Win32.HLLW.Autoruner2.25381
Added to the Dr.Web virus database:
2016-09-25
Virus description added:
2016-09-25
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
%HOMEPATH%\Start Menu\Programs\Startup\taskhost.exe
Creates the following files on removable media:
<Drive name for removable media>:\USBDriver.exe
<Drive name for removable media>:\autorun.inf
Malicious functions:
Executes the following:
'%TEMP%\RarSFX1\run.exe'
'%TEMP%\RarSFX0\run.sfx.exe' -p00000 -d
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\RarSFX0\run.bat" "
Modifies file system:
Creates the following files:
<LS_APPDATA>\taskhost\run.exe_Url_chz5dt0ejeeimedro0cb0nb3bby1odvc\1.0.0.0\_muklth3.newcfg
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\gate[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\gate[2].php
%TEMP%\RarSFX0\run.bat
%TEMP%\RarSFX0\run.sfx.exe
%TEMP%\RarSFX1\run.exe
Sets the 'hidden' attribute to the following files:
%HOMEPATH%\Start Menu\Programs\Startup\taskhost.exe
<Drive name for removable media>:\USBDriver.exe
<Drive name for removable media>:\autorun.inf
Moves the following files:
from <LS_APPDATA>\taskhost\run.exe_Url_chz5dt0ejeeimedro0cb0nb3bby1odvc\1.0.0.0\_muklth3.newcfg to <LS_APPDATA>\taskhost\run.exe_Url_chz5dt0ejeeimedro0cb0nb3bby1odvc\1.0.0.0\user.config
Network activity:
Connects to:
'ze##ttp.ml':80
'localhost':1038
TCP:
HTTP GET requests:
http://ze##ttp.ml/Panel/robots/gate.php
UDP:
Miscellaneous:
Searches for the following windows:
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'EDIT' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''