Win32.HLLW.Autohit.16213
Added to the Dr.Web virus database:
2017-03-14
Virus description added:
2017-03-14
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\Microsoft Update.lnk
Malicious functions:
Executes the following:
- '%TEMP%\bot.exebot.exe'
- '<SYSTEM32>\schtasks.exe' /Create /TN "Update\update" /XML "%TEMP%\z25"
- '<SYSTEM32>\schtasks.exe' /Create /TN "Update\update" /XML "%TEMP%\z319"
- '%APPDATA%\Soid\pali.exe'
- '%TEMP%\APMCVS.exe'
- '%TEMP%\MHZFFJ.exe'
- '<SYSTEM32>\schtasks.exe' /Create /TN "Update\update" /XML "%TEMP%\z178"
- '%TEMP%\QSCCKM.exe'
Injects code into
the following system processes:
a large number of user processes.
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\Microsoft\Internet Account Manager]
- [<HKCU>\SOFTWARE\ftpware\coreftp\sites]
- [<HKCU>\Software\Microsoft\Windows Live Mail]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKLM>\SOFTWARE\martin prikryl\winscp 2\sessions]
- [<HKCU>\SOFTWARE\Far\Plugins\ftp\hosts]
- [<HKCU>\SOFTWARE\Ghisler\Total Commander]
- [<HKCU>\SOFTWARE\martin prikryl\winscp 2\sessions]
- [<HKCU>\SOFTWARE\Far2\Plugins\ftp\hosts]
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1A03' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1A10' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A10' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A05' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonBadCertRecving' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1A06' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1A05' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1A02' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1406' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1406' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
Modifies file system:
Creates the following files:
- %TEMP%\Cab1F.tmp
- %TEMP%\Cab1D.tmp
- %TEMP%\Cab23.tmp
- %TEMP%\Cab21.tmp
- %TEMP%\Cab1B.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\Cab13.tmp
- %TEMP%\Cab19.tmp
- %TEMP%\Cab17.tmp
- %APPDATA%\svchost
- %TEMP%\bot.exebot.exe
- %TEMP%\z319
- <LS_APPDATA>\Identities\{5518F2FB-DB74-45A3-BEC1-4575D8D9DC84}\Microsoft\Outlook Express\Sent Items.dbx
- %APPDATA%\Soid\pali.exe
- %TEMP%\z25
- %TEMP%\Cab25.tmp
- %TEMP%\z178
- %TEMP%\Cab29.tmp
- %TEMP%\Cab27.tmp
- %TEMP%\aut4.tmp
- %TEMP%\APMCVS.exe
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- %TEMP%\QSCCKM.exe
- %TEMP%\aut3.tmp
- %TEMP%\sgxkzem
- %TEMP%\aut1.tmp
- %TEMP%\MHZFFJ.exe
- %TEMP%\aut2.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- %TEMP%\CabD.tmp
- %TEMP%\CabB.tmp
- %TEMP%\Cab11.tmp
- %TEMP%\CabF.tmp
- %TEMP%\Cab9.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- %TEMP%\Cab7.tmp
- %TEMP%\Cab5.tmp
Sets the 'hidden' attribute to the following files:
Deletes the following files:
- %TEMP%\Cab1B.tmp
- %TEMP%\Cab1D.tmp
- %TEMP%\Cab1F.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\Cab17.tmp
- %TEMP%\Cab19.tmp
- %TEMP%\Cab27.tmp
- %TEMP%\Cab29.tmp
- %TEMP%\z178
- %TEMP%\Cab21.tmp
- %TEMP%\Cab23.tmp
- %TEMP%\Cab25.tmp
- %TEMP%\Cab13.tmp
- %TEMP%\aut3.tmp
- %TEMP%\aut4.tmp
- %TEMP%\Cab5.tmp
- %TEMP%\aut1.tmp
- %TEMP%\sgxkzem
- %TEMP%\aut2.tmp
- %TEMP%\CabD.tmp
- %TEMP%\CabF.tmp
- %TEMP%\Cab11.tmp
- %TEMP%\Cab7.tmp
- %TEMP%\Cab9.tmp
- %TEMP%\CabB.tmp
Network activity:
Connects to:
- 'ca#####.digicert.com':80
- 'any':1337
- 'bl####ills.ddns.net':1337
- 'wp#d':80
- 'www.download.windowsupdate.com':80
TCP:
HTTP GET requests:
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- http://ca#####.digicert.com/DigiCertAssuredIDRootCA.crt
- http://11#.#11.111.1/wpad.dat via wp#d
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
UDP:
- DNS ASK ca#####.digicert.com
- DNS ASK de###sing.top
- DNS ASK bl####ills.ddns.net
- DNS ASK wp#d
- DNS ASK www.download.windowsupdate.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息