JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner2.13031
Added to the Dr.Web virus database:
2014-04-26
Virus description added:
2014-04-27
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'e896799a0a1e789892aa1eb7a09deeee' = '"%TEMP%\Win32.exe" ..'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'e896799a0a1e789892aa1eb7a09deeee' = '"%TEMP%\Win32.exe" ..'
Creates or modifies the following files:
%HOMEPATH%\Start Menu\Programs\Startup\e896799a0a1e789892aa1eb7a09deeee.exe
Creates the following files on removable media:
<Drive name for removable media>:\ncacl.pif
<Drive name for removable media>:\autorun.inf.lnk
<Drive name for removable media>:\e896799a0a1e789892aa1eb7a09deeee.exe
<Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\Win32.exe' = '%TEMP%\Win32.exe:*:Enabled:Win32.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\expressvpn.exe' = '%WINDIR%\expressvpn.exe:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks the following features:
User Account Control (UAC)
Windows Security Center
Creates and executes the following:
'%TEMP%\Win32.exe'
'%WINDIR%\Crypted.exe'
'%WINDIR%\expressvpn.exe'
Executes the following:
'<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\Win32.exe" "Win32.exe" ENABLE
Injects code into
the following system processes:
a large number of user processes.
Modifies file system :
Creates the following files:
%TEMP%\nso4.tmp\modern-header.bmp
%TEMP%\nso4.tmp\modern-wizard.bmp
%TEMP%\nso4.tmp\ioSpecial.ini
%TEMP%\nso4.tmp\InstallOptions.dll
C:\vnxffr.exe
C:\autorun.inf
%TEMP%\winemao.exe
%TEMP%\nso4.tmp\UserInfo.dll
%TEMP%\aut2.tmp
%WINDIR%\expressvpn.exe
%TEMP%\aut1.tmp
%WINDIR%\Crypted.exe
%TEMP%\nso4.tmp\System.dll
%TEMP%\Win32.exe
%TEMP%\0002E9E9_Rar\expressvpn.exe
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\ncacl.pif
C:\vnxffr.exe
<Drive name for removable media>:\e896799a0a1e789892aa1eb7a09deeee.exe
C:\autorun.inf
Deletes the following files:
%TEMP%\winemao.exe
%TEMP%\aut2.tmp
%TEMP%\aut1.tmp
Network activity:
Connects to:
'es####r94.no-ip.org':1177
UDP:
DNS ASK es####r94.no-ip.org
Miscellaneous:
Searches for the following windows:
ClassName: 'Indicator' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK