FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Win32.HLLW.Autoruner.54774

Added to the Dr.Web virus database: 2011-07-21

Virus description added: 2011-07-22

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MSWUpdate' = '"%APPDATA%\lsass.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'MSWUpdate' = '"%APPDATA%\lsass.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 ""%TEMP%\IXP000.TMP\""'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe "%APPDATA%\lsass.exe"'

Creates the following files on removable media:

<Drive name for removable media>:\Autorun.inf
<Drive name for removable media>:\SYSTEM.EXE

Malicious functions:

Creates and executes the following:

%APPDATA%\lsass.exe /d "%TEMP%\svchost.exe"

Executes the following:

<SYSTEM32>\netsh.exe firewall add allowedprogram program = %APPDATA%\lsass.exename = Nero mode = ENABLE

Modifies file system :

Creates the following files:

%TEMP%\mrt3.tmp\kcfile.mfx
%TEMP%\mrt3.tmp\Download.mfx
%TEMP%\mrt3.tmp\KcActiveX.mfx
%TEMP%\mrt3.tmp\mmfs2.dll
%TEMP%\mrt3.tmp\kclist.mfx
%TEMP%\mrt3.tmp\Registry2.mfx
%APPDATA%\lsass.exe
%TEMP%\mrt3.tmp\volume.mfx
%TEMP%\IXP000.TMP\tubelist.dat
%TEMP%\mrt3.tmp\Yaso.mfx
%TEMP%\mrt3.tmp\kcwctrl.mfx
%TEMP%\mrt3.tmp\kctaskpr.mfx
%TEMP%\mrt3.tmp\stdrt.exe
%TEMP%\IXP000.TMP\flex.exe
%TEMP%\IXP000.TMP\pdvd.exe
%TEMP%\IXP000.TMP\PowerDVD10.sim
%TEMP%\Pdvd_Patch32.exe
%TEMP%\svchost.exe
%TEMP%\IXP000.TMP\CLAud.sim
%TEMP%\mrt2.tmp\Registry2.mfx
%TEMP%\mrt2.tmp\kcfile.mfx
%TEMP%\mrt2.tmp\KcBoxA.mfx
%TEMP%\mrt2.tmp\stdrt.exe
%TEMP%\mrt2.tmp\mmfs2.dll
%TEMP%\mrt2.tmp\KcBoxB.mfx

Sets the 'hidden' attribute to the following files:

<Drive name for removable media>:\Autorun.inf
<Drive name for removable media>:\SYSTEM.EXE
%APPDATA%\lsass.exe

Deletes the following files:

%TEMP%\mrt3.tmp\Yaso.mfx
%TEMP%\mrt3.tmp\KcActiveX.mfx
%TEMP%\mrt3.tmp\Download.mfx
%TEMP%\mrt3.tmp\volume.mfx
%TEMP%\mrt3.tmp\kctaskpr.mfx
%TEMP%\mrt3.tmp\kcwctrl.mfx
%TEMP%\mrt3.tmp\mmfs2.dll
%TEMP%\mrt3.tmp\stdrt.exe
%TEMP%\svchost.exe
%TEMP%\mrt3.tmp\kcfile.mfx
%TEMP%\mrt3.tmp\Registry2.mfx
%TEMP%\mrt3.tmp\kclist.mfx

Network activity:

Connects to:

't8#.#yndns.info':3175
'www.tu###kid.com':80

TCP:

HTTP GET requests:

www.tu###kid.com/tubeapp/tubelist.dat

UDP:

DNS ASK t8#.#yndns.info
DNS ASK www.tu###kid.com

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: 'ibhikhii'
ClassName: 'Indicator' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: '' WindowName: 'HB'