Win32.HLLW.Autoruner1.14554
Added to the Dr.Web virus database:
2012-04-12
Virus description added:
2012-05-02
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Classes\VBSFile\Shell\Open\Command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Classes\chm.file\shell\open\command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Classes\regfile\shell\open\command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Classes\inifile\shell\open\command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Classes\Drive\shell\open\command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Classes\txtfile\shell\open\command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Classes\inffile\shell\open\command] '' = '%WINDIR%\winlog.EXE %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'Debugger' = '%WINDIR%\winlog.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe] 'Debugger' = '%WINDIR%\winlog.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\Recycled.{645FF040-5081-101B-9F08-00AA002F954E}\winlog.EXE
- <Drive name for removable media>:\autorun.inf
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
Creates and executes the following:
Modifies file system :
Creates the following files:
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
Network activity:
Connects to:
TCP:
HTTP GET requests:
- hu####520.11nn.net/lj/1.txt
UDP:
- DNS ASK hu####520.11nn.net
- '<Private IP address>':1035
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息