用户服务中心

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

CN

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
Close
服务
扫描仪
Dr.Web vxCube
试用
计算机病毒事件调查
病毒知识库
知识库

技术

术语

教育培训

误区

新闻

Win32.HLLW.Facebook.156.origin

Added to the Dr.Web virus database: 2025-01-31

Virus description added:

Technical Information

To ensure autorun and distribution
Sets the following service settings
  • [HKLM\System\CurrentControlSet\Services\ddnsfilter] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\ddnsfilter] 'ImagePath' = '<SYSTEM32>\SvchoSt.ExE -k ddnsfilter'
  • [HKLM\sYsTEM\CuRrenTcoNtroLsET\serVicES\dDNsFilter\pAraMEters] 'ServICeDll' = '%ProgramFiles(x86)%\DDnsFilter\DDnsFilter.dll'
  • [HKLM\System\CurrentControlSet\Services\DnsFilter] 'Start' = '00000001'
  • [HKLM\System\CurrentControlSet\Services\DnsFilter] 'ImagePath' = '<DRIVERS>\DnsFilter.sys'
Creates the following services
  • 'ddnsfilter' <SYSTEM32>\SvchoSt.ExE -k ddnsfilter
  • 'DnsFilter' <DRIVERS>\DnsFilter.sys
Malicious functions
Executes the following
  • '%WINDIR%\syswow64\netsh.exe' fIrewaLl AdD AllOWeDPrOgrAm naMe="ddnsfilter" prOGram="<SYSTEM32>\SvchoSt.ExE" mode=ENABLE
  • '%WINDIR%\syswow64\netsh.exe' fIrewaLl AdD pOrToPEnIng tcP 8085 ddnsfilter eNABLe
Modifies file system
Creates the following files
  • <Full path to file>.exe
  • %WINDIR%\syswow64\drivers\dnsfilter.sys
  • %ProgramFiles(x86)%\ddnsfilter\ddnsfilter.dll
  • %TEMP%\dnsfilter.bat
Deletes the following files
  • <Full path to file>.exe
Network activity
Connects to
  • 'localhost':8085
Miscellaneous
Creates and executes the following
  • '<Full path to file>.exe' /res
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' /c copy "<Full path to file>" "<Full path to file>.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c "<Full path to file>.exe" /res >%teMP%\DnsFilter.bat
  • '%WINDIR%\syswow64\cmd.exe' /c "%teMP%\DnsFilter.bat"
  • '%WINDIR%\syswow64\reg.exe' add "soFtWARe\miCRoSOfT\INTerNEt exPloREr\MAin" /v tp /t REG_SZ /d 8238
  • '%WINDIR%\syswow64\sc.exe' CreATe "ddnsfilter" tyPE= share start= auto binPaTh= "<SYSTEM32>\SvchoSt.ExE -k ddnsfilter"
  • '%WINDIR%\syswow64\reg.exe' adD "hklm\sYsTEM\CuRrenTcoNtroLsET\serVicES\dDNsFilter\pAraMEters" /v ServICeDll /t ReG_EXpaND_Sz /d "%ProgramFiles(x86)%\DDnsFilter\DDnsFilter.dll" /f
  • '%WINDIR%\syswow64\reg.exe' adD "hklm\sYsTEM\CuRrenTcoNtroLsET\serVicES\dDNsFilter" /v FailuREaCtIOns /t rEG_BInaRY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
  • '%WINDIR%\syswow64\reg.exe' adD "hklm\SOfTwaRe\mIcrOSoFt\WiNdoWs nt\CURrENtveRSiOn\svcHoSt" /v ddnsfilter /t rEg_mULti_sz /d "ddnsfilter\0" /f
  • '%WINDIR%\syswow64\sc.exe' start ddnsfilter
  • '%WINDIR%\syswow64\svchost.exe' -k ddnsfilter
  • '%WINDIR%\syswow64\sc.exe' boot ok
  • '%WINDIR%\syswow64\ipconfig.exe' /flushdns
  • '%WINDIR%\syswow64\cmd.exe' /c copy "<Full path to file>" "<Full path to file>.exe"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c "<Full path to file>.exe" /res >%teMP%\DnsFilter.bat' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c "%teMP%\DnsFilter.bat"' (with hidden window)
Wechat