Win32.HLLW.Autohit.16767
Added to the Dr.Web virus database: 2017-12-27
Virus description added: 2017-12-27
Technical Information
Malicious functions:
Injects code into the following system processes:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Searches for registry branches where third-party applications store passwords:
- [<HKCU>\Software\SimonTatham\PuTTY\Sessions]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKLM>\Software\Martin Prikryl]
- [<HKLM>\Software\SimonTatham\PuTTY\Sessions]
- [<HKCU>\Software\NCH Software\Fling\Accounts]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Martin Prikryl]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\NCH Software\Fling\Accounts]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
Modifies file system:
Creates the following files:
- %APPDATA%\Microsoft\Protect\CREDHIST
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %APPDATA%\517D9D\DE2515.lck
- %TEMP%\QLORMW.exe
- %TEMP%\aut1.tmp
- %TEMP%\hdeoaxv
- %TEMP%\aut2.tmp
Deletes the following files:
- %APPDATA%\517D9D\DE2515.lck
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %TEMP%\aut2.tmp
- %TEMP%\aut1.tmp
- %TEMP%\hdeoaxv
Moves the following system files:
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe to %APPDATA%\517D9D\DE2515.exe
Substitutes the following files:
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
Network activity:
Connects to:
- '18#.#65.29.132':80
- '78.##0.176.208':1339
TCP:
HTTP POST requests:
- http://18#.#65.29.132/fhgtxrfg/Panel/five/fre.php
Miscellaneous:
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
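The listing above is a sandbox behaviour record, not a detection. The script below is an added example (not part of the Dr.Web entry) that turns those observations into offline triage logic run over constructed Sysmon-style event records: it folds per-user paths and registry hives back to the forms the entry uses so the same store matches under HKCU or HKLM, flags the listed file names and a generalised form of the %APPDATA%\517D9D\DE2515.exe drop (six hex characters for directory and stem, an assumption), flags any socket opened by RegAsm.exe, flags a POST to the listed URL path, and flags a single process that reads three or more distinct third-party credential stores in one run. The event schema, the pids, the user name, the TEST-NET address 203.0.113.7 and the threshold of three are all assumptions; the entry's masked IP addresses are deliberately not used, and the CREDHIST and Crypto\RSA entries are left out of the file indicators because they are DPAPI/CryptoAPI side-effect files with per-user names rather than attacker-chosen ones.

```python
"""Offline triage of Sysmon-style events against the behaviour listed in the
Win32.HLLW.Autohit.16767 entry. Added example; all event records are constructed."""
import re
from collections import defaultdict

# Credential stores from the entry, hive stripped and lower-cased so the HKCU and
# HKLM variants it lists for PuTTY, WinSCP, ClassicFTP and Fling match the same entry.
CRED_STORE_KEYS = {
    r"software\simontatham\putty\sessions",
    r"software\nch software\classicftp\ftpaccounts",
    r"software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\outlook",
    r"software\martin prikryl",
    r"software\nch software\fling\accounts",
    r"software\far\plugins\ftp\hosts",
    r"software\ghisler\total commander",
    r"software\vandyke\securefx",
    r"software\far2\plugins\ftp\hosts",
}
# File artefacts from the entry (DPAPI/CryptoAPI side-effect files omitted, see lead-in).
KNOWN_FILES = {
    r"%appdata%\517d9d\de2515.exe", r"%appdata%\517d9d\de2515.lck",
    r"%temp%\qlormw.exe", r"%temp%\hdeoaxv", r"%temp%\aut1.tmp", r"%temp%\aut2.tmp",
}
C2_PATH = "/fhgtxrfg/panel/five/fre.php"   # URL path from the entry; its IPs are masked
REGASM = r"\microsoft.net\framework\v2.0.50727\regasm.exe"
# Assumed generalisation of %APPDATA%\517D9D\DE2515.exe: six-hex-char directory and stem.
HEX6_DROP = re.compile(r"^%appdata%\\[0-9a-f]{6}\\[0-9a-f]{6}\.(exe|lck)$")
HIVE = re.compile(r"^(hkey_current_user|hkey_local_machine|hkcu|hklm|hku\\s-1-5-[0-9-]+)\\")
SWEEP_THRESHOLD = 3   # assumption: a legitimate client reads only its own store

def normalize_path(p):
    """Lower-case and fold per-user prefixes back to the %VAR% form the entry uses."""
    p = p.lower()
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", "%temp%", p)
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)
    return re.sub(r"^[a-z]:\\windows", "%windir%", p)

def normalize_regkey(k):
    return HIVE.sub("", k.lower()).rstrip("\\")

def matched_cred_store(key):
    """Return the listed store that a key equals or sits under, else None."""
    k = normalize_regkey(key)
    for store in CRED_STORE_KEYS:
        if k == store or k.startswith(store + "\\"):
            return store
    return None

def analyze(events):
    """Return (findings, stores): findings are (rule, pid, detail); stores maps pid -> stores read."""
    findings, stores = [], defaultdict(set)
    for e in events:
        pid, image = e["pid"], normalize_path(e["image"])
        if e["type"] == "file_create":
            target = normalize_path(e["target"])
            if target in KNOWN_FILES:
                findings.append(("known_ioc_path", pid, target))
            elif HEX6_DROP.match(target):
                findings.append(("hex6_appdata_drop", pid, target))
        elif e["type"] == "registry_query":
            store = matched_cred_store(e["key"])
            if store:
                stores[pid].add(store)
        elif e["type"] == "network_connect" and image.endswith(REGASM):
            # RegAsm.exe registers .NET assemblies for COM; it has no reason to open sockets.
            findings.append(("regasm_network", pid, f"{e['dst']}:{e['port']}"))
        elif e["type"] == "http_request":
            if e["method"] == "POST" and e["path"].lower() == C2_PATH:
                findings.append(("c2_post", pid, e["path"]))
    for pid, read in stores.items():
        if len(read) >= SWEEP_THRESHOLD:
            findings.append(("credential_store_sweep", pid, sorted(read)))
    return findings, stores

# Constructed sample events: pids, user name and 203.0.113.7 are made up for the example.
RA = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4120, "image": RA,
     "target": r"C:\Users\alice\AppData\Roaming\517D9D\DE2515.lck"},
    {"type": "file_create", "pid": 4120, "image": RA,
     "target": r"C:\Users\alice\AppData\Roaming\A1B2C3\D4E5F6.exe"},   # same shape, new names
    {"type": "registry_query", "pid": 4120, "image": RA,
     "key": r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\bastion"},
    {"type": "registry_query", "pid": 4120, "image": RA, "key": r"HKLM\Software\Martin Prikryl"},
    {"type": "registry_query", "pid": 4120, "image": RA, "key": r"HKCU\Software\Ghisler\Total Commander"},
    {"type": "network_connect", "pid": 4120, "image": RA, "dst": "203.0.113.7", "port": 1339},
    {"type": "http_request", "pid": 4120, "image": RA, "method": "POST", "path": "/fhgtxrfg/Panel/five/fre.php"},
    # Benign control: PuTTY reading its own sessions must not trip the sweep rule.
    {"type": "registry_query", "pid": 880, "image": r"C:\Program Files\PuTTY\putty.exe",
     "key": r"HKCU\Software\SimonTatham\PuTTY\Sessions"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS)[0]:
        print(f"{rule:24} pid={pid} {detail}")
```

The sweep rule is the one that survives renaming: the dropped file names, the lock file and the C2 path change between builds, but a stealer that reads PuTTY, WinSCP, Total Commander, SecureFX and FAR session stores from one process still stands out against any legitimate client, which reads only its own key. Feed the script real Sysmon events by mapping EventID 11, 12/13 and 3 records onto the same dictionary shape.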