Joke.Rickroll.1

Added to the Dr.Web virus database: 2024-01-18

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • C:\programsx64\filestack\temp.bat
  • %APPDATA%\microsoft\windows\start menu\programs\startup\nibba.bat
Malicious functions
Executes the following
  • '<SYSTEM32>\net.exe' user R hacked /ADD
  • '<SYSTEM32>\net.exe' user 2652 13177 /ADD
  • '<SYSTEM32>\net.exe' user 31794 22417 /ADD
  • '<SYSTEM32>\net.exe' user 27330 4689 /ADD
  • '<SYSTEM32>\net.exe' user 32316 10343 /ADD
  • '<SYSTEM32>\net.exe' user 28655 30337 /ADD
  • '<SYSTEM32>\net.exe' user 28682 6517 /ADD
  • '<SYSTEM32>\net.exe' user 26845 30576 /ADD
  • '<SYSTEM32>\net.exe' user 23934 13352 /ADD
  • '<SYSTEM32>\net.exe' user 10679 19549 /ADD
  • '<SYSTEM32>\net.exe' user 18094 23497 /ADD
  • '<SYSTEM32>\net.exe' user 27309 5596 /ADD
  • '<SYSTEM32>\net.exe' user 24782 6928 /ADD
  • '<SYSTEM32>\net.exe' user 26260 31729 /ADD
  • '<SYSTEM32>\net.exe' user 5374 30572 /ADD
  • '<SYSTEM32>\net.exe' user 25222 31598 /ADD
  • '<SYSTEM32>\net.exe' user 870 8099 /ADD
  • '<SYSTEM32>\net.exe' user 794 17661 /ADD
  • '<SYSTEM32>\net.exe' user 3053 30946 /ADD
  • '<SYSTEM32>\net.exe' user 30917 31105 /ADD
  • '<SYSTEM32>\net.exe' user 28726 14186 /ADD
  • '<SYSTEM32>\net.exe' user 11756 32513 /ADD
  • '<SYSTEM32>\net.exe' user 13073 13115 /ADD
  • '<SYSTEM32>\net.exe' user 10003 12824 /ADD
  • '<SYSTEM32>\net.exe' user 18841 25652 /ADD
  • '<SYSTEM32>\net.exe' user 379 2976 /ADD
  • '<SYSTEM32>\net.exe' user 30707 5222 /ADD
  • '<SYSTEM32>\net.exe' user 6841 10169 /ADD
  • '<SYSTEM32>\net.exe' user 28925 2156 /ADD
  • '<SYSTEM32>\net.exe' user 21996 15370 /ADD
  • '<SYSTEM32>\net.exe' user 20896 14649 /ADD
  • '<SYSTEM32>\net.exe' user 11198 469 /ADD
  • '<SYSTEM32>\net.exe' user 28403 7653 /ADD
  • '<SYSTEM32>\net.exe' user 29634 21147 /ADD
  • '<SYSTEM32>\net.exe' user 4536 26403 /ADD
  • '<SYSTEM32>\net.exe' user 22157 24868 /ADD
  • '<SYSTEM32>\net.exe' user 11992 18294 /ADD
  • '<SYSTEM32>\net.exe' user 26836 23162 /ADD
  • '<SYSTEM32>\net.exe' user 18140 32495 /ADD
  • '<SYSTEM32>\net.exe' user 23322 12875 /ADD
  • '<SYSTEM32>\net.exe' user 3651 7273 /ADD
  • '<SYSTEM32>\net.exe' user 30332 20124 /ADD
  • '<SYSTEM32>\net.exe' user 17034 24861 /ADD
  • '<SYSTEM32>\net.exe' user 8722 10520 /ADD
  • '<SYSTEM32>\net.exe' user 15157 7463 /ADD
  • '<SYSTEM32>\net.exe' user L hacked /ADD
  • '<SYSTEM32>\net.exe' user O hacked /ADD
  • '<SYSTEM32>\net.exe' user K hacked /ADD
  • '<SYSTEM32>\net.exe' user C hacked /ADD
  • '<SYSTEM32>\net.exe' user I hacked /ADD
  • '<SYSTEM32>\net.exe' user 10662 7643 /ADD
  • '<SYSTEM32>\net.exe' user 14209 12328 /ADD
  • '<SYSTEM32>\net.exe' user 1651 4857 /ADD
  • '<SYSTEM32>\net.exe' user 23593 14839 /ADD
  • '<SYSTEM32>\net.exe' user 19697 10580 /ADD
  • '<SYSTEM32>\net.exe' user 30203 1785 /ADD
  • '<SYSTEM32>\net.exe' user 14890 21600 /ADD
  • '<SYSTEM32>\net.exe' user 31013 1817 /ADD
  • '<SYSTEM32>\net.exe' user 6594 25234 /ADD
  • '<SYSTEM32>\net.exe' user 13629 6054 /ADD
  • '<SYSTEM32>\net.exe' user 19012 18454 /ADD
  • '<SYSTEM32>\net.exe' user 14400 15958 /ADD
  • '<SYSTEM32>\net.exe' user 25445 11509 /ADD
  • '<SYSTEM32>\net.exe' user 20492 16513 /ADD
  • '<SYSTEM32>\net.exe' user 3894 28217 /ADD
  • '<SYSTEM32>\net.exe' user 18574 16461 /ADD
  • '<SYSTEM32>\net.exe' user 10730 31984 /ADD
  • '<SYSTEM32>\net.exe' user 17925 7411 /ADD
  • '<SYSTEM32>\net.exe' user 4227 5057 /ADD
  • '<SYSTEM32>\net.exe' user 21364 14418 /ADD
  • '<SYSTEM32>\net.exe' user 19415 11873 /ADD
  • '<SYSTEM32>\net.exe' user 13455 10577 /ADD
Launches a large number of processes
Terminates or attempts to terminate the following system processes:
  • <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
  • %TEMP%\e771.tmp\e772.tmp\e773.bat
  • %TEMP%\f21b.tmp\f21c.tmp\f21d.bat
  • C:\programsx64\filestack\hackmsg.vbs
  • C:\programsx64\filestack\extra's.bat
  • C:\programsx64\filestack\taskverify.bat
  • C:\programsx64\filestack\helphack.bat
  • C:\programsx64\filestack\hackstore.bat
  • C:\programsx64\filestack\temp.bat
Deletes the following files
  • %TEMP%\e771.tmp\e772.tmp\e773.bat
  • %TEMP%\f21b.tmp\f21c.tmp\f21d.bat
Miscellaneous
Creates and executes the following
  • '<SYSTEM32>\cscript.exe' "C:\Programsx64\Filestack\hackmsg.vbs"
Restarts the analyzed sample
Executes the following
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\E771.tmp\E772.tmp\E773.bat <Full path to file>"
  • '<SYSTEM32>\net1.exe' user 27330 4689 /ADD
  • '<SYSTEM32>\net1.exe' user 32316 10343 /ADD
  • '<SYSTEM32>\net1.exe' user 28655 30337 /ADD
  • '<SYSTEM32>\net1.exe' user 28682 6517 /ADD
  • '<SYSTEM32>\net1.exe' user 23934 13352 /ADD
  • '<SYSTEM32>\net1.exe' user 25222 31598 /ADD
  • '<SYSTEM32>\net1.exe' user 10679 19549 /ADD
  • '<SYSTEM32>\net1.exe' user 18094 23497 /ADD
  • '<SYSTEM32>\net1.exe' user 27309 5596 /ADD
  • '<SYSTEM32>\net1.exe' user 24782 6928 /ADD
  • '<SYSTEM32>\net1.exe' user 26260 31729 /ADD
  • '<SYSTEM32>\net1.exe' user 5374 30572 /ADD
  • '<SYSTEM32>\net1.exe' user 870 8099 /ADD
  • '<SYSTEM32>\net1.exe' user 26845 30576 /ADD
  • '<SYSTEM32>\net1.exe' user 4536 26403 /ADD
  • '<SYSTEM32>\net1.exe' user 31794 22417 /ADD
  • '<SYSTEM32>\net1.exe' user 794 17661 /ADD
  • '<SYSTEM32>\net1.exe' user 19415 11873 /ADD
  • '<SYSTEM32>\net1.exe' user 30707 5222 /ADD
  • '<SYSTEM32>\net1.exe' user 30917 31105 /ADD
  • '<SYSTEM32>\net1.exe' user 28726 14186 /ADD
  • '<SYSTEM32>\net1.exe' user 11756 32513 /ADD
  • '<SYSTEM32>\net1.exe' user 13073 13115 /ADD
  • '<SYSTEM32>\net1.exe' user 10003 12824 /ADD
  • '<SYSTEM32>\net1.exe' user 18841 25652 /ADD
  • '<SYSTEM32>\net1.exe' user 29634 21147 /ADD
  • '<SYSTEM32>\net1.exe' user 3053 30946 /ADD
  • '<SYSTEM32>\net1.exe' user 6841 10169 /ADD
  • '<SYSTEM32>\net1.exe' user 28925 2156 /ADD
  • '<SYSTEM32>\net1.exe' user 21996 15370 /ADD
  • '<SYSTEM32>\net1.exe' user 20896 14649 /ADD
  • '<SYSTEM32>\net1.exe' user 11198 469 /ADD
  • '<SYSTEM32>\net1.exe' user 28403 7653 /ADD
  • '<SYSTEM32>\net1.exe' user 379 2976 /ADD
  • '<SYSTEM32>\net1.exe' user 22157 24868 /ADD
  • '<SYSTEM32>\net1.exe' user 2652 13177 /ADD
  • '<SYSTEM32>\net1.exe' user 11992 18294 /ADD
  • '<SYSTEM32>\net1.exe' user 1651 4857 /ADD
  • '<SYSTEM32>\net1.exe' user 18140 32495 /ADD
  • '<SYSTEM32>\net1.exe' user 23322 12875 /ADD
  • '<SYSTEM32>\net1.exe' user 3651 7273 /ADD
  • '<SYSTEM32>\net1.exe' user 30332 20124 /ADD
  • '<SYSTEM32>\net1.exe' user 8722 10520 /ADD
  • '<SYSTEM32>\net1.exe' user 10662 7643 /ADD
  • '<SYSTEM32>\net1.exe' user 15157 7463 /ADD
  • '<SYSTEM32>\net1.exe' user L hacked /ADD
  • '<SYSTEM32>\net1.exe' user O hacked /ADD
  • '<SYSTEM32>\net1.exe' user K hacked /ADD
  • '<SYSTEM32>\net1.exe' user C hacked /ADD
  • '<SYSTEM32>\net1.exe' user I hacked /ADD
  • '<SYSTEM32>\net1.exe' user R hacked /ADD
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\F21B.tmp\F21C.tmp\F21D.bat <Full path to file> am_admin"
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Start-Process -Verb RunAs -FilePath '<Full path to file>' -ArgumentList 'am_admin'"
  • '<SYSTEM32>\net1.exe' user 26836 23162 /ADD
  • '<SYSTEM32>\net1.exe' user 17034 24861 /ADD
  • '<SYSTEM32>\net1.exe' user 14890 21600 /ADD
  • '<SYSTEM32>\net1.exe' user 14209 12328 /ADD
  • '<SYSTEM32>\net1.exe' user 31013 1817 /ADD
  • '<SYSTEM32>\net1.exe' user 6594 25234 /ADD
  • '<SYSTEM32>\net1.exe' user 13629 6054 /ADD
  • '<SYSTEM32>\net1.exe' user 19012 18454 /ADD
  • '<SYSTEM32>\net1.exe' user 14400 15958 /ADD
  • '<SYSTEM32>\net1.exe' user 30203 1785 /ADD
  • '<SYSTEM32>\net1.exe' user 25445 11509 /ADD
  • '<SYSTEM32>\net1.exe' user 3894 28217 /ADD
  • '<SYSTEM32>\net1.exe' user 18574 16461 /ADD
  • '<SYSTEM32>\net1.exe' user 10730 31984 /ADD
  • '<SYSTEM32>\net1.exe' user 17925 7411 /ADD
  • '<SYSTEM32>\net1.exe' user 4227 5057 /ADD
  • '<SYSTEM32>\net1.exe' user 21364 14418 /ADD
  • '<SYSTEM32>\net1.exe' user 20492 16513 /ADD
  • '<SYSTEM32>\net1.exe' user 23593 14839 /ADD
  • '<SYSTEM32>\net1.exe' user 19697 10580 /ADD
  • '<SYSTEM32>\net1.exe' user 13455 10577 /ADD

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
