Win32.HLLW.Autoruner2.30207
Added to the Dr.Web virus database:
2017-11-13
Virus description added:
2017-11-13
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WordPress' = 'wscript.exe //B "%APPDATA%\WordPress.vbs"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WordPress' = 'wscript.exe //B "%APPDATA%\WordPress.vbs"'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\WordPress.vbs
Creates the following files on removable media:
- <Drive name for removable media>:\WordPress.vbs
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' //B "%APPDATA%\WordPress.vbs"
- '<SYSTEM32>\wscript.exe' "%TEMP%\WordPress.vbs"
Executes the following:
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\zerif-pro.jpg
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\metro-wordpress-themes.jpg
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\2.png
Modifies file system:
Creates the following files:
- %TEMP%\Requirements.docx
- %TEMP%\WordPress.vbs
- %APPDATA%\WordPress.vbs
- %TEMP%\2.png
- %TEMP%\metro-wordpress-themes.jpg
- %TEMP%\zerif-pro.jpg
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\WordPress.vbs
Network activity:
Connects to:
- 'ou######mpany2.hopto.org':1001
- 'localhost':1037
UDP:
- DNS ASK ou######mpany2.hopto.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息