Pour le fonctionnement correct du site, vous devez activer JavaScript dans votre navigateur.
Win32.HLLW.Autoruner.55788
Added to the Dr.Web virus database:
2011-08-07
Virus description added:
2011-08-07
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Intel Database Manager' = '<SYSTEM32>\igfxdn32.exe'
Creates the following files on removable media:
<Drive name for removable media>:\Autorun.inf
<Drive name for removable media>:\SysDrivers\drv-x4960436.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\igfxdn32.exe' = '<SYSTEM32>\igfxdn32.exe:*:Enabled:xLAN'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\igfxdn32.exe' = '<SYSTEM32>\igfxdn32.exe:*:Enabled:xLAN'
Creates and executes the following:
<SYSTEM32>\igfxdn32.exe <Full path to virus>
Executes the following:
<SYSTEM32>\sc.exe stop SPIDERNT
<SYSTEM32>\net.exe stop SPIDERNT
<SYSTEM32>\sc.exe config SPIDERNT start= disabled
<SYSTEM32>\net1.exe stop SPIDERNT
<SYSTEM32>\sc.exe delete SPIDERNT
<SYSTEM32>\sc.exe stop DrWebEngine
<SYSTEM32>\net.exe stop DrWebEngine
<SYSTEM32>\sc.exe config DrWebEngine start= disabled
<SYSTEM32>\sc.exe delete DrWebEngine
<SYSTEM32>\net1.exe stop DrWebEngine
Injects code into
the following system processes:
Searches for windows to
detect analytical utilities:
ClassName: 'PROCMON_WINDOW_CLASS' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
detect programs and games:
ClassName: 'gdkWindowToplevel' WindowName: 'The Wireshark Network Analyzer'
Hides the following processes:
<Full path to virus>
<SYSTEM32>\igfxdn32.exe
Modifies file system :
Creates the following files:
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\y01[1].zip
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\qdat01[1].txt
%PROGRAM_FILES%\Wireshark\wireshark.exe
<SYSTEM32>\igfxdn32.exe
C:\cwsandbox\cwsandbox.exe
Sets the 'hidden' attribute to the following files:
Deletes itself.
Network activity:
Connects to:
'sv##.##telsystems.su':5949
'14#.#48.35.28':80
'sv##.##telsecurity.su':41040
'vp####.#ntelbackupsvc.su':80
TCP:
HTTP GET requests:
14#.#48.35.28/awstats/qdat01.txt
vp####.#ntelbackupsvc.su/net/y01.zip
UDP:
DNS ASK sv##.##telsystems.su
DNS ASK vp####.#ntelbackupsvc.su
DNS ASK sv##.##telsecurity.su
Miscellaneous:
Searches for the following windows:
ClassName: 'TCPViewClass' WindowName: ''
ClassName: '#32770' WindowName: 'Regshot 1.8.2'
ClassName: 'PROCEXPL' WindowName: ''
ClassName: 'CNetmonMainFrame' WindowName: 'Microsoft Network Monitor 3.3'
ClassName: 'SmartSniff' WindowName: 'SmartSniff'
ClassName: 'CurrPorts' WindowName: 'CurrPorts'
Téléchargez Dr.Web pour Android
Gratuit pour 3 mois
Tous les composants de protection
Renouvellement de la démo via AppGallery/Google Pay
Nous utilisons des cookies sur notre site web à des fins uniques d’analyse de la fréquentation et de récolte de données statistiques. En naviguant sur notre site, vous pouvez accepter ou refuser l’utilisation de ces fichiers cookies.
En savoir plus : Politique de confidentialité
Accepter
Refuser