Win32.HLLW.Gedzac.10
Added to the Dr.Web virus database:
2012-07-28
Virus description added:
2012-08-18
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\regfile\shell\open\command] '' = '%WINDIR%\MSRundll32.exe "%1" %*'
- [<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '%WINDIR%\MSRundll32.exe "%1" %*'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- System Restore (SR)
- System File Checker (SFC)
Creates and executes the following:
Executes the following:
- <SYSTEM32>\net1.exe stop SharedAccess
- <SYSTEM32>\net.exe stop SharedAccess
- %WINDIR%\regedit.exe /s c:\l.reg
Terminates or attempts to terminate
the following user processes:
- bdagent.exe
- bdss.exe
- AVPM.EXE
- AVSYNMGR.EXE
- ccapp.exe
- Drweb32w.exe
- drweb386.exe
- ClamWin.exe
- drweb.exe
- AVPCC.EXE
- ashAvSrv.exe
- avgcc.exe
- ash.exe
- ashAvast.exe
- AVGCC32.EXE
- AVP.EXE
- AVP32.EXE
- AVGCTRL.EXE
- AVP.COM
Modifies file system :
Creates the following files:
- %WINDIR%\ymsg\chicas_girls.zip
- %WINDIR%\ymsg\Mi foto.zip
- %WINDIR%\ymsg\Video.zip
- %WINDIR%\ymsg\amor_love.zip
- %WINDIR%\ymsg\mi poema.zip
- C:\l.reg
- %WINDIR%\MSRundll32.exe
- C:\hst.sys
- %WINDIR%\Leliel.zip
- %WINDIR%\Wininit.ini
Network activity:
Connects to:
- '<Private IP address>':80
- '<Private IP address>':139
- '<Private IP address>':445
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息