JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner2.64485
Added to the Dr.Web virus database:
2019-10-07
Virus description added:
2019-10-08
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKCU>\software\Microsoft\Windows\CurrentVersion\Run] '0bbd2b07bbb34c7017fe80cc05f64a7b' = '"%TEMP%\server.exe" ..'
[<HKLM>\software\Microsoft\Windows\CurrentVersion\Run] '0bbd2b07bbb34c7017fe80cc05f64a7b' = '"%TEMP%\server.exe" ..'
Creates or modifies the following files
%HOMEPATH%\start menu\programs\startup\0bbd2b07bbb34c7017fe80cc05f64a7b.exe
Creates the following files on removable media
<Drive name for removable media>:\0bbd2b07bbb34c7017fe80cc05f64a7b.exe
<Drive name for removable media>:\autorun.inf
Malicious functions
To bypass firewall, removes or modifies the following registry keys
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\server.exe' = '%TEMP%\server.exe:*:Enabled:server.exe'
To complicate detection of its presence in the operating system,
forces the system hide from view:
Executes the following
'<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE
Modifies file system
Creates the following files
Sets the 'hidden' attribute to the following files
<Drive name for removable media>:\0bbd2b07bbb34c7017fe80cc05f64a7b.exe
<Drive name for removable media>:\autorun.inf
%TEMP%\server.exe
%HOMEPATH%\start menu\programs\startup\0bbd2b07bbb34c7017fe80cc05f64a7b.exe
Network activity
UDP
DNS ASK em######ount01.myq-see.com
DNS ASK em######count02.ddns.net
DNS ASK em######count01.ddns.net
DNS ASK em######ount02.myq-see.com
DNS ASK em######count04.ddns.net
DNS ASK em#######ount01.publicvm.com
DNS ASK em######count03.ddns.net
DNS ASK em#######ount03.publicvm.com
DNS ASK em######count03.linkpc.net
DNS ASK em######count01.linkpc.net
Miscellaneous
Creates and executes the following
'%TEMP%\server.exe'
'<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE' (with hidden window)
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK