Win32.HLLW.Autoruner1.45519
Added to the Dr.Web virus database: 2013-07-07
Virus description added: 2013-07-07
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'
[<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>\Win32Run.exe %1'
[<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>\Win32Run.exe'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = 'c:\1.exe %1'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Classes\txtfile\shell\open\command] '' = 'C:\1.exe'
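The registry list above is the most actionable part of this entry: the writes to exefile\shell\open\command and txtfile\shell\open\command reroute every shell launch of an .exe or .txt file through the dropped launcher, and the Run-key entry restarts it at logon. The following Python is an added example, not part of the Dr.Web entry, that turns the list into a check: it parses lines in the database's "[key] 'name' = 'value'" notation, compares file-class handlers against stock Windows values ("%1" %* for exefile, NOTEPAD.EXE for txtfile, the scrfile ProgID for .scr; these defaults are assumed from a default Windows install and should be confirmed on a clean reference build), flags every Run-key write, and collects the launcher binaries the values point at. The sample input is this entry's own registry lines plus one constructed benign line; STOCK_VALUES, find_indicators and referenced_binaries are names chosen for this example.

```python
import re

# Constructed sample input: the registry modifications listed in this Dr.Web
# entry, in the database's own "[key] 'name' = 'value'" notation, plus one
# constructed benign line (the stock exefile handler) to show what is NOT flagged.
# <HKLM> and <SYSTEM32> are the database's placeholders and are kept verbatim.
SAMPLE_LINES = [
    r"[<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>'",
    r"[<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>'",
    r"[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'",
    r"[<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>\Win32Run.exe %1'",
    r"[<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'",
    r"[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>'",
    r"[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>\Win32Run.exe'",
    r"[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = 'c:\1.exe %1'",
    r"[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>'",
    r"[<HKLM>\SOFTWARE\Classes\txtfile\shell\open\command] '' = 'C:\1.exe'",
    r"""[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '"%1" %*'""",  # constructed benign line
]

# Stock values for the handlers this sample overwrites (assumption: a default
# Windows install; confirm against a clean reference build before relying on them).
# Keys are lower-cased because registry paths are case-insensitive.
STOCK_VALUES = {
    r"<hklm>\software\classes\exefile\shell\open\command": '"%1" %*',
    r"<hklm>\software\classes\txtfile\shell\open\command": r"%systemroot%\system32\notepad.exe %1",
    r"<hklm>\software\classes\.scr": "scrfile",
}
RUN_KEY = r"<hklm>\software\microsoft\windows\currentversion\run"

# One Dr.Web registry line: [key] 'value name' = 'data'
LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*'(?P<name>[^']*)'\s*=\s*'(?P<value>[^']*)'$")


def parse_line(line):
    """Parse one Dr.Web registry line into (key, name, value); None if not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("key"), m.group("name"), m.group("value")


def classify(key, name, value):
    """Return a verdict string for one registry write, or None if it matches a stock value."""
    k = key.lower()
    v = value.lower()
    if k in STOCK_VALUES:
        return None if v == STOCK_VALUES[k].lower() else "shell-handler hijack"
    if k.endswith(r"\shell\open\command"):
        # Any other file-class handler written by the sample: nothing legitimate
        # rewrites these to point at a freshly dropped binary, so flag every write.
        return "shell-handler hijack"
    if k == RUN_KEY:
        return "run-key persistence"
    return None


def find_indicators(lines):
    """Map every parseable line to its verdict, dropping clean or unparseable ones."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        verdict = classify(*parsed)
        if verdict:
            hits.append((verdict,) + parsed)
    return hits


# An executable path in a value: drive-letter or <SYSTEM32> placeholder, then a name ending in .exe
BINARY_RE = re.compile(r"(?:[a-z]:|<system32>)\\[^\s']*?\.exe", re.IGNORECASE)


def referenced_binaries(lines):
    """Collect the executables the registry values launch (lower-cased, deduplicated)."""
    found = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            found.update(m.lower() for m in BINARY_RE.findall(parsed[2]))
    return found


if __name__ == "__main__":
    for verdict, key, name, value in find_indicators(SAMPLE_LINES):
        print(f"{verdict:22} [{key}] '{name}' = '{value}'")
    print("launchers:", sorted(referenced_binaries(SAMPLE_LINES)))
```

On a live host the same classify() logic applies to values read with winreg or from `reg query ... /s` output; the benign line shows that a stock "%1" %* handler is left alone. Because the exefile handler itself is hijacked, any .exe started from the shell on an infected machine runs through the launcher first, so the handler keys should be restored from a clean environment (offline registry hive or recovery environment) before running tools on the box.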
Creates the following files on removable media:
<Drive name for removable media>:\Autorun.inf
<Drive name for removable media>:\Win32Run.exe
Malicious functions:
To complicate detection of its presence in the operating system, blocks execution of the following system utilities:
Registry Editor (RegEdit)
Creates and executes the following:
'<SYSTEM32>\Win32Run.exe' <SYSTEM32>\ichelper.exe
'<SYSTEM32>\Win32Run.exe' <Current directory>\ichelper.exe
Executes the following:
'<SYSTEM32>\ntvdm.exe' -f -i16
'<SYSTEM32>\ntvdm.exe' -f -i15
'<SYSTEM32>\ntvdm.exe' -f -i18
'<SYSTEM32>\ntvdm.exe' -f -i17
'<SYSTEM32>\ntvdm.exe' -f -i12
'<SYSTEM32>\ntvdm.exe' -f -i11
'<SYSTEM32>\ntvdm.exe' -f -i14
'<SYSTEM32>\ntvdm.exe' -f -i13
'<SYSTEM32>\ntvdm.exe' -f -i1e
'<SYSTEM32>\ntvdm.exe' -f -i1d
'<SYSTEM32>\ntvdm.exe' -f -i20
'<SYSTEM32>\ntvdm.exe' -f -i1f
'<SYSTEM32>\ntvdm.exe' -f -i1a
'<SYSTEM32>\ntvdm.exe' -f -i19
'<SYSTEM32>\ntvdm.exe' -f -i1c
'<SYSTEM32>\ntvdm.exe' -f -i1b
'<SYSTEM32>\ntvdm.exe' -f -i10
'<SYSTEM32>\ntvdm.exe' -f -i5
'<SYSTEM32>\ntvdm.exe' -f -i4
'<SYSTEM32>\ntvdm.exe' -f -i7
'<SYSTEM32>\ntvdm.exe' -f -i6
'<SYSTEM32>\ntvdm.exe' -f -i1
'%WINDIR%\explorer.exe'
'<SYSTEM32>\ntvdm.exe' -f -i3
'<SYSTEM32>\ntvdm.exe' -f -i2
'<SYSTEM32>\ntvdm.exe' -f -id
'<SYSTEM32>\ntvdm.exe' -f -ic
'<SYSTEM32>\ntvdm.exe' -f -if
'<SYSTEM32>\ntvdm.exe' -f -ie
'<SYSTEM32>\ntvdm.exe' -f -i9
'<SYSTEM32>\ntvdm.exe' -f -i8
'<SYSTEM32>\ntvdm.exe' -f -ib
'<SYSTEM32>\ntvdm.exe' -f -ia
Injects code into the following user processes:
Terminates or attempts to terminate the following system processes:
the following user processes:
bdss.exe
360tray.exe
NAVAPW32.EXE
Sets a new unauthorized home page for Windows Internet Explorer.
Miscellaneous:
Searches for the following windows:
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d88.c60.4a0017'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c84.c88.490016'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c64.cec.4c0019'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d44.df0.4b0018'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b04.ae8.480015'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-638.594.450012'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-70c.700.440011'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a14.bb8.470014'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-72c.b98.460013'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c18.c28.4d001a'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1064.1074.540021'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1060.1070.530020'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-10a0.10a4.560023'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1080.1084.550022'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1054.105c.52001f'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ec0.d68.4f001c'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bbc.e1c.4e001b'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1030.1034.51001e'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1028.102c.50001d'
ClassName: 'CSCHiddenWindow' WindowName: '(null)'
ClassName: 'SystemTray_Main' WindowName: '(null)'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-98c.964.390002'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-980.968.380001'
ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
ClassName: 'Proxy Desktop' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'SysListView32' WindowName: '(null)'
ClassName: 'BaseBar' WindowName: 'ChanApp'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-568.9d0.3a0007'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ac8.adc.41000e'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ab8.acc.40000d'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-690.a54.430010'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-6bc.6b8.42000f'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a84.a80.3f000c'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-5ec.a34.3c0009'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-9e0.9e4.3b0008'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a6c.a68.3e000b'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a38.a3c.3d000a'