Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2010-11-12

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • %WINDIR%\system.ini
Creates the following services
  • [<HKLM>\System\CurrentControlSet\Services\amsint32] 'ImagePath' = '<DRIVERS>\hnlifn.sys'
Infects the following executable files
  • <Drive name for removable media>:\notepad.exe
  • <Drive name for removable media>:\jre-7u75-windows-i586-iftw.exe
  • <Drive name for removable media>:\chromesetup.exe
  • <Drive name for removable media>:\calc.exe
  • <Drive name for removable media>:\tcm851ax32.exe
  • %ALLUSERSPROFILE%\application data\adobe\setup\{ac76ba86-7ad7-1033-7b44-aa1000000001}\setup.exe
  • %ProgramFiles%\microsoft office\office12\excel.exe
  • %ProgramFiles%\microsoft office\office12\winword.exe
  • %ProgramFiles%\microsoft office\office12\powerpnt.exe
  • %ProgramFiles%\microsoft office\office12\infopath.exe
  • %ProgramFiles%\opera\launcher.exe
  • %ProgramFiles%\adobe\reader 10.0\reader\acrord32.exe
  • %ProgramFiles%\microsoft office\office12\msohtmed.exe
  • %ProgramFiles%\Microsoft Office\Office12\OIS.EXE
  • %ProgramFiles%\winrar\winrar.exe
Creates the following files on removable media
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\toqms.exe
Malicious functions
To bypass firewall, removes or modifies the following registry keys
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to file>' = '<Full path to file>:*:Enabled:ipsec'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
blocks execution of the following system utilities:
  • Windows Security Center
blocks the following features:
  • User Account Control (UAC)
  • Windows Security Center
Injects code into
the following system processes:
  • <SYSTEM32>\ctfmon.exe
the following user processes:
  • firefox.exe
Modifies file system
Creates the following files
  • %TEMP%\windsaiot.exe
  • %TEMP%\winbrbloe.exe
  • <DRIVERS>\hnlifn.sys
  • %TEMP%\winehhomd.exe
  • amsint32
  • %TEMP%\ugrrvw.exe
  • C:\autorun.inf
  • C:\cubhx.exe
  • D:\autorun.inf
  • D:\kqkps.exe
Sets the 'hidden' attribute to the following files
  • C:\autorun.inf
  • C:\cubhx.exe
  • D:\autorun.inf
  • D:\kqkps.exe
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\toqms.exe
Deletes the following files
  • %TEMP%\windsaiot.exe
  • %TEMP%\winbrbloe.exe
  • <DRIVERS>\hnlifn.sys
  • %TEMP%\winehhomd.exe
  • %TEMP%\ugrrvw.exe

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2020

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040