Win32.HLLW.Rubbish.266
Added to the Dr.Web virus database:
2012-11-27
Virus description added:
2012-11-28
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqsc.exe.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ati2evxx.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinDbg.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idag.exexe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxtray.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqkav.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rising.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvcUI.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVsrvXP.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtimer.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
Creates or modifies the following files:
Malicious functions:
Executes the following:
- <SYSTEM32>\svchost.exe -k netsvcs
- <SYSTEM32>\dumprep.exe 1136 -dm 7 7 %TEMP%\WER1db7.dir00\svchost.exe.mdmp 16325836412032028
- <SYSTEM32>\cmd.exe /c <SYSTEM32>\tpnc.bat
Modifies file system :
Creates the following files:
- %TEMP%\nctfub1.tmp
- <SYSTEM32>\atielf.dat
- %TEMP%\~wxp2ins.312.tmp
- <SYSTEM32>\tpnc.bat
- %TEMP%\WER1db7.dir00\svchost.exe.mdmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\url[1].txt
Deletes the following files:
- %TEMP%\~wxp2ins.312.tmp
- %TEMP%\nctfub1.tmp
- <SYSTEM32>\tpnc.bat
Deletes itself.
Network activity:
Connects to:
- '<Private IP address>':80
- 'ur#.#ao365.org':80
- '<Private IP address>':139
- '<Private IP address>':445
- 'localhost':1037
TCP:
UDP:
Miscellaneous:
Searches for the following windows:
- ClassName: 'Notifywnd' WindowName: ''
- ClassName: '' WindowName: '??m+?'
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息