用户服务中心

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

CN

RU CN DE EN ES FR IT JP KZ UZ PL BY ID

Dr.Web vxCube

打开分析仪

病毒知识库

病毒介绍

技术

术语

教育培训

误区

有关反病毒软件的误区

Win32.HLLW.Autoruner1.36870

Added to the Dr.Web virus database: 2013-05-12

Virus description added: 2021-03-25

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\netipers] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\netipers] 'ImagePath' = '%WINDIR%\IME\svchost.exe'
[<HKLM>\System\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\ime\WinRing0x64.sys'

Creates the following services

'netipers' %WINDIR%\IME\svchost.exe
'WinRing0_1_2_0' %WINDIR%\ime\WinRing0x64.sys

Malicious functions

Executes the following

'%WINDIR%\syswow64\net.exe' stop "Application Managements"
'%WINDIR%\syswow64\net.exe' stop ".NET Runtime Optimization Service"
'%WINDIR%\syswow64\taskkill.exe' /f /im schost.exe
'%WINDIR%\syswow64\taskkill.exe' /f /im svhost.exe
'%WINDIR%\syswow64\taskkill.exe' /f /im taskmgrs.exe
'%WINDIR%\syswow64\taskkill.exe' /f /im taskngr.exe
'%WINDIR%\syswow64\taskkill.exe' /f /im taskmgr.exe

Modifies file system

Creates the following files

%WINDIR%\ime\install.vbs
%WINDIR%\ime\cls.bat
%WINDIR%\ime\winring0x64.sys
%WINDIR%\ime\svchosts.exe
%WINDIR%\ime\svhostssss.exe
%TEMP%\hz~8342.tmp.bat
nul
%WINDIR%\ime\null

Sets the 'hidden' attribute to the following files

%WINDIR%\ime\svchost.exe
%WINDIR%\ime\taskmgr.exe
%WINDIR%\ime\winring0x64.sys

Moves the following files

from %WINDIR%\ime\svhostssss.exe to %WINDIR%\ime\taskmgr.exe
from %WINDIR%\ime\svchosts.exe to %WINDIR%\ime\svchost.exe

Deletes itself.

Network activity

Connects to

'od##.#uckdns.org':1454

TCP

'od##.#uckdns.org':1454

UDP

DNS ASK od##.#uckdns.org

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%WINDIR%\syswow64\wscript.exe' "%WINDIR%\IME\install.vbs"
'%WINDIR%\ime\svchost.exe' install netipers %WINDIR%\ime\taskmgr.exe
'%WINDIR%\ime\svchost.exe' start netipers
'%WINDIR%\ime\svchost.exe'
'%WINDIR%\ime\taskmgr.exe'
'%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\HZ~8342.tmp.bat"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\IME\cls.bat" "' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\HZ~8342.tmp.bat"
'%WINDIR%\syswow64\attrib.exe' +s +h taskmgr.exe
'%WINDIR%\syswow64\attrib.exe' +s +h svchost.exe
'%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 2
'%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 5
'%WINDIR%\syswow64\svchost.exe' remove netipstarts confirm
'%WINDIR%\syswow64\svchost.exe' stop netipstarts
'%WINDIR%\syswow64\svchost.exe' remove netipstart confirm
'%WINDIR%\syswow64\svchost.exe' stop netipstart
'%WINDIR%\syswow64\svchost.exe' remove netips confirm
'%WINDIR%\syswow64\svchost.exe' stop netips
'%WINDIR%\syswow64\svchost.exe' remove netip confirm
'%WINDIR%\syswow64\svchost.exe' stop netip
'%WINDIR%\syswow64\attrib.exe' +s +h WinRing0x64.sys
'%WINDIR%\syswow64\svchost.exe' remove ipsercess confirm
'%WINDIR%\syswow64\svchost.exe' remove ipserces confirm
'%WINDIR%\syswow64\svchost.exe' stop ipserces
'%WINDIR%\syswow64\sc.exe' delete ".NET Runtime Optimization Service"
'%WINDIR%\syswow64\net1.exe' stop ".NET Runtime Optimization Service"
'%WINDIR%\syswow64\sc.exe' delete "Application Managements"
'%WINDIR%\syswow64\net1.exe' stop "Application Managements"
'%WINDIR%\syswow64\attrib.exe' -s -h taskmgr.exe
'%WINDIR%\syswow64\attrib.exe' -s -h taskmgrs.exe
'%WINDIR%\syswow64\attrib.exe' -s -h svhost.exe
'%WINDIR%\syswow64\attrib.exe' -s -h svchost.exe
'%WINDIR%\syswow64\sc.exe' QUERY netip
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\IME\cls.bat" "
'%WINDIR%\syswow64\svchost.exe' stop ipsercess
'%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=win