Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLW.Autoruner.60152

Added to the Dr.Web virus database: 2011-09-27

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates the following services:
  • [<HKLM>\SYSTEM\ControlSet001\Services\thmus] 'Start' = '00000002'
Creates the following files on removable media:
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Malicious functions:
Creates and executes the following:
  • <Current directory>\b.exe (downloaded from the Internet) 
  • <Current directory>\a.exe (downloaded from the Internet) 
Executes the following:
  • <SYSTEM32>\svchost.exe
Injects code into
the following system processes:
  • <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
  • \Device\LanmanRedirector\192.168.19.2\pipe\browser
  • \Device\LanmanRedirector\192.168.19.3\pipe\browser
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJBU4WF7\jxkpme[1].bmp
  • <SYSTEM32>\x
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TUSE347B\wpad[1].dat
  • \Device\LanmanRedirector\192.168.19.7\pipe\browser
  • \Device\LanmanRedirector\192.168.19.8\pipe\browser
  • \Device\LanmanRedirector\192.168.19.6\pipe\browser
  • \Device\LanmanRedirector\192.168.19.4\pipe\browser
  • \Device\LanmanRedirector\192.168.19.5\pipe\browser
  • <Current directory>\a.exe
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJBU4WF7\desktop.ini
  • <SYSTEM32>\01.tmp
  • <SYSTEM32>\qqqqqqqq.vmx
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\file1[1].exe
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TUSE347B\desktop.ini
  • <Current directory>\b.exe
  • \Device\LanmanRedirector\192.168.19.1\pipe\browser
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\file2[1].exe
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23CHAXSZ\desktop.ini
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YZLJ20S\desktop.ini
Sets the 'hidden' attribute to the following files:
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YZLJ20S\desktop.ini
  • <Drive name for removable media>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
  • <Drive name for removable media>:\autorun.inf
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23CHAXSZ\desktop.ini
  • <SYSTEM32>\kvzgmyr.dll
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJBU4WF7\desktop.ini
  • C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TUSE347B\desktop.ini
Deletes the following files:
  • <SYSTEM32>\01.tmp
Network activity:
Connects to:
  • 'wpad.localdomain':80
  • '<Private IP address>':139
  • '<Private IP address>':2370
  • 'www.wh###smyip.org':80
  • 'ch####p.dyndns.org':80
  • 'www.ge##yip.org':80
  • 'localhost':1040
  • '8s##ing.ru':80
  • 'localhost':1038
  • 'localhost':1047
  • 'www.wh#####ipaddress.com':80
  • '<Private IP address>':445
TCP:
HTTP GET requests:
  • www.ge##yip.org/
  • ch####p.dyndns.org/
  • www.wh###smyip.org/
  • wpad.localdomain/wpad.dat
  • 8s##ing.ru/file1.exe
  • 8s##ing.ru/file2.exe
  • www.wh#####ipaddress.com/
UDP:
  • DNS ASK www.ge##yip.org
  • DNS ASK ch####p.dyndns.org
  • DNS ASK www.wh###smyip.org
  • DNS ASK wpad.localdomain
  • DNS ASK 8s##ing.ru
  • DNS ASK www.wh#####ipaddress.com
  • '23#.#55.255.250':1900
The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2020

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124