Win32.HLLW.Siggen.8980
Added to the Dr.Web virus database: 2017-01-01
Virus description added: 2019-07-22
Technical Information
To ensure autorun and distribution
Creates or modifies the following files
<LS_APPDATA>\start\update_backup.exe
<LS_APPDATA>\start\rcx2944.tmp
Creates the following files on removable media
<Drive name for removable media>:\bloc-notes.exe
Malicious functions
To complicate detection of its presence in the operating system, forces the system to hide the following from view:
hidden files
file extensions
Modifies file system
Creates the following files
%TEMP%\uphwlmc.resources
%TEMP%\edam3q-f.0.vb
%TEMP%\xrzfrk.resources
%TEMP%\gnhpyy.resources
%TEMP%\windowsupdate.ico
%TEMP%\res2713.tmp
%TEMP%\vbc26f2.tmp
%TEMP%\n63t3tkh.out
%TEMP%\n63t3tkh.cmdline
%TEMP%\n63t3tkh.0.vb
%TEMP%\whatdafock.txt
%TEMP%\jp.resources
%TEMP%\lbr.resources
%TEMP%\apvvdv0-.exe
%TEMP%\res1ce1.tmp
%TEMP%\vbc1cd1.tmp
%TEMP%\apvvdv0-.out
%TEMP%\apvvdv0-.cmdline
%TEMP%\apvvdv0-.0.vb
%TEMP%\msnpsharp.dll
%TEMP%\8h425w.resources
<LS_APPDATA>\start\update.exe
%TEMP%\svchost.exe
%TEMP%\update.exe
%TEMP%\edam3q-f.cmdline
%TEMP%\edam3q-f.out
Deletes the following files
%TEMP%\res1ce1.tmp
%TEMP%\edam3q-f.cmdline
%TEMP%\edam3q-f.out
%TEMP%\edam3q-f.0.vb
<LS_APPDATA>\start\update.exe
%TEMP%\windowsupdate.ico
%TEMP%\jp.resources
%TEMP%\lbr.resources
%TEMP%\n63t3tkh.out
%TEMP%\n63t3tkh.cmdline
%TEMP%\n63t3tkh.0.vb
%TEMP%\vbc26f2.tmp
%TEMP%\res2713.tmp
%TEMP%\apvvdv0-.exe
%TEMP%\apvvdv0-.0.vb
%TEMP%\apvvdv0-.out
%TEMP%\apvvdv0-.cmdline
%TEMP%\vbc1cd1.tmp
%TEMP%\gnhpyy.resources
%TEMP%\xrzfrk.resources
Miscellaneous
Creates and executes the following
'%TEMP%\update.exe'
'%TEMP%\svchost.exe'
'%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\apvvdv0-.cmdline" (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1CE1.tmp" "%TEMP%\vbc1CD1.tmp" (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\n63t3tkh.cmdline" (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2713.tmp" "%TEMP%\vbc26F2.tmp" (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\edam3q-f.cmdline" (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES782C.tmp" "%TEMP%\vbc780B.tmp" (with hidden window)
Executes the following
'%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\apvvdv0-.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1CE1.tmp" "%TEMP%\vbc1CD1.tmp"
'%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\n63t3tkh.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2713.tmp" "%TEMP%\vbc26F2.tmp"
'%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\edam3q-f.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES782C.tmp" "%TEMP%\vbc780B.tmp"