM32>\net1.exe' stop "ZeroVProtect"
- '<SYSTEM32>\attrib.exe' +S +H +R E:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R F:\SYS
- '<SYSTEM32>\net1.exe' stop "zvregmon"
- '<SYSTEM32>\attrib.exe' +S +H +R <Drive name for removable media>:\SYS
- '<SYSTEM32>\net.exe' stop "zvregmon"
- '<SYSTEM32>\net.exe' stop "Quick Update Service"
- '<SYSTEM32>\net.exe' stop "Core Mail Protection"
- '<SYSTEM32>\net.exe' STOP acssrv
- '<SYSTEM32>\net.exe' stop "Online Protection System"
- '<SYSTEM32>\net.exe' stop "acssrv"
- '<SYSTEM32>\net.exe' stop "ZeroVProtect"
- '<SYSTEM32>\net1.exe' stop "Online Protection System"
- '<SYSTEM32>\net.exe' stop "scanwscs"
- '<SYSTEM32>\net1.exe' STOP acssrv
- '<SYSTEM32>\attrib.exe' +S +H +R G:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R <SYSTEM32>\com\THole.exe
- '<SYSTEM32>\attrib.exe' +S +H +R %WINDIR%\inf\<Virus name>.exe
- '<SYSTEM32>\attrib.exe' +S +H +R Z:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R <SYSTEM32>\Restore\THole.exe
- '<SYSTEM32>\attrib.exe' +S +H +R %HOMEPATH%\<Virus name>.exe
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /v CheckedValue /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /v UncheckedValue /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '<SYSTEM32>\attrib.exe' +S +H +R Y:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R J:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R K:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R H:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R I:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R L:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R N:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R X:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R M:\SYS
- '<SYSTEM32>\attrib.exe' +S +H +R M:\Autorun.inf
Injects code into
the following system processes:
- <SYSTEM32>\attrib.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\net.exe
- <SYSTEM32>\net1.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\Com\THole.exe
- <SYSTEM32>\Restore\Thole.exe
- %WINDIR%\WINDOWS.exe
- %WINDIR%\<Virus name>.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\NudeFuck.exe
- %WINDIR%\inf\<Virus name>.exe
- C:\RECYCLER\RECYCLER.exe
- C:\Documents and Settings\Documents and Settings.exe
- <Current directory>\bf32d3b0.exe
- %PROGRAM_FILES%\Program Files.exe
- <Auxiliary element>
- C:\Far2\Far2.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\inf\<Virus name>.exe
- <SYSTEM32>\Com\THole.exe
- <SYSTEM32>\Restore\Thole.exe
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息