Para el funcionamiento correcto del sitio web, debe activar el soporte de JavaScript en su navegador.
Win32.HLLW.Autoruner2.1815
Added to the Dr.Web virus database:
2014-01-06
Virus description added:
2014-01-07
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysInspector.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysRescue.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrzState2k.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DF5Serv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Armor2net.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boda fire-wall.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smsniff.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regshot.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KeyScrambler.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiLogger.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TIGeR-Firewall.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUC30.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTSS.scr] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthUpd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimpl.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimp2.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCmd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswupdsv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Virus name>' = '%WINDIR%\%USERNAME%.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcfgex.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfrw.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe] 'Debugger' = 'ntsd -d'
Creates the following files on removable media:
<Drive name for removable media>:\System32.exe
<Drive name for removable media>:\System32\<Virus name>.exe
<Drive name for removable media>:\Autorun.inf
Malicious functions:
Creates and executes the following:
'%WINDIR%\WarNet.exe' -modify %WINDIR%\%USERNAME%.exe , %WINDIR%\%USERNAME%.exe , %WINDIR%\WarNet.ico , ICONGROUP, 1, 0
'%WINDIR%\WarNet.exe' -extract <SYSTEM32>\shell32.dll , %WINDIR%\WarNet.ico , ICONGROUP, 4,1036
Terminates or attempts to terminate
the following user processes:
ekrn.exe
AVP.EXE
ashAvast.exe
Modifies file system :
Creates the following files:
Sets the 'hidden' attribute to the following files:
%WINDIR%\WarNet.exe
%WINDIR%\WarNet.ini
%WINDIR%\WarNet.log
<Drive name for removable media>:\System32\<Virus name>.exe
<Current directory>\Autorun.inf
C:\System32\<Virus name>.exe
<Drive name for removable media>:\Autorun.inf
Deletes the following files:
%WINDIR%\Temp\tmp6.tmp
%WINDIR%\Temp\tmp5.tmp
Moves the following files:
from <SYSTEM32>\wbem\mof\good.exe to <SYSTEM32>\wbem\mof\bad\good.exe
from <SYSTEM32>\wbem\mof\bad.exe to <SYSTEM32>\wbem\mof\bad\bad.exe
Miscellaneous:
Searches for the following windows:
ClassName: 'MS_WINHELP' WindowName: '(null)'
Descargue Dr.Web para Android
Gratis por 3 meses
Todos los componentes de protección
Renovación de la demo a través de AppGallery/Google Pay
Si Vd. continúa usando este sitio web, esto significa que Vd. acepta el uso de archivos Cookie y otras tecnologías para que recabemos las estadísticas sobre los visitantes. Más información
OK