Win32.HLLW.Autoruner2.8356
Added to the Dr.Web virus database:
2014-02-22
Virus description added:
2014-02-23
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,'
Creates or modifies the following files:
- %WINDIR%\Tasks\KeepRadmin.job
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'Start' = '00000002'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\KeepRadmin.exe
Malicious functions:
Creates and executes the following:
- '%TEMP%\7za.exe' x "%ALLUSERSPROFILE%\Application Data\KeepRadmin\rserver3.7z" -y
Executes the following:
- '<SYSTEM32>\schtasks.exe' /Create /RU SYSTEM /SC HOURLY /MO 1 /TN KeepRadmin /TR "\"%ALLUSERSPROFILE%\Application Data\KeepRadmin\KeepRadmin.exe\""
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\rserver3" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000014000000020000000000000002000000000000000200000000000000 /f
- '<SYSTEM32>\sc.exe' config Schedule start= auto
- '<SYSTEM32>\sc.exe' start Schedule
Modifies file system:
Creates the following files:
- %ALLUSERSPROFILE%\Application Data\KeepRadmin\keepradmin_error.log
- %TEMP%\7za.exe
- %ALLUSERSPROFILE%\Application Data\KeepRadmin\rserver3.7z
- %ALLUSERSPROFILE%\Application Data\KeepRadmin\keepradmin.log
- %ALLUSERSPROFILE%\Application Data\KeepRadmin\KeepRadmin.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\KeepRadmin.exe
Network activity:
Connects to:
- 'ip##gger.ru':80
- '2i#.ru':80
- '89.##5.81.51':443
- 'ip##e.ru':80
- 'zx####.suroot.com':443
- 'zx###6.pp.ua':80
- 'sd##ni.ru':80
TCP:
HTTP GET requests:
- ip##gger.ru/12P73.jpg
- 2i#.ru/member_photo/2819.gif
- ip##e.ru/
- zx###6.pp.ua/hf/PortableRadmin.7z
- sd##ni.ru/173628
UDP:
- DNS ASK ip##e.ru
- DNS ASK ip##gger.ru
- DNS ASK 2i#.ru
- DNS ASK zx####.suroot.com
- DNS ASK zx###6.pp.ua
- DNS ASK sd##ni.ru