Win32.HLLW.Autoruner1.37693
Added to the Dr.Web virus database:
2013-05-22
Virus description added:
2013-09-21
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe] 'Debugger' = 'cwrdsye_.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe] 'Debugger' = 'dttezfx_.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe] 'Debugger' = 'xxyiof_.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'gjmynan_.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows License Check' = '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Windows License Check' = '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows License Check' = '%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\SSDPSRV] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system, it forces the system to hide it from view:
Creates and executes the following:
'%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe'
Executes the following:
Searches for registry branches where third party applications store passwords:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander]
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander Deluxe]
[<HKCU>\Software\FTPWare\CoreFTP\Sites]
[<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
Modifies settings of Windows Internet Explorer:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2500' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '2500' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2500' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2500' = '00000003'
Modifies file system:
Creates the following files:
%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe
Sets the 'hidden' attribute to the following files:
%CommonProgramFiles%\Windows License Check.{2227A280-3AEA-1069-A2DE-08002B30309D}\vvhweqgtk.exe
Network activity:
Connects to:
UDP:
DNS ASK as####.hfgfr56745fg.com
DNS ASK microsoft.com
Miscellaneous:
Searches for the following windows:
ClassName: 'cccccccc' WindowName: 'uuuuuuuu'
ClassName: 'vohohoho' WindowName: 'giaiaiai'
ClassName: 'fdhzbbbb' WindowName: 'ysauiiii'
ClassName: 'txtxtxtx' WindowName: 'gcgcgcgc'
ClassName: 'zmlkripg' WindowName: 'uusccgug'
ClassName: 'uuuuuuuu' WindowName: 'aaaaaaaa'
ClassName: 'xjtnprlv' WindowName: 'cygiucsg'
ClassName: 'xxxxxxxx' WindowName: 'cccccccc'
ClassName: 'ndfxdfxd' WindowName: 'isycsycs'
ClassName: 'imwwwwww' WindowName: 'guyyyyyy'
ClassName: 'raxqzsby' WindowName: 'cicsuyis'
ClassName: 'hfptvtvt' WindowName: 'ayuggggg'
ClassName: 'xvdxvdxv' WindowName: 'cgscgscg'
ClassName: 'eeeeeeee' WindowName: 'cccccccc'
ClassName: 'vcxwdqfs' WindowName: 'gucyssyy'
ClassName: 'djtflnpj' WindowName: 'sygysiuy'
ClassName: 'gggggggg' WindowName: 'gggggggg'
ClassName: 'xtxtxtxt' WindowName: 'cgcgcgcg'
ClassName: 'ffffffff' WindowName: 'yyyyyyyy'
ClassName: 'fyrapkpk' WindowName: 'ysciucuc'
ClassName: 'pppppppp' WindowName: 'uuuuuuuu'
ClassName: 'rixgveby' WindowName: 'cgcggcis'
ClassName: 'xsvqbytw' WindowName: 'cygsisgy'
ClassName: 'bdfztptp' WindowName: 'isyugugu'
ClassName: 'wwwwwwww' WindowName: 'yyyyyyyy'
ClassName: 'kmqaiuyi' WindowName: 'cusigasg'
ClassName: 'zzzzzzzz' WindowName: 'uuuuuuuu'
ClassName: 'Indicator' WindowName: '(null)'
ClassName: '' WindowName: ''
ClassName: 'hyxqjotc' WindowName: 'ascsyigu'
ClassName: 'vunopqrk' WindowName: 'gaiiuscc'
ClassName: 'bdbdbdbd' WindowName: 'isisisis'
ClassName: 'hbphbphb' WindowName: 'aiuaiuai'
ClassName: 'dddddddd' WindowName: 'ssssssss'
ClassName: 'zuxsdmfo' WindowName: 'uacysuyi'
ClassName: 'oooooooo' WindowName: 'iiiiiiii'
ClassName: 'jmpknitg' WindowName: 'yuuciggg'
ClassName: 'bzjbzjbz' WindowName: 'iuyiuyiu'
ClassName: 'nxbfvlzn' WindowName: 'iciygsui'
ClassName: 'fahqhqhq' WindowName: 'yiasasas'
ClassName: 'bnrjxxxx' WindowName: 'iicycccc'
ClassName: 'lhlhlhlh' WindowName: 'sasasasa'
ClassName: 'zevirmpk' WindowName: 'ucggcuuc'