Win32.HLLW.Autohit.13952
Added to the Dr.Web virus database:
2013-11-26
Virus description added:
2013-11-26
Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' = '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:*:Enabled:Windows Messanger'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%APPDATA%\Roaming\cryptish.exe' = '%APPDATA%\Roaming\cryptish.exe:*:Enabled:Windows Messanger'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
Executes the following:
- '<SYSTEM32>\reg.exe' -u -p 516 -s 4
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\conhost.exe'
- '<SYSTEM32>\conhost.exe' /pid=3016
- '<SYSTEM32>\reg.exe' /pid=1932
- '<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
- '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
- '<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /t REG_SZ /d "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:*:Enabled:Windows Messanger" /f
- '<SYSTEM32>\reg.exe' /pid=2980
- '<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%APPDATA%\Roaming\cryptish.exe" /t REG_SZ /d "%APPDATA%\Roaming\cryptish.exe:*:Enabled:Windows Messanger" /f
Injects code into
the following system processes:
- %WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Modifies file system :
Creates the following files:
- %APPDATA%\Roaming\cryptish.exe
- %APPDATA%\Roaming\123
- %HOMEPATH%\Y55M18.EI9
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<Virus name>.exe
- %TEMP%\aut58AA.tmp
Sets the 'hidden' attribute to the following files:
Deletes the following files:
Network activity:
Connects to:
- 'un#####r1337.zapto.org':3333
UDP:
- DNS ASK 6u#####ar1337.zapto.org
- DNS ASK 5u#####ar1337.zapto.org
- DNS ASK 7u#####ar1337.zapto.org
- DNS ASK 9u#####ar1337.zapto.org
- DNS ASK 8u#####ar1337.zapto.org
- DNS ASK 4u#####ar1337.zapto.org
- DNS ASK dn#.##ftncsi.com
- DNS ASK un#####r1337.zapto.org
- DNS ASK 1u#####ar1337.zapto.org
- DNS ASK 3u#####ar1337.zapto.org
- DNS ASK 2u#####ar1337.zapto.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息