Win32.HLLW.Autoruner1.61795
Added to the Dr.Web virus database:
2013-11-26
Virus description added:
2013-11-28
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'goeop' = '%HOMEPATH%\goeop.exe /r'
Creates the following files on removable media:
- <Drive name for removable media>:\lnye.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\winlogon.exe' = '<SYSTEM32>\winlogon.exe:*:enabled:@shell32.dll,-1'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\FOUND.000.exe' = '%TEMP%\FOUND.000.exe:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%HOMEPATH%\goeop.exe'
- '%TEMP%\svchost.exe'
- '%TEMP%\FOUND.000.exe'
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\vbc1.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\41-bvhsf.cmdline"
Injects code into
the following system processes:
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- <SYSTEM32>\winlogon.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\ctfmon.exe
a large number of user processes.
Restores hooked functions in System Service Descriptor Table (SSDT).
Modifies file system :
Creates the following files:
- %TEMP%\RES2.tmp
- %TEMP%\txbqj.exe
- %TEMP%\vbc1.tmp
- %HOMEPATH%\goeop.exe
- C:\xnjhh.exe
- C:\autorun.inf
- %TEMP%\41-bvhsf.exe
- %TEMP%\41-bvhsf.out
- %TEMP%\svchost.exe
- %TEMP%\FOUND.000.exe
- %TEMP%\ZNUeqWyd.resources
- %TEMP%\3ZKQ714mO.resources
- %TEMP%\41-bvhsf.cmdline
- %TEMP%\41-bvhsf.0.vb
- %TEMP%\MSNPSharp.dll
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\lnye.exe
- C:\xnjhh.exe
- %HOMEPATH%\goeop.exe
- C:\autorun.inf
Deletes the following files:
- %TEMP%\41-bvhsf.cmdline
- %TEMP%\41-bvhsf.0.vb
- %TEMP%\41-bvhsf.exe
- %TEMP%\41-bvhsf.out
- %TEMP%\vbc1.tmp
- %TEMP%\svchost.exe
- %TEMP%\FOUND.000.exe
- %TEMP%\RES2.tmp
- %TEMP%\txbqj.exe
Network activity:
Connects to:
- 'ns#.##siczipz.com':8000
- 'il#.#renz.pl':80
UDP:
- DNS ASK ns#.##siczipz.com
- DNS ASK il#.#renz.pl
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息