Win32.HLLW.Autoruner1.51068
Added to the Dr.Web virus database:
2013-07-20
Virus description added:
2013-07-20
Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\javaSetup.exe' /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
- '%TEMP%\javaSetup.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\cscript.exe' //NoLogo %TEMP%\hd.vbs
Modifies file system:
Creates the following files:
- %PROGRAM_FILES%\Zona\License_uk.rtf
- %PROGRAM_FILES%\Zona\License_ru.rtf
- %PROGRAM_FILES%\Zona\License_en.rtf
- %TEMP%\appdata.7z
- %TEMP%\Zona.7z
- %PROGRAM_FILES%\Zona\utils.jar
- %APPDATA%\Zona\init.xml
- %TEMP%\ZonaInstall.log
- %TEMP%\hd.vbs
- %TEMP%\javaSetup.exe
- %TEMP%\zon2.tmp
Network activity:
Connects to:
- 'i2.#8.net':80
- 'zo#a.ru':80
TCP:
HTTP GET requests:
- zo#a.ru/Zona.7z
- zo#a.ru/appdata.7z
- i2.#8.net/T/gJr_X.jpeg
- zo#a.ru/jre_latest.exe
UDP:
- DNS ASK dl.#ona.ru
- DNS ASK i2.#8.net
- DNS ASK zo#a.ru
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'