PARA USUARIOS

Mi biblioteca

+ Añadir a la biblioteca

Buscar

Soporte 24 horas | Normas de contactar

Escribir

una solicitud al rellenar un formulario

Llamar

+7 (495) 789-45-86

Foro

Sus solicitudes

Todas: -
No cerradas: -
Última: -

Crear una nueva solicitud

Llamar

+7 (495) 789-45-86

ES

RU CN DE EN ES FR IT JP KZ UZ PL BY

Dr.Web vxCube

Entrar en el analizador

Peritaje de IIV

Biblioteca de virus

Base de conocimiento

Tecnologías

Términos

Formación y educación

Mitos

Mitos sobre los antivirus

Win32.HLLW.Autoruner1.30096

Added to the Dr.Web virus database: 2012-11-21

Virus description added: 2012-11-22

Technical Information

To ensure autorun and distribution:

Creates the following files on removable media:

<Drive name for removable media>:\fgwvwa.exe
<Drive name for removable media>:\autorun.inf

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files

blocks the following features:

User Account Control (UAC)
Windows Security Center

Injects code into

the following system processes:

<Auxiliary element>

a large number of user processes.

Modifies file system :

Creates the following files:

%TEMP%\mtsmd.exe
%TEMP%\kmau.exe
%TEMP%\noggy.exe
%TEMP%\winrmxr.exe
%TEMP%\winasadfb.exe
%TEMP%\mameq.exe
%TEMP%\ifyave.exe
C:\autorun.inf
%TEMP%\qwtks.exe
%TEMP%\tmp.ini
C:\fpqb.exe
%TEMP%\winarxoub.exe
%TEMP%\twmn.exe
<DRIVERS>\fikos.sys

Sets the 'hidden' attribute to the following files:

<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\fgwvwa.exe
C:\autorun.inf
C:\fpqb.exe

Deletes the following files:

%TEMP%\winrmxr.exe
%TEMP%\mtsmd.exe
%TEMP%\ifyave.exe
%TEMP%\winasadfb.exe
%TEMP%\mameq.exe
%TEMP%\kmau.exe
<DRIVERS>\fikos.sys
%TEMP%\qwtks.exe
%TEMP%\twmn.exe
%TEMP%\noggy.exe
%TEMP%\winarxoub.exe

Network activity:

Connects to:

'ah###iye.net':80
'ap###-pie.in':80
'am####ilim.com.tr':80
'g2.###owhitech.com':80
'www.ca###rdesk.org':80
'al###wry.org':80
'am##mex.com':80
'ar####.niria.biz':80

TCP:

HTTP GET requests:

ah###iye.net/xs.jpg?4d###########
ap###-pie.in/images/xs.jpg?4c###########
am####ilim.com.tr/images/xs2.jpg?4e###########
g2.###owhitech.com/xs.jpg?4d###########
www.ca###rdesk.org/images/xs.jpg?4b###########
al###wry.org/images/xs.jpg?49###########
am##mex.com/xs.jpg?4c###########
ar####.niria.biz/xs.jpg?4c##########

UDP:

DNS ASK ah###iye.net
DNS ASK ap###-pie.in
DNS ASK am####ilim.com.tr
DNS ASK g2.###owhitech.com
DNS ASK www.ca###rdesk.org
DNS ASK al###wry.org
DNS ASK am##mex.com
DNS ASK ar####.niria.biz

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''