Win32.HLLW.Autoruner2.26715

Added to the Dr.Web virus database: 2016-11-27

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimpl.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaiSv.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccleaner.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serial.txt] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keygen.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RootkitRevealer.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32w.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = '<SYSTEM32>\diskbus.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adialhk.dll] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdev.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmount.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmount2.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.EXE] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWUPSRV.EXE] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVESVC.EXE] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idag.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tcpview.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avg.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = '<SYSTEM32>\taskmon.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'kernel32' = '<SYSTEM32>\com_services.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cureit.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serial.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crack.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process Explorer.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessExplorer.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\asc.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GetSystemInfo.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = '<SYSTEM32>\ServPnkBstr.exe'
Creates the following files on removable media:
  • <Drive name for removable media>:\drive.exe
  • <Drive name for removable media>:\Autorun.inf
Malicious functions:
To bypass the firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to file>' = '<Full path to file>:*:Enabled:updatekrn'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system, forces the system to hide the following from view:
  • hidden files
modifies the following system settings:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
Searches for windows to detect analytical utilities:
  • ClassName: 'PROCEXPL' WindowName: ''
  • ClassName: 'TCPViewClass' WindowName: ''
  • ClassName: 'Autoruns' WindowName: ''
  • ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
  • ClassName: '' WindowName: 'TCPView - Sysinternals: www.sysinternals.com'
  • ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
Modifies the file system:
Creates the following files:
  • <SYSTEM32>\temp89.wlw
  • <SYSTEM32>\diskbus.exe
  • C:\drive.exe
  • C:\Autorun.inf
  • <SYSTEM32>\taskmon.exe
  • <SYSTEM32>\com_services.exe
  • <SYSTEM32>\ServPnkBstr.exe
  • <SYSTEM32>\lpstdrv.exe
Sets the 'hidden' attribute to the following files:
  • <SYSTEM32>\ServPnkBstr.exe
  • <SYSTEM32>\diskbus.exe
  • <SYSTEM32>\temp89.wlw
  • <SYSTEM32>\lpstdrv.exe
  • <Full path to file>
  • <SYSTEM32>\com_services.exe
  • <SYSTEM32>\taskmon.exe
Miscellaneous:
Searches for the following windows:
  • ClassName: '' WindowName: 'Kaspersky Internet Security 6.0'
  • ClassName: '' WindowName: 'Kaspersky Internet Security 7.0'
  • ClassName: '' WindowName: 'Kaspersky Internet Security 8.0'
  • ClassName: '' WindowName: 'Kaspersky Internet Security 9.0'
  • ClassName: 'Button' WindowName: '????????????'
  • ClassName: '' WindowName: 'SpIDer Guard обнаружил вирус'
  • ClassName: '' WindowName: 'SpIDer Guard ????????? ?????'
  • ClassName: '' WindowName: 'Редактор реестра'
  • ClassName: '' WindowName: 'Dr.Web? ?????? ??? Windows (???????????????)'
  • ClassName: '' WindowName: 'Сетевой экран: мониторинг сети'
  • ClassName: '' WindowName: '??????? ?????: ?????????? ????'
  • ClassName: '' WindowName: 'Dr.Web® Сканер для Windows (ознакомительная)'
  • ClassName: '' WindowName: '???????? ???????'
  • ClassName: '' WindowName: 'Dr.Web® Сканер для Windows'
  • ClassName: '' WindowName: 'Dr.Web? ?????? ??? Windows'
  • ClassName: '' WindowName: 'П&родолжить'
  • ClassName: '' WindowName: '?&?????????'
  • ClassName: '' WindowName: 'Не &показывать в следующий раз'
  • ClassName: '' WindowName: '?????????? ?????????? ????????????'
  • ClassName: '' WindowName: '&Закрыть'
  • ClassName: '' WindowName: '&???????'
  • ClassName: '' WindowName: 'Результаты последнего сканирования'
  • ClassName: '' WindowName: '?? &?????????? ? ????????? ???'
  • ClassName: '' WindowName: 'Malware-сканер'
  • ClassName: '' WindowName: 'Malware-??????'
  • ClassName: 'Button' WindowName: 'Игнорировать'
  • ClassName: '' WindowName: '??????'
  • ClassName: '' WindowName: 'avast! - Предупреждение'
  • ClassName: '' WindowName: 'avast! - ??????????????'
  • ClassName: '' WindowName: 'Отмена'
  • ClassName: '' WindowName: 'Диспетчер задач Windows'
  • ClassName: '' WindowName: 'Настройка системы'
  • ClassName: '' WindowName: '????????? ???????'
  • ClassName: 'RootkitRevealerClass' WindowName: ''
  • ClassName: '' WindowName: '????????? ??????'
  • ClassName: '' WindowName: 'NOD32 2.5 Control Center'
  • ClassName: '' WindowName: 'NOD32 2.7 Control Center'
  • ClassName: '' WindowName: 'Командная строка'
  • ClassName: '18467-41' WindowName: ''
  • ClassName: '' WindowName: '???????? ?????????'
  • ClassName: '' WindowName: 'RootkitRevealer - Sysinternals: www.sysinternals.com'
  • ClassName: '' WindowName: 'CCleaner'
  • ClassName: '' WindowName: 'Файловый Антивирус'
  • ClassName: '' WindowName: 'Антивирусная утилита AVZ'
  • ClassName: '' WindowName: '???????????? ??????? AVZ'
  • ClassName: '' WindowName: 'NOD32'
  • ClassName: '' WindowName: '?pe???pe??e??e a?????p?c?o? c?c?e?? NOD32: AMON - ?????? ?? ???????'
  • ClassName: '' WindowName: 'Обновление'
  • ClassName: '' WindowName: '??????????'
  • ClassName: '' WindowName: 'Пpeдупpeждeниe aнтивиpуcнoй cиcтeмы NOD32: AMON - сканер по доступу'
  • ClassName: '' WindowName: '????????? ????? Windows'
  • ClassName: '' WindowName: 'ZoneAlarm'
  • ClassName: '' WindowName: 'ZoneAlarm Security Alert'
  • ClassName: '' WindowName: 'Лог событий'
  • ClassName: '' WindowName: 'IMON - Интернет-монитор'
  • ClassName: '' WindowName: 'IMON - ????????-???????'
  • ClassName: '' WindowName: 'NOD32 3.0 Control Center'
  • ClassName: '' WindowName: 'AMON - ?????? ?? ???????'
  • ClassName: '' WindowName: 'Лог вирусов'
  • ClassName: '' WindowName: '??? ???????'
  • ClassName: '' WindowName: 'AMON - сканер по доступу'

© Doctor Web
2003 — 2019