FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Win32.HLLP.Zakk

(Win32/Delf.AM, Backdoor.Win32.Delf.qw, Backdoor.Delf.NL, BackDoor.Generic.SIF, W32/HLLP.Zakk.b, BDS/Delf.NL.2, Trojan:Win32/Sisron, W32.Zakk, BDS/Delf.HQ, Backdoor.Win32.Delf.hq, W32/Backdoor.EZT, Virus.Win32.Zakk.a, BKDR_DELF.NP, Parser error, Virus.Win32.HLLP.Zakk.a, PE_Generic, Backdoor.Generic.32723, BDS/Delf.anw.1, TR/Dldr.Delphi.Gen2, Backdoor:Win32/Delf, BehavesLike:Trojan.RegistryDisabler, Win32/MySoft.B, BackDoor.Delf.15.J, Win32/Delf.BL, Win32/Zakk.A)

Added to the Dr.Web virus database: 2004-12-09

Virus description added:

Virus Type: Virus-parasite

Affected OS: Win95/98/Me/NT/2000/XP

Size: 758 784 byte

Packed by: No

Technical Information

  • Virus parasitizing on executable files with .exe extension.

  • Creates its own copy with svshost.exe filename in system folder (C:\%WinDir%\SYSTEM32 for Windows NT/2000/XP, C:\%WinDir%\SYSTEM for Windows 9x/Me).

  • To provide its own run after rebooting Windows, virus registers itself on the following registry path::
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft = "C:\WINDOWS\System32\svshost.exe"

    • HKEY_CLASSES_ROOT\exefile\shell\open\command
    @= "C:\WINDOWS\System32\svshost.exe "%1" %*"

  • Deletes keys from registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    SKYNET Personal FireWall iDuba Personal FireWall
    iamapp
    popproxy
    RavMon
    RavTimer
    KVFW

  • During starting, virus creates latent cured copy of the infected file and launches it. For hiding this latent cured copy of the infected file in Explorer, virus modifies values in registry paths:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

  • Locks running of such applications:

    pfw.exe
    kvfw.exe
    KAVPFW.EXE
    iamapp.exe
    nmain.exe
    rfw.exe
    freepp.EXE
    freekav.EXE
    freesys.EXE
    Iparmor.exe
    trojan_hunter.exe

  • In case if application has been already started, virus stops it and deletes from disk both application and files, which are in its folder.

  • Virus contain backdoor and keylogger.

    • System Recovery References.

    a. In Safe Mode scan system with Dr.Web CureIt! antivirus utility from write-protected disk. Apply action "Cure" to all infected files.

    b.
    1. Recover HKEY_CLASSES_ROOT\exefile\shell\open\command key value on standard "%1" %*. 2. Export registry file which was received.
    3. Reboot the computer in Normal Mode.
    4. Import registry file.
    5. Reboot the computer in Normal Mode.