Win32.HLLW.Autoruner2.24078

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Taskman' = '%HOMEPATH%\aegvvp.exe'

Malicious functions:

Executes the following:

'<SYSTEM32>\svchost.exe'

Injects code into

the following system processes:

<SYSTEM32>\svchost.exe

Modifies file system:

Creates the following files:

%HOMEPATH%\aegvvp.exe

Sets the 'hidden' attribute to the following files:

%HOMEPATH%\aegvvp.exe

Network activity:

UDP:

DNS ASK mu###.###tal-protection.net.ru
DNS ASK sl###.##fehousenumber.com
'mu###.###tal-protection.net.ru':19700
'sl###.##fehousenumber.com':19700

Miscellaneous:

Searches for the following windows:

ClassName: 'Qftgx. Jfvk Wyyxn' WindowName: 'Bljuj. Emj. Auvp'
ClassName: 'Ydcgsicm Xftmalh Yd' WindowName: 'Mowmir. Wolwndej'
ClassName: 'Qostf, Y' WindowName: 'Qostf, Y'
ClassName: 'Miss Qdlyg' WindowName: 'Miss Qdlyg'
ClassName: 'Y' WindowName: 'Qostf, Y, Qostf'
ClassName: 'Qwhm. Bcqvaq Ftmd' WindowName: 'Hsfrt Sicyl Xmjqcor'
ClassName: 'Jdly Qpudgped Mdq' WindowName: 'Srce. Nrtmu, Hkbut'
ClassName: 'Uameag Ssohqxyb' WindowName: 'Jronp Gcwglbbb G'
ClassName: 'Ewjvohn Bx' WindowName: 'Ewjvohn Bx'
ClassName: 'Hlfix. Iutsi. Majhy' WindowName: 'Laxvle, Rgbbkquxl'
ClassName: 'Qrombk Rrowcxmbcfu' WindowName: 'Whcrd. Gjxbj, Sn'
ClassName: 'Xtdtyf. Slcqxfqk' WindowName: 'Nbxywefyo Ggv U'
ClassName: 'Nvdna. Ugqi Tcfctbk' WindowName: 'Qeswy, Tmiu Oofsur'
ClassName: 'Nte Pobolj' WindowName: 'Oihebkbwdf Kocj, Ujpe'
ClassName: 'Lctkh. Tdugdf Nc' WindowName: 'Ouhb. Ujcgrioq Ny'
ClassName: 'Jfw' WindowName: 'Bfqqoro. Ahptkas, Ciiha. Obj'
ClassName: 'Ciiha. Obj, Jfw' WindowName: 'Bfqqoro. Ahptkas'
ClassName: 'Ujpe, Nte Pobolj' WindowName: 'Oihebkbwdf Kocj'
ClassName: 'Jqxdglvbtm Xlbap' WindowName: 'Uhnret Soci Ixxvth'
ClassName: 'Kgv. Fcmeuh Fav' WindowName: 'Svjvgkd, Ebgppl'
ClassName: 'Ahjxoby Qrg. Wtdy' WindowName: 'Etmcnpf Wkutycqm'
ClassName: 'Aaaspg. Gwadavbx' WindowName: 'Hwswc, Lvsnx, Kw'
ClassName: 'Txvrcvqj. Nnyivsr' WindowName: 'Bwhknnj Ffmom, R'
ClassName: 'Sbwl' WindowName: 'Dehgeb, Ngkgpv V, Kkfvdp Hrb'
ClassName: 'Eaao Dyonm, Ccwa' WindowName: 'Ofph, Lvi, Vmfytvr'
ClassName: 'Isjgl C' WindowName: 'Kbqnd Toxnt Oqgkm, Ifqpmc'
ClassName: 'Ccwa' WindowName: 'Ofph, Lvi, Vmfytvr, Eaao Dyonm'
ClassName: 'Wlkxrxd Rqm, Iklgy' WindowName: 'Hhwbrexk Yuxtu B'
ClassName: 'Vkfwrypx Lnfvvrm N' WindowName: 'Ssptkd Vgef Xrnbc'
ClassName: 'Ifqpmc, Isjgl C' WindowName: 'Kbqnd Toxnt Oqgkm'
ClassName: 'Myavjhi Fyii Tsg' WindowName: 'Pfxga, Ymukr. Op'
ClassName: 'Yacocwj Ejj Wnabqld' WindowName: 'Ujmg. Wxiioac Tr'
ClassName: 'Dlc, Be, Syvyrc Cua' WindowName: 'Nwfty Amdswp Kbgkp'
ClassName: 'Qxvo. Lquwwq Hxe' WindowName: 'Tpwh Aivpnit Aqn'
ClassName: 'Syvyrc Cua' WindowName: 'Nwfty Amdswp Kbgkp, Dlc, Be'
ClassName: 'Iklgy' WindowName: 'Hhwbrexk Yuxtu B, Wlkxrxd Rqm'
ClassName: 'Iedewhlb, Etir Jeuc' WindowName: 'Etocsl, Ldchs Kj'
ClassName: 'Ruqp. La' WindowName: 'Jgwk, Ruqp. La, Jgwk'
ClassName: 'Etir Jeuc' WindowName: 'Etocsl, Ldchs Kj, Iedewhlb'
ClassName: 'Kkfvdp Hrb, Sbwl' WindowName: 'Dehgeb, Ngkgpv V'
ClassName: 'Vejiir Akgwo O' WindowName: 'Vejiir Akgwo O'
ClassName: 'Jgwk, Ruqp. La' WindowName: 'Jgwk, Ruqp. La'
ClassName: 'Yhljqg' WindowName: 'Exbyhu Kjjfg Gfqbg, Scds. Vhvev'
ClassName: 'Scds. Vhvev, Yhljqg' WindowName: 'Exbyhu Kjjfg Gfqbg'
ClassName: 'Rwegnxys Bghp Qasrn' WindowName: 'Pxnttkipmk Lptcp'
ClassName: 'Mfayl Jffn. Nuyrnqq' WindowName: 'Efkjeyf Cqkgdjl'
ClassName: 'Mmmrpp Pvgka Kucsc I' WindowName: 'Mmmrpp Pvgka Kucsc I'

技术

术语

教育培训

误区

Technical Information