Win32.HLLW.Autoruner1.34479

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Classes\.4u\shell\open\command] '' = 'notepad.exe %1'

Creates or modifies the following files:

%WINDIR%\Tasks\AUTO.job
%WINDIR%\Tasks\At6.job
%WINDIR%\Tasks\logon.job
%HOMEPATH%\Start Menu\Programs\Startup\msg.4u
%WINDIR%\Tasks\Folderw.job
%WINDIR%\Tasks\At2.job
%WINDIR%\Tasks\At1.job
%WINDIR%\Tasks\At3.job
%WINDIR%\Tasks\At5.job
%WINDIR%\Tasks\At4.job

Creates the following files on removable media:

<Drive name for removable media>:\AUTORUN.INF

Malicious functions:

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files
file extensions

blocks execution of the following system utilities:

Command Prompt (CMD)
Registry Editor (RegEdit)

blocks the following features:

System Restore (SR)

Executes the following:

<SYSTEM32>\xcopy.exe "%APPDATA%\desktop.exe" "%HOMEPATH%\UsrData~\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%APPDATA%\Microsoft\ren\*.*" "%HOMEPATH%\UsrData~\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "%WINDIR%\MSOChe$\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "<SYSTEM32>\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "%HOMEPATH%\UsrData~\" /h /c /y /i
<SYSTEM32>\xcopy.exe "msg.4u" "%HOMEPATH%\Start Menu\Programs\Startup" /h /c /y /i
<SYSTEM32>\reg.exe add "HKEY_CLASSES_ROOT\.4u\DefaultIcon" /v "" /d "<SYSTEM32>\SHELL32.dll,156" /f
<SYSTEM32>\xcopy.exe "%APPDATA%\Microsoft\windata\*.*" "%APPDATA%\Microsoft\ren\*.*" /h /c /y /i
<SYSTEM32>\attrib.exe +h "%APPDATA%\Microsoft\ren\Bunga_X.exe"
<SYSTEM32>\attrib.exe +s +h "%APPDATA%\Microsoft\ren\desktop.exe"
<SYSTEM32>\taskkill.exe /f /im b2e.exe
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" F:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" E:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" F:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" G:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" G:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" C:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" C:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" <Drive name for removable media>:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" E:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" <Drive name for removable media>:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "O:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "O:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "O:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "P:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "P:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "M:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "M:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "N:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "N:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "N:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "P:\autorun.inf"
<SYSTEM32>\reg.exe add "hklm\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
<SYSTEM32>\reg.exe add "hkcu\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 0 /f
<SYSTEM32>\reg.exe add "hklm\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
<SYSTEM32>\reg.exe add "HKEY_CLASSES_ROOT\.4u\shell\edit\command" /v "" /d "narrator.exe" /f
<SYSTEM32>\reg.exe add "HKEY_CLASSES_ROOT\.4u\shell\open\command" /v "" /d "notepad.exe %1" /f
<SYSTEM32>\reg.exe add "hkcu\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
<SYSTEM32>\reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVP" /f
<SYSTEM32>\reg.exe add "hkcu\Software\Microsoft\RegEdt32\Settings" /v "SaveSettings" /t REG_SZ /d 1 /f
<SYSTEM32>\reg.exe add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\system" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
<SYSTEM32>\reg.exe add "hkcu\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 1 /f
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" U:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" U:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" V:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" W:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" V:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" S:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" R:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" S:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" T:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" T:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" W:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "%PROGRAM_FILES%\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" Z:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%APPDATA%\Microsoft\SystemCertificates\My\msg.4u" "%HOMEPATH%\Desktop" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "%HOMEPATH%\Desktop\msg.txt"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UserData\msg.4u" "%HOMEPATH%\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" X:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" X:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" Y:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" Z:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" Y:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" K:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" J:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" K:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" L:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" L:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" H:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" H:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" I:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" J:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" I:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" M:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" P:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" P:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" Q:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" R:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" Q:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" N:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" M:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" N:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" O:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" O:\ /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "M:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "%APPDATA%\Microsoft\windata\desktop.exe"
<SYSTEM32>\xcopy.exe "%APPDATA%\Microsoft\windata\*.*" "%APPDATA%\Microsoft\ren\" /h /c /y /i
<SYSTEM32>\attrib.exe +h "%APPDATA%\Microsoft\windata\Bunga_X.exe"
<SYSTEM32>\attrib.exe +s +h msg.4u
<SYSTEM32>\xcopy.exe "%APPDATA%\Microsoft\ren\*.*" "%HOMEPATH%\UsrData~\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\AUTORUN.INF" "%HOMEPATH%\UsrData~\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\AUTORUN.INF" "%WINDIR%\MSOChe$\" /h /c /y /i
<SYSTEM32>\attrib.exe +s -h "%APPDATA%\Microsoft\windata\desktop.exe"
<SYSTEM32>\attrib.exe +s -h "%APPDATA%\Microsoft\windata\__ARESTRA__best.exe"
<SYSTEM32>\attrib.exe +s -h "%APPDATA%\Microsoft\windata\Bunga_X.exe"
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\*.hex"
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\MSOChe$"
<SYSTEM32>\attrib.exe +s +h "%APPDATA%\Microsoft"
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\MSOChe$\desktop.exe"
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\MSOChe$\AUTORUN.INF"
<SYSTEM32>\attrib.exe +h "%WINDIR%\MSOChe$\Bunga_X.exe"
<SYSTEM32>\xcopy.exe "msg.4u" "%HOMEPATH%\UserData\" /h /c /y /i
<SYSTEM32>\xcopy.exe "msg.4u" "%APPDATA%\Microsoft\SystemCertificates\My\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h desktop.exe
<SYSTEM32>\attrib.exe +s +h %WINDIR%\tasks\*.*
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\tasks"
<SYSTEM32>\at.exe 1:40pm /every:M,T,W,Th,S,Su msg * Sembahyang Zuhur.....from Bunga_X
<SYSTEM32>\at.exe 6:10am /every:M,T,W,Th,F,S,Su msg * Sembahyang Subuh.....from Bunga_X
<SYSTEM32>\at.exe 4:55pm /every:M,T,W,Th,F,S,Su msg * Sembahyang Asar.....from Bunga_X
<SYSTEM32>\at.exe 8:45pm /every:M,T,W,Th,F,S,Su msg * Sembahyang Isyak.....from Bunga_X
<SYSTEM32>\at.exe 7:45pm /every:M,T,W,Th,F,S,Su msg * Sembahyang Maghrib.....from Bunga_X
<SYSTEM32>\taskkill.exe /f /im Ad-Watch.exe /im password_viewer.exe /im Flash.10.exe /im Macromedia.10.exe
<SYSTEM32>\attrib.exe +s +h <Full path to virus>
<SYSTEM32>\shutdown.exe -a
<SYSTEM32>\schtasks.exe /delete /tn * /f
<SYSTEM32>\attrib.exe +s +h prcs.bat
<SYSTEM32>\at.exe 1:25pm /every:F msg * Sembahyang Jumaat...( lelaki je ).....from Bunga_X
<SYSTEM32>\xcopy.exe "__ARESTRA__best.exe" "%WINDIR%\MSOChe$\" /h /c /y /i
<SYSTEM32>\xcopy.exe "__ARESTRA__best.exe" "<SYSTEM32>\" /h /c /y /i
<SYSTEM32>\xcopy.exe "__ARESTRA__best.exe" "%HOMEPATH%\UsrData~\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "%HOMEPATH%\AUTORUN.INF"
<SYSTEM32>\schtasks.exe /create /tn "Folderw" /tr "%HOMEPATH%\UsrData~\__ARESTRA__best.exe" /sc weekly /mo 1 /ru "System"
<SYSTEM32>\schtasks.exe /create /tn "logon" /tr "%WINDIR%\data$~.cmd" /sc onlogon /ru "System"
<SYSTEM32>\schtasks.exe /create /tn "AUTO" /tr "%WINDIR%\data$~.cmd" /sc minute /mo 3 /ru "System"
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\data$~.cmd"
<SYSTEM32>\xcopy.exe "__ARESTRA__best.exe" "%APPDATA%\Microsoft\windata\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "<SYSTEM32>\userinit.cmd"
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "H:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "G:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "H:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "I:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "H:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "F:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "F:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "F:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "G:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "G:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "I:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "K:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "K:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "L:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "L:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "L:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "J:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "I:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "J:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "K:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "J:\autorun.inf"
<SYSTEM32>\attrib.exe +s -h "%HOMEPATH%\Start Menu\Programs\Startup\msg.4u"
<SYSTEM32>\attrib.exe +s -h "%HOMEPATH%\Start Menu\Programs\Startup\BuNga_pEace.4u"
<SYSTEM32>\attrib.exe +s +h "<SYSTEM32>\config\systemprofile\Local Settings\Temp"
<SYSTEM32>\attrib.exe +s +h %TEMP%\*.tmp
<SYSTEM32>\attrib.exe +s +h %HOMEPATH%\Local Settings\Temp
<SYSTEM32>\attrib.exe +s +h "%HOMEPATH%\UsrData~"
<SYSTEM32>\attrib.exe +s +h "%PROGRAM_FILES%\Microsoft Visual Studio\VC98\MFC\Include\Res\desktop.exe"
<SYSTEM32>\attrib.exe +s +h "%HOMEPATH%\UsrData~\desktop.exe"
<SYSTEM32>\attrib.exe +h "%HOMEPATH%\UsrData~\AUTORUN.INF"
<SYSTEM32>\attrib.exe +h "%HOMEPATH%\UsrData~\Bunga_X.exe"
<SYSTEM32>\attrib.exe +s +h %TEMP%\*.bat
<SYSTEM32>\attrib.exe +s +h "<Drive name for removable media>:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "<Drive name for removable media>:\" /h /c /y /i
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "E:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "E:\autorun.inf"
<SYSTEM32>\xcopy.exe "%HOMEPATH%\UsrData~\*.*" "E:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\pchealth\helpctr\Temp\*.*"
<SYSTEM32>\attrib.exe +s +h "%WINDIR%\Temp\*.*"
<SYSTEM32>\attrib.exe +s +h "%APPDATA%\Microsoft\ren"
<SYSTEM32>\xcopy.exe "%WINDIR%\MSOChe$\*.*" "<Drive name for removable media>:\" /h /c /y /i
<SYSTEM32>\attrib.exe +s +h "%APPDATA%\Microsoft\windata"

Modifies file system :

Creates the following files:

%HOMEPATH%\UserData\msg.4u
<SYSTEM32>\AUTORUN.INF
%WINDIR%\2H.hex
%APPDATA%\Microsoft\SystemCertificates\My\msg.4u
C:\AUTORUN.INF
%HOMEPATH%\Desktop\msg.4u
%HOMEPATH%\msg.4u
%WINDIR%\3H.hex
%PROGRAM_FILES%\AUTORUN.INF
<SYSTEM32>\userinit.cmd
%WINDIR%\data$~.cmd
%TEMP%\a30557.bat
<Current directory>\prcs.bat
%HOMEPATH%\AUTORUN.INF
%WINDIR%\1H.hex
<Current directory>\msg.4u
%WINDIR%\MSOChe$\AUTORUN.INF
%HOMEPATH%\UsrData~\AUTORUN.INF

Sets the 'hidden' attribute to the following files:

%WINDIR%\Tasks\Folderw.job
%WINDIR%\Tasks\logon.job
%WINDIR%\MSOChe$\AUTORUN.INF
%WINDIR%\Tasks\At5.job
%WINDIR%\Tasks\At6.job
%WINDIR%\Tasks\AUTO.job
%HOMEPATH%\UsrData~\AUTORUN.INF
C:\AUTORUN.INF
%WINDIR%\3H.hex
%PROGRAM_FILES%\AUTORUN.INF
<Drive name for removable media>:\AUTORUN.INF
%HOMEPATH%\Start Menu\Programs\Startup\BuNga_pEace.4u
<SYSTEM32>\AUTORUN.INF
%WINDIR%\data$~.cmd
<SYSTEM32>\userinit.cmd
%HOMEPATH%\AUTORUN.INF
%TEMP%\a30557.bat
<Full path to virus>
<Current directory>\prcs.bat
<Current directory>\msg.4u
%WINDIR%\Tasks\At2.job
%WINDIR%\Tasks\At3.job
%WINDIR%\Tasks\At4.job
%WINDIR%\1H.hex
%WINDIR%\2H.hex
%WINDIR%\Tasks\At1.job

Deletes the following files:

%HOMEPATH%\AUTORUN.INF
%WINDIR%\Temp\Perflib_Perfdata_7e8.dat
<SYSTEM32>\userinit.cmd
<Current directory>\msg.4u
%WINDIR%\data$~.cmd

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: ''

Tecnologías

Términos

Formación y educación

Mitos

Technical Information