用户服务中心

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

CN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Dr.Web vxCube

打开分析仪

计算机病毒事件调查

病毒知识库

技术

术语

教育培训

误区

有关反病毒软件的误区

Win32.HLLW.Autoruner2.25079

Added to the Dr.Web virus database: 2016-08-28

Virus description added: 2016-08-28

Technical Information

Malicious functions:

Creates and executes the following:

'<SYSTEM32>\cscript.exe' //NoLogo %TEMP%\hd.vbs
'%TEMP%\ZvuInstaller.exe' (downloaded from the Internet)

Executes the following:

'%TEMP%\ZvuInstaller.exe' /S /INI="%TEMP%\ZvuInstaller.exe.ini"

Modifies file system:

Creates the following files:

%TEMP%\ZvuInstaller.exe
%TEMP%\ZvuInstaller.exe.ini
%TEMP%\hd.vbs
%TEMP%\ZvuInstall.log
%APPDATA%\Zvu\init.xml

Network activity:

Connects to:

'zv#.com':80
'st##.zvu.com':80
'localhost':1037

TCP:

HTTP GET requests:

http://dl.#vu.com/dl/zvu-18.0.1.ru.winxp_32.installer.exe via zv#.com
http://zv#.com/img/no-cover.jpg
http://st##.zvu.com/installer.html?pa############################################################################################################################################################...

UDP:

DNS ASK dl.#vu.com
DNS ASK zv#.com
DNS ASK st##.zvu.com

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''