Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Win32.HLLW.Autoruner1.34499

Added to the Dr.Web virus database: 2013-03-27

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'm_l_<Virus name>' = '<SYSTEM32>\m_l_<Virus name>.exe'
Creates the following files on removable media:
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\<Virus name>.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\m_l_<Virus name>.exe' = '<SYSTEM32>\m_l_<Virus name>.exe:*:Enabled:m_l_winst'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\<Virus name>.exe' = '<SYSTEM32>\<Virus name>.exe:*:Enabled:winst'
Creates and executes the following:
  • <SYSTEM32>\p_e_<Virus name>.exe /stext <SYSTEM32>\p_e.log
  • <SYSTEM32>\p_r_<Virus name>.exe /stext <SYSTEM32>\p_r.log
  • <SYSTEM32>\p_m_<Virus name>.exe /stext <SYSTEM32>\p_m.log
  • <SYSTEM32>\p_n_<Virus name>.exe /stext <SYSTEM32>\p_n.log
  • <SYSTEM32>\winst.exe
  • <SYSTEM32>\p_c_<Virus name>.exe /stext <SYSTEM32>\p_c.log
  • <SYSTEM32>\p_p_<Virus name>.exe /stext <SYSTEM32>\p_p.log
  • <SYSTEM32>\p_d_<Virus name>.exe /stext <SYSTEM32>\p_d.log
  • <SYSTEM32>\s_n_winst.exe sentinel
  • <SYSTEM32>\p_f_<Virus name>.exe /stext <SYSTEM32>\p_f.log
  • <SYSTEM32>\s_s_winst.exe sentinel
  • <SYSTEM32>\p_i_<Virus name>.exe /stext <SYSTEM32>\p_i.log
  • <SYSTEM32>\m_l_<Virus name>.exe
  • <SYSTEM32>\<Virus name>.exe
  • <SYSTEM32>\p_c_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_p_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_d_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_f_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_m_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_i_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_n_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_r_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\m_l_<Virus name>.exe (downloaded from the Internet)
  • <SYSTEM32>\p_e_<Virus name>.exe (downloaded from the Internet)
Executes the following:
  • <SYSTEM32>\cmd.exe /c ""<SYSTEM32>\log_master.bat" "
  • %WINDIR%\explorer.exe <Current directory>\
Terminates or attempts to terminate
the following user processes:
  • AVSYNMGR.EXE
  • fsav.exe
  • AVPCC.EXE
  • AVPM.EXE
  • fsavgui.exe
  • NAVAPW32.EXE
  • fsav32.exe
  • fsavaui.exe
  • avgcc.exe
  • AVGCC32.EXE
  • ashAvast.exe
  • ashAvSrv.exe
  • AVP.EXE
  • AVP32.EXE
  • AVGCTRL.EXE
  • AVP.COM
Modifies file system :
Creates the following files:
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\p_r[1].exe
  • <SYSTEM32>\p_r_<Virus name>.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\p_p[1].exe
  • <SYSTEM32>\p_e_<Virus name>.exe
  • <SYSTEM32>\p_n_<Virus name>.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\check[1].php
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\p_e[1].exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\p_c[1].exe
  • <SYSTEM32>\p_c_<Virus name>.exe
  • <SYSTEM32>\log_master.txt
  • <SYSTEM32>\p_d_<Virus name>.exe
  • <SYSTEM32>\p_p_<Virus name>.exe
  • <SYSTEM32>\winst.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\p_d[1].exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\p_n[1].exe
  • <SYSTEM32>\s_s_winst.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\m[1].exe
  • <SYSTEM32>\m_l_<Virus name>.exe
  • <SYSTEM32>\s_n_winst.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\check[1].php
  • <SYSTEM32>\<Virus name>.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\check[1].php
  • <SYSTEM32>\p_i_<Virus name>.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\p_m[1].exe
  • <SYSTEM32>\p_m_<Virus name>.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\p_i[1].exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\p_f[1].exe
  • <SYSTEM32>\p_f_<Virus name>.exe
  • <SYSTEM32>\log_master.bat
Sets the 'hidden' attribute to the following files:
  • <Drive name for removable media>:\autorun.inf
  • <SYSTEM32>\m_l_<Virus name>.exe
  • <SYSTEM32>\winst.exe
  • <Drive name for removable media>:\<Virus name>.exe
  • <SYSTEM32>\<Virus name>.exe
  • <SYSTEM32>\s_n_winst.exe
  • <SYSTEM32>\s_s_winst.exe
Deletes the following files:
  • <SYSTEM32>\p_p_<Virus name>.exe
  • <SYSTEM32>\p_r_<Virus name>.exe
  • <SYSTEM32>\p_e_<Virus name>.exe
  • <SYSTEM32>\log_master.txt
  • <SYSTEM32>\p_c_<Virus name>.exe
  • <SYSTEM32>\p_d_<Virus name>.exe
  • <SYSTEM32>\p_n_<Virus name>.exe
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\check[1].php
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\check[1].php
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\check[1].php
  • <SYSTEM32>\p_m_<Virus name>.exe
  • <SYSTEM32>\p_i_<Virus name>.exe
  • <SYSTEM32>\p_f_<Virus name>.exe
Network activity:
Connects to:
  • 'localhost':1044
  • 'localhost':1046
  • 'localhost':1041
  • 'localhost':1036
  • 'www.la###ategia.com':80
TCP:
HTTP GET requests:
  • www.la###ategia.com/winst/files/p_r.exe
  • www.la###ategia.com/winst/files/p_e.exe
  • www.la###ategia.com/winst/files/p_p.exe
  • www.la###ategia.com/winst/files/p_c.exe
  • www.la###ategia.com/winst/files/p_d.exe
  • www.la###ategia.com/winst/files/p_n.exe
  • www.la###ategia.com/winst/files/m.exe
  • www.la###ategia.com/winst/???#########################
  • www.la###ategia.com/winst/files/p_f.exe
  • www.la###ategia.com/winst/files/p_m.exe
  • www.la###ategia.com/winst/files/p_i.exe
UDP:
  • DNS ASK www.la###ategia.com
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: ''
  • ClassName: '' WindowName: ''