Win32.HLLW.Autoruner2.19208
Added to the Dr.Web virus database:
2015-02-06
Virus description added:
2015-02-06
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\txtfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\7zfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\.exe] '' = 'exefile'
- [<HKLM>\SOFTWARE\Classes\rarfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\WMVFile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\wavfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\zipfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\AVIFile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\isofile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\mdbfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\ecfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '360.' = '%WINDIR%\svchest.exe'
- [<HKLM>\SOFTWARE\Classes\icofile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\dbfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\ghostfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\ghofile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\urlfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\pnffile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\batfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\.bat] '' = 'batfile'
- [<HKLM>\SOFTWARE\Classes\comfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\.com] '' = 'comfile'
- [<HKLM>\SOFTWARE\Classes\giffile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\jpgfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '<Virus name>.exe' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Classes\bmpfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\pngfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\.cmd] '' = 'cmdfile'
- [<HKLM>\SOFTWARE\Classes\lnkfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\inifile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\mp4file\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\mp3file\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\sysfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\VBSFile\Shell\Open\Command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\cmdfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\dllfile\shell\open\command] '' = '<Full path to virus> %1'
- [<HKLM>\SOFTWARE\Classes\JSFile\Shell\Open\Command] '' = '<Full path to virus> %1'
Creates the following files on removable media:
- <Drive name for removable media>:\AutoRun.inf
- <Drive name for removable media>:\AutoRun.exe
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Command Prompt (CMD)
- Registry Editor (RegEdit)
Executes the following:
- '<SYSTEM32>\taskkill.exe' /f /im 360tray.exe
- '<SYSTEM32>\taskkill.exe' /f /im VsTskMgr.exe
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\rundll32.exe' fldrclnr.dll,Wizard_RunDLL
- '<SYSTEM32>\taskkill.exe' /f /im KVXP.kxp
- '<SYSTEM32>\taskkill.exe' /f /im kavsvc.exe
- '<SYSTEM32>\taskkill.exe' /f /im Rav.exe
- '<SYSTEM32>\taskkill.exe' /f /im Mcshield.exe
- '<SYSTEM32>\taskkill.exe' /f /im Ravmon.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
- %WINDIR%\Explorer.EXE
the following user processes:
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRecentDocsMenu' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoClose' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoViewContextMenu' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoLogOff' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoControlPanel' = '00000001'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- C:\tianshideshouhu
- <Auxiliary element>
- <Current directory>\KillFile.sys
- <Current directory>\LianXue_SuperKill.sys
- \Device\CdRom0
- <Current directory>\Bypass.sys
- <Current directory>\Hook.dll
- C:\AutoRun.inf
- C:\AutoRun.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\AutoRun.inf
- C:\tianshideshouhu
- <Current directory>\Hook.dll
- C:\AutoRun.exe
- C:\AutoRun.inf
- <Drive name for removable media>:\AutoRun.exe
Deletes the following files:
- <Current directory>\LianXue_SuperKill.sys
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'iexplore.exe'
- ClassName: '' WindowName: 'cmd.exe'
- ClassName: 'BaseBar' WindowName: 'ChanApp'
- ClassName: 'CSCHiddenWindow' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
- ClassName: 'Proxy Desktop' WindowName: ''
- ClassName: '' WindowName: 'DF5Serve.exe'
- ClassName: '' WindowName: 'FrzState2k.exe'
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'deepfeeze'
- ClassName: '' WindowName: 'explorer.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'deepfeeze.exe'
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息