Win32.VirLock.18
Added to the Dr.Web virus database: 2017-08-08
Virus description added: 2021-03-19
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKCU>\software\microsoft\windows\currentversion\run] 'BgkYkAMs.exe' = '%HOMEPATH%\qcgMoIYc\BgkYkAMs.exe'
[<HKLM>\software\Wow6432Node\microsoft\windows\currentversion\run] 'cUcsEgAE.exe' = '%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe,'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe,'
Sets the following service settings
[<HKLM>\System\CurrentControlSet\Services\zYoUIYCJ] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\zYoUIYCJ] 'ImagePath' = '%ALLUSERSPROFILE%\vUAsAQAI\ZIwkMIUI.exe'
Creates the following services
'zYoUIYCJ' %ALLUSERSPROFILE%\vUAsAQAI\ZIwkMIUI.exe
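The persistence set above (a second entry appended to Winlogon Userinit, a Run value and a service ImagePath, all pointing into randomly named folders under the profile directories) is what an analyst would check first on a suspect host. The script below is an added example for this page, not Dr.Web's code: it runs offline against a constructed snapshot of registry values in which the three malicious entries are copied from the listing above, while the benign control entries, the path heuristics and the function names are assumptions of mine.

```python
"""Audit the persistence locations Win32.VirLock.18 touches.

Added example for this page, not Dr.Web's own code.  It runs offline
against a constructed snapshot of registry values; the three malicious
entries copy the listing above, the benign control entries and all
function names are my own.
"""
import re
from typing import Dict, List, Tuple

# Constructed snapshot: (key, value name) -> data.
SNAPSHOT: Dict[Tuple[str, str], str] = {
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe,",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "BgkYkAMs.exe"):
        r"%HOMEPATH%\qcgMoIYc\BgkYkAMs.exe",
    (r"HKLM\System\CurrentControlSet\Services\zYoUIYCJ", "ImagePath"):
        r"%ALLUSERSPROFILE%\vUAsAQAI\ZIwkMIUI.exe",
    # Benign controls (constructed) that must not be flagged.
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r"explorer.exe",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"):
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    (r"HKLM\System\CurrentControlSet\Services\Spooler", "ImagePath"):
        r"%SystemRoot%\System32\spoolsv.exe",
}

# The only legitimate Userinit entry: userinit.exe, bare or under system32.
LEGIT_USERINIT = re.compile(
    r"^(?:(?:<SYSTEM32>|%SYSTEMROOT%\\system32|C:\\WINDOWS\\system32)\\)?userinit\.exe$",
    re.IGNORECASE)
# Locations a logon hook, Run entry or service binary should not live in.
USER_WRITABLE = ("%ALLUSERSPROFILE%", "%HOMEPATH%", "%APPDATA%",
                 "%LOCALAPPDATA%", "%TEMP%", "%USERPROFILE%")
# VirLock's drop pattern seen above: an 8-letter folder holding an 8-letter .exe.
RANDOM8 = re.compile(r"\\[A-Za-z]{8}\\[A-Za-z]{8}\.exe$")


def check_userinit(data: str) -> List[str]:
    """Return every Userinit entry that is not the system userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if not LEGIT_USERINIT.match(e)]


def check_binary_path(data: str) -> List[str]:
    """Reasons to distrust a Run / ImagePath value; empty list if none."""
    reasons = []
    exe = data.strip().strip('"')
    if exe.upper().startswith(USER_WRITABLE):
        reasons.append("binary under a user-writable profile path")
    if RANDOM8.search(exe):
        reasons.append("VirLock-style 8-letter folder and file name")
    return reasons


def audit(snapshot: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every suspicious entry."""
    findings = []
    for (key, name), data in snapshot.items():
        klow, nlow = key.lower(), name.lower()
        if klow.endswith("\\winlogon") and nlow == "userinit":
            for extra in check_userinit(data):
                findings.append((key, name, f"extra Userinit hook: {extra}"))
        elif klow.endswith("\\run") or nlow == "imagepath":
            for why in check_binary_path(data):
                findings.append((key, name, why))
    return findings


if __name__ == "__main__":
    for key, name, why in audit(SNAPSHOT):
        print(f"{key}\\{name}: {why}")
```

On a live host the snapshot would come from `reg query` or a hive export; the Userinit check is the one worth keeping even if the path heuristics are tuned away, because a comma-separated second entry there is executed at every interactive logon regardless of Run-key cleanup.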
Infects the following executable files
C:\far2\far.exe
C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\setup.exe
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\dw20.exe
%ALLUSERSPROFILE%\adobe\arm\s\10428\adobearmhelper.exe
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\setup.exe
Modifies file system
Creates the following files
%HOMEPATH%\qcgmoiyc\bgkykams
%ALLUSERSPROFILE%\hgeuukmo\cucsegae
%HOMEPATH%\qcgmoiyc\bgkykams.exe
%ALLUSERSPROFILE%\hgeuukmo\cucsegae.exe
%ALLUSERSPROFILE%\vuasaqai\ziwkmiui.exe
%ALLUSERSPROFILE%\jisa.txt
%HOMEPATH%\qcgmoiyc\zwwm.exe
%HOMEPATH%\qcgmoiyc\dkqe.exe
%WINDIR%\syswow64\config\systemprofile\qcgmoiyc\bgkykams
%HOMEPATH%\qcgmoiyc\aqey.exe
%HOMEPATH%\qcgmoiyc\skaa.exe
%TEMP%\fcgyskkw.bat
<PATH_SAMPLE>
%HOMEPATH%\qcgmoiyc\nkkw.exe
%HOMEPATH%\qcgmoiyc\bqug.exe
%ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Deletes the following files
%HOMEPATH%\qcgmoiyc\zwwm.exe
%HOMEPATH%\qcgmoiyc\dkqe.exe
%HOMEPATH%\qcgmoiyc\aqey.exe
%HOMEPATH%\qcgmoiyc\skaa.exe
%TEMP%\fcgyskkw.bat
%HOMEPATH%\qcgmoiyc\nkkw.exe
%HOMEPATH%\qcgmoiyc\bqug.exe
Miscellaneous
Searches for the following windows
ClassName: '' WindowName: 'cUcsEgAE.exe'
ClassName: '' WindowName: 'Microsoft Windows'
Creates and executes the following
'%HOMEPATH%\qcgmoiyc\bgkykams.exe'
'%ALLUSERSPROFILE%\hgeuukmo\cucsegae.exe'
'%ALLUSERSPROFILE%\vuasaqai\ziwkmiui.exe'
'%WINDIR%\syswow64\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1' (with hidden window)
'%WINDIR%\syswow64\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2' (with hidden window)
Executes the following
'%WINDIR%\syswow64\cmd.exe' /c "<PATH_SAMPLE>"
'%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
'%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
'%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
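The three reg.exe invocations above are the part of this listing that changes what the victim can see: EnableLUA=0 switches UAC off at the next logon, HideFileExt=1 makes the dropped background.png.exe display as background.png, and Hidden=2 keeps hidden files and folders out of Explorer. The classifier below is an added example, not Dr.Web's code; it parses reg.exe command lines (for instance from process-creation telemetry) against a small policy table. The three flagged lines are taken from this page, while the benign control lines, the policy table and the function names are my own assumptions.

```python
"""Classify reg.exe command lines that weaken the interactive user's defences.

Added example, not Dr.Web's code.  The three flagged command lines are the
ones listed above for Win32.VirLock.18; the benign control lines, the
policy table and the function names are my own.
"""
import re
from typing import Dict, List, Optional, Tuple

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
         "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU"}


def norm_key(key: str) -> str:
    """Canonical form: short hive name plus lower-cased path."""
    hive, _, path = key.strip('"\'').partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + path.lower()


def norm_dword(data: Optional[str]) -> Optional[str]:
    """'1', '0x1' and '00000001' all become '1'; non-numeric data is unchanged."""
    if data is None:
        return None
    for base in (0, 10):
        try:
            return str(int(data, base))
        except ValueError:
            pass
    return data


# (key, value name, data) -> why it matters.  Keys pass through norm_key once
# so comparisons never depend on the casing the attacker chose.
WEAKENING: Dict[Tuple[str, str, str], str] = {
    (norm_key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"), "enablelua", "0"):
        "disables UAC; takes effect at the next logon/reboot",
    (norm_key(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"), "hidefileext", "1"):
        "hides known extensions, so background.png.exe displays as background.png",
    (norm_key(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"), "hidden", "2"):
        "hides hidden files and folders in Explorer",
}

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def parse_reg_add(cmdline: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (key, options) for a 'reg add' line, None for anything else."""
    toks = [t.strip('"\'') for t in TOKEN.findall(cmdline)]
    if len(toks) < 3 or not re.search(r"(^|\\)reg(\.exe)?$", toks[0], re.I):
        return None
    if toks[1].lower() != "add":
        return None
    opts: Dict[str, str] = {}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:  # /f, /ve, /reg:32 ... take no argument
            opts[flag] = ""
            i += 1
    return toks[2], opts


def classify(cmdline: str) -> Optional[str]:
    """Reason this command line weakens defences, or None if it does not."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, opts = parsed
    probe = (norm_key(key), opts.get("/v", "").lower(), norm_dword(opts.get("/d")))
    return WEAKENING.get(probe)


def triage(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """(command line, reason) for every flagged line, in input order."""
    hits = []
    for cmd in cmdlines:
        why = classify(cmd)
        if why:
            hits.append((cmd, why))
    return hits


# Sample command lines: the three from the listing above, then constructed
# controls (re-enabling UAC, a query, the cmd.exe launcher) that must not fire.
SAMPLES: List[str] = [
    r"'%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"'%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"'%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden",
    "'%WINDIR%\\syswow64\\cmd.exe' /c \"<PATH_SAMPLE>\"",
]

if __name__ == "__main__":
    for cmd, why in triage(SAMPLES):
        print(f"{why}\n    {cmd}")
```

The option order is deliberately not assumed (the page shows `/f` both first and last), and the key is normalised before lookup because `HKLM` and `HKEY_LOCAL_MACHINE` are interchangeable to reg.exe. The table is easy to extend with other Explorer\Advanced or Policies\System values once the three shown here are covered.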