JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner.2985
Added to the Dr.Web virus database:
2008-10-19
Virus description added:
2014-07-13
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CmdWindows' = '%WINDIR%\win32cmd.exe'
Creates the following files on removable media:
<Drive name for removable media>:\system32.vbs
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:Microsoft Windows Update Platform'
Creates and executes the following:
'%WINDIR%\nokia32.exe'
'%WINDIR%\win32explor.exe'
'%WINDIR%\systemerror.exe'
'<SYSTEM32>\xcopy.exe' (downloaded from the Internet)
'%WINDIR%\win32explor.exe' (downloaded from the Internet)
'%WINDIR%\systemerror.exe' (downloaded from the Internet)
'%WINDIR%\nokia32.exe' (downloaded from the Internet)
Executes the following:
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs C:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf M:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs E:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs <Drive name for removable media>:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf J:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf I:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf L:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf K:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs F:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs L:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs K:\system32.vbs
'<SYSTEM32>\xcopy.exe'
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs M:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs H:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs G:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs J:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h <SYSTEM32>.vbs I:\system32.vbs
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe H:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe G:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe J:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe I:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe C:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe <Drive name for removable media>:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe E:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe F:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe K:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf F:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf E:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf H:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf G:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe M:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\win32cmd.exe L:\win32cmd.exe
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf <Drive name for removable media>:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h %WINDIR%\autorun.inf C:\autorun.inf
Injects code into
the following system processes:
the following user processes:
Modifies file system :
Creates the following files:
%WINDIR%\systemerror.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\systeml[1].exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\system[1].exe
%WINDIR%\files\Lesbi.Games2.mpg.exe
%WINDIR%\files\Russian.Girls.avi.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\system[1].exe
%WINDIR%\mind32red.exe
%WINDIR%\win32explor.exe
%WINDIR%\nokia32.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\system[1].exe
%WINDIR%\multihosts.exe
%WINDIR%\files\ICQ.hacking.exe
%WINDIR%\win32cmd.exe
%WINDIR%\autorun.inf
<SYSTEM32>.vbs
%WINDIR%\files\My.Porno.Video.avi.exe
%WINDIR%\files\Lesbi.Games.mpg.exe
%WINDIR%\files\hotmail_hacker.exe
%WINDIR%\files\invisible_IP.exe
%WINDIR%\files\msn_crack.exe
Sets the 'hidden' attribute to the following files:
%WINDIR%\win32cmd.exe
<Drive name for removable media>:\system32.vbs
%WINDIR%\autorun.inf
<SYSTEM32>.vbs
Modifies the HOSTS file.
Network activity:
Connects to:
'www.po##pics.ru':80
'il####natigear.com':80
'www.dm##ca6.org':80
'localhost':1037
'www.ma###sallem.ro':80
TCP:
HTTP GET requests:
www.po##pics.ru/data/vt/system.exe
il####natigear.com/catalog/images/system.exe
www.ma###sallem.ro/forum/Smileys/system.exe
www.dm##ca6.org/systeml.exe
UDP:
DNS ASK www.po##pics.ru
DNS ASK il####natigear.com
DNS ASK www.ma###sallem.ro
DNS ASK www.dm##ca6.org
欢迎下载 Dr.Web for Android
免费3个月
可使用所有保护组件
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息
OK