JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner1.17832
Added to the Dr.Web virus database:
2012-06-23
Virus description added:
2012-07-14
Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
<Drive name for removable media>:\gwnxa.exe
<Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\winlogon.exe' = '<SYSTEM32>\winlogon.exe:*:enabled:@shell32.dll,-1'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks the following features:
User Account Control (UAC)
Windows Security Center
Injects code into
the following system processes:
a large number of user processes.
Restores hooked functions in System Service Descriptor Table (SSDT).
Modifies file system :
Creates the following files:
%TEMP%\wjns.exe
C:\autorun.inf
C:\yhgt.exe
%TEMP%\winvbiy.exe
%TEMP%\qyjvgx.exe
%TEMP%\winxysvl.exe
<DRIVERS>\ehpro.sys
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\gwnxa.exe
C:\autorun.inf
C:\yhgt.exe
Deletes the following files:
%TEMP%\winvbiy.exe
%TEMP%\wjns.exe
%TEMP%\winxysvl.exe
<DRIVERS>\ehpro.sys
Network activity:
Connects to:
'cj.#erdo.at':80
'it##ah.com':443
'dd#.bton.pl':80
UDP:
DNS ASK cj.#erdo.at
DNS ASK it##ah.com
DNS ASK dd#.bton.pl
Miscellaneous:
Searches for the following windows:
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: '' WindowName: 'Message Console Manager'
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK