Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Win32.HLLW.Autoruner2.6280

Added to the Dr.Web virus database: 2014-02-09

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '7338b198ca7e6af6b13b5bb7a8a46c2b' = '"%HOMEPATH%\Google Chrome.exe" ..'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '7338b198ca7e6af6b13b5bb7a8a46c2b' = '"%HOMEPATH%\Google Chrome.exe" ..'
Creates or modifies the following files:
  • %HOMEPATH%\Start Menu\Programs\Startup\7338b198ca7e6af6b13b5bb7a8a46c2b.exe
Creates the following files on removable media:
  • <Drive name for removable media>:\usjf.exe
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\7338b198ca7e6af6b13b5bb7a8a46c2b.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\Google Chrome.exe' = '%HOMEPATH%\Google Chrome.exe:*:Enabled:Google Chrome.exe'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\Local Settings\Tempface.exe' = '%HOMEPATH%\Local Settings\Tempface.exe:*:Enabled:ipsec'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
blocks the following features:
  • User Account Control (UAC)
  • Windows Security Center
Creates and executes the following:
  • '%HOMEPATH%\Google Chrome.exe'
  • '%HOMEPATH%\Local Settings\Tempsexy1.exe'
  • '%HOMEPATH%\Local Settings\Tempface.exe'
Executes the following:
  • '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%HOMEPATH%\Google Chrome.exe" "Google Chrome.exe" ENABLE
Injects code into
the following system processes:
  • <SYSTEM32>\cscript.exe
  • <SYSTEM32>\netsh.exe
  • <SYSTEM32>\cmd.exe
  • %WINDIR%\Explorer.EXE
  • <SYSTEM32>\ctfmon.exe
a large number of user processes.
Modifies file system :
Creates the following files:
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\hbspam.xpg.com[1]
  • %TEMP%\wineyamnu.exe
  • %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new
  • <DRIVERS>\jhnln.sys
  • %TEMP%\windoyuha.exe
  • C:\autorun.inf
  • C:\axxel.pif
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
  • %HOMEPATH%\Local Settings\Tempface.exe
  • %HOMEPATH%\Local Settings\Tempsexy1.exe
  • %HOMEPATH%\Google Chrome.exe
  • %TEMP%\winxaxw.exe
  • %TEMP%\0007AD93_Rar\Tempface.exe
  • %TEMP%\0007AF77_Rar\Tempface.exe
Sets the 'hidden' attribute to the following files:
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\usjf.exe
  • C:\axxel.pif
  • <Drive name for removable media>:\7338b198ca7e6af6b13b5bb7a8a46c2b.exe
  • C:\autorun.inf
Deletes the following files:
  • %TEMP%\0007AF77_Rar\Tempface.exe
  • <DRIVERS>\jhnln.sys
  • %TEMP%\windoyuha.exe
  • %TEMP%\wineyamnu.exe
  • %TEMP%\winxaxw.exe
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2736.500984
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2736.501000
Moves the following files:
  • from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
  • from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2736.501000
  • from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2736.500984
  • from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
  • from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
Network activity:
Connects to:
  • 'localhost':445
  • '<Private IP address>':80
  • 'localhost':1039
  • 'hb####.xpg.com.br':80
TCP:
HTTP GET requests:
  • hb####.xpg.com.br/
UDP:
  • DNS ASK go#####chrome.sytes.net
  • DNS ASK hb####.xpg.com.br
Miscellaneous:
Searches for the following windows:
  • ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
  • ClassName: 'Indicator' WindowName: '(null)'
  • ClassName: 'Shell_TrayWnd' WindowName: '(null)'
  • ClassName: 'MS_AutodialMonitor' WindowName: '(null)'