Win32.HLLW.Autoruner.63910

Technical Information

To ensure autorun and distribution:

Creates the following files on removable media:

<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\system32_.exe
<Drive name for removable media>:\New Folder.exe

Malicious functions:

Executes the following:

<SYSTEM32>\cacls.exe "C:\system volume information" /e /g "%USERNAME%":f
<SYSTEM32>\at.exe 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\system32_.exe
<SYSTEM32>\at.exe /delete /yes

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system :

Creates the following files:

<SYSTEM32>\autorun.ini
<SYSTEM32>_.exe
<SYSTEM32>\system32_.exe

Sets the 'hidden' attribute to the following files:

<Drive name for removable media>:\autorun.inf
<SYSTEM32>\autorun.ini
<SYSTEM32>\system32_.exe

Network activity:

Connects to:

'h1.##pway.com':80
're####ry.myvnc.com':80

TCP:

HTTP GET requests:

h1.##pway.com/sdb085/setting.ini
h1.##pway.com/sdb084/setting.ini
h1.##pway.com/sdb083/setting.ini
h1.##pway.com/sdb088/setting.ini
h1.##pway.com/sdb087/setting.ini
h1.##pway.com/sdb086/setting.ini
h1.##pway.com/sdb079/setting.ini
h1.##pway.com/sdb078/setting.ini
h1.##pway.com/sdb077/setting.ini
h1.##pway.com/sdb082/setting.ini
h1.##pway.com/sdb081/setting.ini
h1.##pway.com/sdb080/setting.ini
h1.##pway.com/sdb097/setting.ini
h1.##pway.com/sdb096/setting.ini
h1.##pway.com/sdb095/setting.ini
h1.##pway.com/sdb0100/setting.ini
h1.##pway.com/sdb099/setting.ini
h1.##pway.com/sdb098/setting.ini
h1.##pway.com/sdb091/setting.ini
h1.##pway.com/sdb090/setting.ini
h1.##pway.com/sdb089/setting.ini
h1.##pway.com/sdb094/setting.ini
h1.##pway.com/sdb093/setting.ini
h1.##pway.com/sdb092/setting.ini
h1.##pway.com/sdb076/setting.ini
h1.##pway.com/sdb060/setting.ini
h1.##pway.com/sdb059/setting.ini
h1.##pway.com/sdb058/setting.ini
h1.##pway.com/sdb063/setting.ini
h1.##pway.com/sdb062/setting.ini
h1.##pway.com/sdb061/setting.ini
h1.##pway.com/sdb054/setting.ini
h1.##pway.com/sdb070/setting.ini
re####ry.myvnc.com/setting.ini
h1.##pway.com/sdb057/setting.ini
h1.##pway.com/sdb056/setting.ini
h1.##pway.com/sdb055/setting.ini
h1.##pway.com/sdb072/setting.ini
h1.##pway.com/sdb071/setting.ini
h1.##pway.com/sdb053/setting.ini
h1.##pway.com/sdb075/setting.ini
h1.##pway.com/sdb074/setting.ini
h1.##pway.com/sdb073/setting.ini
h1.##pway.com/sdb066/setting.ini
h1.##pway.com/sdb065/setting.ini
h1.##pway.com/sdb064/setting.ini
h1.##pway.com/sdb069/setting.ini
h1.##pway.com/sdb068/setting.ini
h1.##pway.com/sdb067/setting.ini

UDP:

DNS ASK h1.##pway.com
DNS ASK re####ry.myvnc.com
'<Private IP address>':1033

技术

术语

教育培训

误区

Technical Information