Win32.HLLW.Autoruner.58786
Added to the Dr.Web virus database:
2011-09-13
Virus description added:
2011-09-13
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Client Server Runtime Subsystem Server 7.20' = 'C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Session Manager Subsystem Server 3.91' = 'C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Client Server Runtime Subsystem Server 7.20' = 'C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0115-0409-0000-0000000FF1CE}-c\temp\tag\HIVE08111145815PM.exe'
Creates or modifies the following files:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\Windows update.lnk
%HOMEPATH%\Start Menu\Programs\Startup\Windows update.lnk
Creates the following files on removable media:
<Drive name for removable media>:\SpoolBin.exe
<Drive name for removable media>:\autorun.inf
Malicious functions:
Creates and executes the following:
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
Modifies file system:
Creates the following files:
C:\SpoolBin.exe
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\Default\Misc\Utilities\Settings\08-11-2011-04-58-23-PM.ini
C:\autorun.inf
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de.lnk
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\MSWinUpdate.exe
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\autorun.inf
C:\SpoolBin.exe
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
<Drive name for removable media>:\SpoolBin.exe
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de.lnk
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
C:\autorun.inf
C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\MSWinUpdate.exe
Moves itself:
from <Full path to virus> to C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0115-0409-0000-0000000FF1CE}-c\temp\tag\HIVE08111145815PM.exe
Deletes itself.
Network activity:
Connects to:
'np#####38.localdomain':139
'np#####38.localdomain':80
'np#####38.localdomain':445
UDP:
DNS ASK NP#####38.localdomain
Miscellaneous:
Searches for the following windows:
ClassName: '' WindowName: '0 Sm9ssE2039 E smss.exe 893'
ClassName: '' WindowName: '0 Sm9ssE2039 E csrss.exe 893'
ClassName: '' WindowName: '0 Sm9ssE2039 E INSTALLER 893'
ClassName: '' WindowName: '0 Sm9ssE2039 E SpoolBin.exe 893'