Protégez votre univers

Nos autres ressources

  • free.drweb.fr — utilitaires gratuits, plugins, widgets
  • av-desk.com — service Internet pour les prestataires de services Dr.Web AV-Desk
  • curenet.drweb.com — l'utilitaire de désinfection réseau Dr.Web CureNet!
Fermer

Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Win32.HLLW.Autoruner2.26940

Added to the Dr.Web virus database: 2016-12-22

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Update' = '%APPDATA%\WindowsUpdate.exe'
Creates the following files on removable media:
  • <Drive name for removable media>:\Sys.exe
  • <Drive name for removable media>:\autorun.inf
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
Executes the following:
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\holderwb.txt"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\holdermail.txt"
  • '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' -nohome
Injects code into
the following system processes:
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Terminates or attempts to terminate
the following system processes:
  • <SYSTEM32>\cmd.exe
Searches for registry branches where third party applications store passwords:
  • [<HKCU>\Software\Microsoft\IdentityCRL]
  • [<HKCU>\Software\Microsoft\MSNMessenger]
  • [<HKCU>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]
  • [<HKCU>\Software\Microsoft\Windows Live Mail]
  • [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
  • [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
  • [<HKCU>\Identities\{5518F2FB-DB74-45A3-BEC1-4575D8D9DC84}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
  • [<HKCU>\Identities\{5518F2FB-DB74-45A3-BEC1-4575D8D9DC84}\Software\Microsoft\Internet Account Manager\Accounts]
Modifies file system:
Creates the following files:
  • %TEMP%\holdermail.txt
  • %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\youtube[1]
  • %TEMP%\holderwb.txt
  • %APPDATA%\pid.txt
  • %APPDATA%\pidloc.txt
  • %APPDATA%\WindowsUpdate.exe
Sets the 'hidden' attribute to the following files:
  • <Drive name for removable media>:\Sys.exe
  • <Drive name for removable media>:\autorun.inf
Deletes the following files:
  • %TEMP%\holderwb.txt
  • %TEMP%\holdermail.txt
Modifies the HOSTS file.
Network activity:
Connects to:
  • 'localhost':1043
  • 'www.yo##ube.com':80
  • 'sm##.mail.com':587
  • 'wp#d':80
  • 'wh#####yipaddress.com':80
TCP:
HTTP GET requests:
  • http://www.yo##ube.com/
  • http://wh#####yipaddress.com/
  • http://11#.#11.111.1/wpad.dat via wp#d
UDP:
  • DNS ASK sm##.mail.com
  • DNS ASK www.yo##ube.com
  • DNS ASK wp#d
  • DNS ASK wh#####yipaddress.com
Miscellaneous:
Searches for the following windows:
  • ClassName: 'MS_AutodialMonitor' WindowName: ''
  • ClassName: 'MS_WebcheckMonitor' WindowName: ''
  • ClassName: 'IEFrame' WindowName: ''
  • ClassName: '' WindowName: ''
  • ClassName: 'Shell_TrayWnd' WindowName: ''

Editeur russe des solutions antivirus Dr.Web

Expérience dans le développement depuis 1992

Les internautes dans plus de 200 pays utilisent Dr.Web

L'antivirus est fourni en tant que service depuis 2007

Support 24/24

© Doctor Web
2003 — 2019

Doctor Web - éditeur russe des solutions antivirus Dr.Web. Doctor Web développe les produits Dr.Web depuis 1992.

333b, Avenue de Colmar, 67100 Strasbourg