Win32.HLLW.Autoruner1.61362
Added to the Dr.Web virus database:
2013-11-11
Virus description added:
2013-11-17
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\piffile\shell\open\command] '' = '"<SYSTEM32>\toxic.exe" "%1" %*'
- [<HKLM>\SOFTWARE\Classes\lnkfile\shell\open\command] '' = '"<SYSTEM32>\toxic.exe" "%1" %*'
- [<HKLM>\SOFTWARE\Classes\comfile\shell\open\command] '' = '"<SYSTEM32>\toxic.exe" "%1" %*'
- [<HKLM>\SOFTWARE\Classes\batfile\shell\open\command] '' = '"<SYSTEM32>\toxic.exe" "%1" %*'
- [<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '"<SYSTEM32>\toxic.exe" "%1" %*'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'poison' = '<SYSTEM32>\poison.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'cetix' = '%WINDIR%\cetix.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\poison.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe "<SYSTEM32>\poison.exe"'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\vserve.exe
Creates the following files on removable media:
- <Drive name for removable media>:\xz.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\%USERNAME%'s Files.exe
- <Drive name for removable media>:\Untitled.exe
Malicious functions:
To complicate detection of its presence in the operating system, forces the system to hide from view:
- hidden files
- file extensions
Creates and executes the following:
- '<SYSTEM32>\toxic.exe'
- '%HOMEPATH%\Start Menu\Programs\Startup\vserve.exe'
- '%WINDIR%\cetix.exe'
- '<SYSTEM32>\poison.exe'
Injects code into the following system processes:
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\ctfmon.exe
- %WINDIR%\Explorer.EXE
Also injects code into a large number of user processes.
Terminates or attempts to terminate the following system processes:
Modifies file system:
Creates the following files:
- C:\xz.exe
- C:\Untitled.exe
- C:\%USERNAME%'s Files.exe
- C:\autorun.inf
- %WINDIR%\system\msvbvm60.dll
- %WINDIR%\msvbvm60.dll
- %WINDIR%\ctxproc.tmp
- %HOMEPATH%\Desktop\aboutCetix.html
- <SYSTEM32>\toxic.exe
- %WINDIR%\cetix.exe
- <SYSTEM32>\poison.exe
- C:\infoBali.txt
- C:\aboutCetix.html
- %WINDIR%\racun.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\xz.exe
- %WINDIR%\system\msvbvm60.dll
- %WINDIR%\msvbvm60.dll
- C:\autorun.inf
- <SYSTEM32>\poison.exe
- %WINDIR%\cetix.exe
- C:\xz.exe
- <SYSTEM32>\toxic.exe
Deletes the following files:
- %TEMP%\~DFB291.tmp
- %TEMP%\~DF3F5C.tmp
- %TEMP%\~DFF18B.tmp
- %TEMP%\~DF5834.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: '(null)' WindowName: 'ctxwarrior3'
- ClassName: 'PROCEXPL' WindowName: '(null)'
- ClassName: 'CabinetWClass' WindowName: '(null)'
- ClassName: 'ExploreWClass' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'ctxwarrior1'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'ANVIECLAZZ' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'ctxwarrior2'