Win32.HLLW.Medbod.1333
Added to the Dr.Web virus database:
2013-03-19
Virus description added:
2013-03-19
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '.nvsvc' = '%WINDIR%\system\smss.exe /w'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\svchost.exe' = '<SYSTEM32>\svchost.exe:*:Enabled:Microsoft Update'
Executes the following:
- <SYSTEM32>\wbem\wmiadap.exe /R /T
- <SYSTEM32>\alg.exe
- <SYSTEM32>\svchost.exe
Injects code into
the following system processes:
Modifies file system :
Creates the following files:
- <SYSTEM32>\wbem\Performance\WmiApRpl_new.ini
- %WINDIR%\system\smss.exe
Moves the following files:
- from <SYSTEM32>\wbem\Performance\WmiApRpl_new.ini to <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- from <SYSTEM32>\wbem\Performance\WmiApRpl_new.h to <SYSTEM32>\wbem\Performance\WmiApRpl.h
Network activity:
Connects to:
UDP:
- DNS ASK cu#.#amaner.com
- '21#.#55.189.85':1900
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息