Win32.HLLW.Autoruner1.34499
Added to the Dr.Web virus database:
2013-03-27
Virus description added:
2013-04-07
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\<Virus name>.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\m_l_<Virus name>.exe' = '<SYSTEM32>\m_l_<Virus name>.exe:*:Enabled:m_l_winst'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\<Virus name>.exe' = '<SYSTEM32>\<Virus name>.exe:*:Enabled:winst'
Creates and executes the following:
- <SYSTEM32>\p_e_<Virus name>.exe /stext <SYSTEM32>\p_e.log
- <SYSTEM32>\p_r_<Virus name>.exe /stext <SYSTEM32>\p_r.log
- <SYSTEM32>\p_m_<Virus name>.exe /stext <SYSTEM32>\p_m.log
- <SYSTEM32>\p_n_<Virus name>.exe /stext <SYSTEM32>\p_n.log
- <SYSTEM32>\winst.exe
- <SYSTEM32>\p_c_<Virus name>.exe /stext <SYSTEM32>\p_c.log
- <SYSTEM32>\p_p_<Virus name>.exe /stext <SYSTEM32>\p_p.log
- <SYSTEM32>\p_d_<Virus name>.exe /stext <SYSTEM32>\p_d.log
- <SYSTEM32>\s_n_winst.exe sentinel
- <SYSTEM32>\p_f_<Virus name>.exe /stext <SYSTEM32>\p_f.log
- <SYSTEM32>\s_s_winst.exe sentinel
- <SYSTEM32>\p_i_<Virus name>.exe /stext <SYSTEM32>\p_i.log
- <SYSTEM32>\m_l_<Virus name>.exe
- <SYSTEM32>\<Virus name>.exe
- <SYSTEM32>\p_c_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_p_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_d_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_f_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_m_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_i_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_n_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_r_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\m_l_<Virus name>.exe (downloaded from the Internet)
- <SYSTEM32>\p_e_<Virus name>.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\cmd.exe /c ""<SYSTEM32>\log_master.bat" "
- %WINDIR%\explorer.exe <Current directory>\
Terminates or attempts to terminate
the following user processes:
- AVSYNMGR.EXE
- fsav.exe
- AVPCC.EXE
- AVPM.EXE
- fsavgui.exe
- NAVAPW32.EXE
- fsav32.exe
- fsavaui.exe
- avgcc.exe
- AVGCC32.EXE
- ashAvast.exe
- ashAvSrv.exe
- AVP.EXE
- AVP32.EXE
- AVGCTRL.EXE
- AVP.COM
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\p_r[1].exe
- <SYSTEM32>\p_r_<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\p_p[1].exe
- <SYSTEM32>\p_e_<Virus name>.exe
- <SYSTEM32>\p_n_<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\check[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\p_e[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\p_c[1].exe
- <SYSTEM32>\p_c_<Virus name>.exe
- <SYSTEM32>\log_master.txt
- <SYSTEM32>\p_d_<Virus name>.exe
- <SYSTEM32>\p_p_<Virus name>.exe
- <SYSTEM32>\winst.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\p_d[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\p_n[1].exe
- <SYSTEM32>\s_s_winst.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\m[1].exe
- <SYSTEM32>\m_l_<Virus name>.exe
- <SYSTEM32>\s_n_winst.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\check[1].php
- <SYSTEM32>\<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\check[1].php
- <SYSTEM32>\p_i_<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\p_m[1].exe
- <SYSTEM32>\p_m_<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\p_i[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\p_f[1].exe
- <SYSTEM32>\p_f_<Virus name>.exe
- <SYSTEM32>\log_master.bat
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <SYSTEM32>\m_l_<Virus name>.exe
- <SYSTEM32>\winst.exe
- <Drive name for removable media>:\<Virus name>.exe
- <SYSTEM32>\<Virus name>.exe
- <SYSTEM32>\s_n_winst.exe
- <SYSTEM32>\s_s_winst.exe
Deletes the following files:
- <SYSTEM32>\p_p_<Virus name>.exe
- <SYSTEM32>\p_r_<Virus name>.exe
- <SYSTEM32>\p_e_<Virus name>.exe
- <SYSTEM32>\log_master.txt
- <SYSTEM32>\p_c_<Virus name>.exe
- <SYSTEM32>\p_d_<Virus name>.exe
- <SYSTEM32>\p_n_<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\check[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\check[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\check[1].php
- <SYSTEM32>\p_m_<Virus name>.exe
- <SYSTEM32>\p_i_<Virus name>.exe
- <SYSTEM32>\p_f_<Virus name>.exe
Network activity:
Connects to:
- 'localhost':1044
- 'localhost':1046
- 'localhost':1041
- 'localhost':1036
- 'www.la###ategia.com':80
TCP:
HTTP GET requests:
- www.la###ategia.com/winst/files/p_r.exe
- www.la###ategia.com/winst/files/p_e.exe
- www.la###ategia.com/winst/files/p_p.exe
- www.la###ategia.com/winst/files/p_c.exe
- www.la###ategia.com/winst/files/p_d.exe
- www.la###ategia.com/winst/files/p_n.exe
- www.la###ategia.com/winst/files/m.exe
- www.la###ategia.com/winst/???#########################
- www.la###ategia.com/winst/files/p_f.exe
- www.la###ategia.com/winst/files/p_m.exe
- www.la###ategia.com/winst/files/p_i.exe
UDP:
- DNS ASK www.la###ategia.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: ''
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息