Win32.HLLW.Autoruner1.30162
Added to the Dr.Web virus database: 2012-11-23
Virus description added: 2012-11-23
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'csrss' = 'C:\Users\Public\smxss.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = 'C:\Users\Public\smxss.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\SandiskU3.exe
Malicious functions:
To complicate detection of its presence in the operating system, blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- C:\Users\Public\rar.exe e kays.rar
- C:\Users\Public\smxss.exe
- C:\Users\Public\rar.exe e bm.rar
- C:\Users\Public\rar.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\tskill.exe /A threatwork
- <SYSTEM32>\taskkill.exe /f /im threatwork.exe
- <SYSTEM32>\tskill.exe /A Ad-Aware
- <SYSTEM32>\tskill.exe /A avp
- <SYSTEM32>\net1.exe stop aawservice
- <SYSTEM32>\taskkill.exe /f /im avp.exe
- <SYSTEM32>\taskkill.exe /f /im AAWTray.exe
- <SYSTEM32>\tskill.exe /A AAWService
- <SYSTEM32>\taskkill.exe /f /im regedit.exe
- <SYSTEM32>\taskkill.exe /f /im Ad-Aware.exe
- <SYSTEM32>\net.exe stop aawservice
- <SYSTEM32>\tskill.exe /A AAWTray
- <SYSTEM32>\tskill.exe /A fuckyou
- <SYSTEM32>\taskkill.exe /f /im fuckyou.exe
- <SYSTEM32>\net1.exe /A taskmgr
- <SYSTEM32>\reg.exe /f /im regedit.exe
- <SYSTEM32>\tskill.exe /pid=2876
- <SYSTEM32>\tskill.exe /A <Virus name>
- <SYSTEM32>\tskill.exe /pid=3756
- <SYSTEM32>\tskill.exe /f /im TeaTimer.exe
- <SYSTEM32>\cmd.exe /c C:\Users\Public\cpx.bat
- <SYSTEM32>\taskkill.exe /pid=3332
- <SYSTEM32>\tskill.exe /pid=3584
- <SYSTEM32>\net1.exe /pid=3448
- <SYSTEM32>\cmd.exe /c C:\Users\Public\instv.bat
- <SYSTEM32>\tskill.exe /A taskmgr
- <SYSTEM32>\reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /d C:\Users\Public\smxss.exe /f
- <SYSTEM32>\taskkill.exe /f /im <Virus name>.exe
- <SYSTEM32>\cmd.exe /c C:\Users\Public\load.bat
- <SYSTEM32>\taskkill.exe /f /im taskmgr.exe
- <SYSTEM32>\taskkill.exe /f /im smxss.exe
- <SYSTEM32>\tskill.exe /A smxss
- <SYSTEM32>\cmd.exe /c C:\mkxxosrw.bat
- <SYSTEM32>\cmd.exe /c C:\Users\Public\instmnr.bat
- <SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v csrss /d C:\Users\Public\smxss.exe /f
- <SYSTEM32>\cmd.exe /c C:\Users\Public\aiasodjfapughaw.bat
- <SYSTEM32>\tskill.exe /A Update
- <SYSTEM32>\taskkill.exe /f /im Update.exe
- <SYSTEM32>\tskill.exe /A SUpdate
- <SYSTEM32>\taskkill.exe /f /im AAWService.exe
- <SYSTEM32>\tskill.exe /A mbam
- <SYSTEM32>\taskkill.exe /f /im mbam.exe
- <SYSTEM32>\tskill.exe /A TeaTimer
- <SYSTEM32>\tskill.exe /A regedit
- <SYSTEM32>\taskkill.exe /f /im TeaTimer.exe
- <SYSTEM32>\taskkill.exe /f /im SUpdate.exe
- <SYSTEM32>\tskill.exe /A SpybotSD
- <SYSTEM32>\taskkill.exe /f /im SpybotSD.exe
Injects code into the following system processes:
- <SYSTEM32>\taskkill.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\tskill.exe
- <SYSTEM32>\net1.exe
Terminates or attempts to terminate the following user processes:
Modifies file system:
Creates the following files:
- C:\Users\Public\instv.bat
- C:\Users\Public\instlx9xz7b8x.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\kays[1].rar
- C:\Users\Public\kays.rar
- C:\Users\Public\load.bat
- C:\SandiskU3.exe
- C:\autorun.inf
- C:\Users\Public\ar.i
- C:\Users\Public\cpx.bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\rar[1].exe
- C:\Users\Public\rar.exe
- C:\mkxxosrw.bat
- C:\Users\Public\aiasodjfapughaw.bat
- C:\Users\Public\bm.rar
- C:\Users\Public\instmnr.bat
- C:\Users\Public\smxss.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\bm[1].rar
Deletes the following files:
- %TEMP%\8d92_appcompat.txt
- <SYSTEM32>\dllcache\NT5.CAT
- <Drive name for removable media>:\autorun.inf
- %TEMP%\8deb_appcompat.txt
- C:\Users\Public\ar.i
- C:\Users\Public\bm.rar
- <SYSTEM32>\dllcache\NT5INF.CAT
- <SYSTEM32>\fuckyou.exe
Moves the following system files:
- from <SYSTEM32>\taskmgr.exe to <SYSTEM32>\fuckyou.exe
Network activity:
Connects to:
- 'dl.##opbox.com':80
- 'localhost':1035
TCP:
HTTP GET requests:
- dl.##opbox.com/u/99035685/kays.rar
- dl.##opbox.com/u/99035685/bm.rar
- dl.##opbox.com/u/99035685/rar.exe
UDP:
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: ''