Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLM.Perf

(W32/Areses.dr, MalwareScope.Trojan-PSW.Pinch.1, TR/Crypt.XPACK.Gen, Email-Worm.Win32.Scano.ay, WORM_SCANO.AY, EXP/Scano, Trojan.HTML.Dropper.A, W32/Areses.f, VBS/Inor, Email-Worm.Win32.Scano.gen, I-Worm/Scano, TrojanDropper:VBS/Scano.gen, WORM_SCANO.BH, VBS/Drop.Inor.CT, I-Worm/Scano.BJ, Dropper.Inor, TR/Crypt.UPKM.Gen, W32/Areses.a@MM, Worm:Win32/Scano.dr, Mal_VBSDrpr, TR/Vundo.Gen, I-Worm/Scano.BP, Generic.dw, Generic.SGO, I-Worm/Scano.AR, HTML/Drop.Scano.L)

Virus description added:

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: 17 872 byte

Packed by: No

Technical Information

  • Spreads via e-mail in form of application. Falsifies sender’s address.
  • Mail subjects and bodies are in Russian.
  • .cab archive is created as an application. This archive contains dropper of the main virus body. File name starts with "new", "me","you","cool" or "Re" and has double extension. First extension is from ".doc", ".txt",".avi", ".mpeg" list and the second one is " .cpl". Example "me.doc .cpl" inside me.cab archive.
  • Copies itself in system folder with %systemroot%\csrss.exe name (present csrss.exe is located in %systemroot%\system32\csrss.exe).
  • Loads optional processes services.exe и svchost.exe. Implants code which supports autorun record in registry and integrity of its csrss.exe carrier.
  • If virus body is deleted, it will be immediately restored from copy which is kept in the memory of services.exe process which is infected. At the same time "Windows file protection" operation is simulated.
  • Main part of the virus in svchost.exe process scans all available disks in search of mail addresses for distribution. For that it uses files with the following extensions:
    adb, .asp, .cfg, .cgi .mra, .dbx, .dhtm, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab, .wsh, .xls, .xml, .dhtml
  • Extracted addresses shouldn’t contain the following substrings:

    "@example.""Mailer-Daemon@""-0"
    "2003""@subscribe"".00"
    "2004" "kasp" "@."
    "2005" "admin" "---"
    "2006" "icrosoft" "abuse"
    "@hotmail" "support" "panda"
    "@msn" "ntivi" "cafee"
    "@microsoft" "unix" "spam"
    "rating@" "bsd" "pgp"
    "f-secur" "linux" "@avp."
    "news" "listserv" "noreply"
    "update" "certific" "local"
    ".qmail" "torvalds@" "root@"
    ".gif" "sopho" "postmaster@"
    "anyone@" "@foo" ".0"
    "bugs@" "@iana" ".1"
    "contract@" "free-av" ".2"
    "feste" "@messagelab" ".3"
    "gold-certs@""winzip" ".4"
    "help@" "google" ".5"
    "info@" "winrar" ".6"
    "nobody@" "samples" ".7"
    "noone@" "spm111@" ".8"
    "0000" ".." ".9"

  • During launching this virus tries to download and execute directly .exe file.

    http: // 85.249.23.43 / 0.exe

    or tries to get encrypted address list for further downloading:

    http: // 85.249.23.35/m2/ g.php
    http: // 207.46.250.119/g/ m.php
    http: // 84.22.161.192/s/ f.php

  • In case of virtual machine detection virus opens www.nauy.com site and completes its operation.
  • Provides its autorun during system reboot via recording in registry:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Debugger = "C:\WINDOWS\csrss.exe"

  • System Recovery References

    a) Download Dr.Web CureIt! utility.
    b) Disconnect the computer from local network and/or Internet.
    c) Load Windows in "Safe mode with command prompt" mode.
    d) Enter and execute command:
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v Debugger /f
    e) Run the
    Dr.Web CureIt! utility or antivirus disk scanner (if present). Scan directory: %SystemRoot% (C:\Windows by default). Apply "delete" action for objects infected with Win32.HLLM.Perf.

    The Russian developer of Dr.Web anti-viruses

    Doctor Web has been developing anti-virus software since 1992

    Dr.Web is trusted by users around the world in 200+ countries

    The company has delivered an anti-virus as a service since 2007

    24/7 tech support

    Dr.Web © Doctor Web
    2003 — 2020

    Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

    2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040