Win32.HLLW.Autoruner.22222
Added to the Dr.Web virus database:
2010-05-31
Virus description added:
2013-11-24
Technical Information
To ensure autorun and distribution:
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\AppMgmt] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\63B5559E] 'Start' = '00000002'
Changes the following executable system files:
Infects the following executable files:
%PROGRAM_FILES%\FireFox\xpcshell.exe
%PROGRAM_FILES%\FireFox\updater.exe
%PROGRAM_FILES%\FireFox\uninstall\helper.exe
%PROGRAM_FILES%\FireFox\xpidl.exe
<Auxiliary element>
%PROGRAM_FILES%\FireFox\xpt_link.exe
%PROGRAM_FILES%\FireFox\xpt_dump.exe
%PROGRAM_FILES%\FireFox\shlibsign.exe
%PROGRAM_FILES%\FireFox\firefox.exe
%PROGRAM_FILES%\FireFox\crashreporter.exe
C:\Far2\Far.exe
%PROGRAM_FILES%\FireFox\js.exe
%PROGRAM_FILES%\FireFox\plugin-container.exe
%PROGRAM_FILES%\FireFox\nsinstall.exe
%PROGRAM_FILES%\FireFox\mangle.exe
Malicious functions:
Executes the following:
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\63B5559E /v Type /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\63B5559E /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\63B5559E.sys /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\63B5559E /v ErrorControl /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641} /v Service /t REG_SZ /d 63B5559E /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641} /v ConfigFlags /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Services\63B5559E /v Start /t REG_DWORD /d 2 /f
Restores hooked functions in System Service Descriptor Table (SSDT).
Modifies file system:
Creates the following files:
<DRIVERS>\63B5559E.sys
<SYSTEM32>\43883815.tmp
C:\Documents and Settings\Infotmp.txt
Deletes the following files:
<SYSTEM32>\43883815.tmp
C:\Documents and Settings\Infotmp.txt
Modifies the HOSTS file.
Deletes itself.
Network activity:
UDP:
DNS ASK 17#.#AP517.NET
DNS ASK 17#.#AP517.INFO
DNS ASK 17#.#AP517.US
DNS ASK 17#.#AP517.ME
DNS ASK www.ba##u.com
DNS ASK 17#.#AP517.BIZ
DNS ASK 17#.#AP517.COM
'<Private IP address>':0
Miscellaneous:
Searches for the following windows:
ClassName: 'CicLoaderWndClass' WindowName: '(null)'
ClassName: '(null)' WindowName: 'Program Manager'