Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLM.Limar.4384

Added to the Dr.Web virus database: 2012-10-21

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'SonyAgent' = '<Full path to virus>'
Malicious functions:
Searches for registry branches where third party applications store passwords:
  • [<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
  • [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
  • [<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
  • [<HKLM>\Software\FlashFXP\3]
  • [<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
  • [<HKCU>\Software\BPFTP]
  • [<HKCU>\Software\South River Technologies\WebDrive\Connections]
  • [<HKCU>\Software\FTP Explorer\Profiles]
  • [<HKCU>\Software\FTPWare\COREFTP\Sites]
  • [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
  • [<HKCU>\Software\Sota\FFFTP\Options]
  • [<HKLM>\Software\FlashFXP]
  • [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
  • [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
  • [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
  • [<HKCU>\SOFTWARE\Microsoft\MessengerService]
  • [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
  • [<HKCU>\Software\Ghisler\Windows Commander]
  • [<HKCU>\Software\FlashFXP]
  • [<HKCU>\Software\FlashFXP\3]
  • [<HKLM>\Software\Ghisler\Total Commander]
  • [<HKCU>\Software\Ghisler\Total Commander]
  • [<HKLM>\Software\Ghisler\Windows Commander]
Modifies file system :
Creates the following files:
  • <DRIVERS>\npf.sys
  • <SYSTEM32>\wpcap.dll
  • <SYSTEM32>\Packet.dll
Sets the 'hidden' attribute to the following files:
  • <Full path to virus>
Network activity:
Connects to:
  • 'localhost':1077
  • '92.##5.166.215':80
  • '87.##0.119.10':80
  • '79.##8.194.70':80
  • 'localhost':1080
  • '14#.#.185.13':80
  • 'localhost':1068
  • 'localhost':1071
  • 'localhost':1074
  • '81.##8.14.80':80
  • 'localhost':1083
  • '95.##.129.43':80
  • 'localhost':1092
  • '79.##5.122.22':80
  • '81.##8.146.8':80
  • '78.#7.9.4':80
  • 'localhost':1086
  • '18#.#5.137.11':80
  • '89.##8.127.38':80
  • '82.##3.189.2':80
  • 'localhost':1089
  • '87.#7.20.76':80
  • 'localhost':1044
  • '81.##.120.102':80
  • '94.##2.234.249':80
  • '89.##.212.14':80
  • 'localhost':1047
  • '94.##4.149.214':80
  • 'localhost':1035
  • 'localhost':1038
  • 'localhost':1041
  • '46.##1.27.18':80
  • 'localhost':1050
  • '86.##6.205.237':80
  • 'localhost':1059
  • 'localhost':1062
  • 'localhost':1065
  • '46.##1.158.11':80
  • 'localhost':1053
  • '37.##0.123.85':80
  • '89.##.221.16':80
  • '78.#4.70.95':80
  • 'localhost':1056
TCP:
HTTP GET requests:
  • 81.##8.146.8/default.htm
  • 78.#7.9.4/default.htm
  • 79.##5.122.22/start.htm