FOR CUSTOMERS

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLM.Breacuk.10

Added to the Dr.Web virus database: 2012-09-18

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xbkil' = '%WINDIR%\Tasks\yupqh.exe'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'nxssp' = '%WINDIR%\Fonts\yupqh.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reybi' = '%WINDIR%\system\yupqh.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'wpvjw' = '<SYSTEM32>\yupqh.exe'
Creates or modifies the following files:
  • %WINDIR%\Tasks\cts2
  • %WINDIR%\Tasks\ma1.tmp
  • %WINDIR%\Tasks\codm
  • %WINDIR%\Tasks\yupqh.exe
  • %WINDIR%\Tasks\b6.log
Infects the following executable system files:
  • <SYSTEM32>\dllcache\cmd.exe
  • <SYSTEM32>\cmd.exe
  • %WINDIR%\pchealth\helpctr\binaries\msconfig.exe
  • <SYSTEM32>\wupdmgr.exe
  • <SYSTEM32>\dllcache\wupdmgr.exe
  • %WINDIR%\regedit.exe
  • <SYSTEM32>\regedt32.exe
  • <SYSTEM32>\dllcache\regedt32.exe
  • <SYSTEM32>\dllcache\taskmgr.exe
  • <SYSTEM32>\dllcache\regedit.exe
  • <SYSTEM32>\taskmgr.exe
Substitutes the following executable system files:
  • <SYSTEM32>\dllcache\msconfig.exe with <SYSTEM32>\dllcache\msconfig.exe.new
  • %WINDIR%\pchealth\helpctr\binaries\msconfig.exe with %WINDIR%\pchealth\helpctr\binaries\msconfig.exe.new
Malicious functions:
Executes the following:
  • %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://www.po###rone.com/ad2_03/images/pc0132hb072.jpg
Modifies file system :
Creates the following files:
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\pc0132hb072[1].jpg
  • %WINDIR%\Fonts\yupqh.exe
  • %WINDIR%\pchealth\helpctr\binaries\msconfig.exe.new
  • <SYSTEM32>\dllcache\msconfig.exe.new
  • C:\Far2\Far..exe
  • <SYSTEM32>\yupqh.exe
  • %WINDIR%\system\systray.exe
  • %WINDIR%\system\msconfig.exe
  • %WINDIR%\wupdmgr.exe
  • %WINDIR%\system\yupqh.exe
  • %WINDIR%\command.com
Network activity:
Connects to:
  • 'ca#####.nas.tiscali.de':53
  • '62.##.16.130':53
  • 'ma###.#ed.retevision.es':53
  • 'ra#####.red.retevision.es':53
  • 'www.po###rone.com':80
  • 'localhost':1035
  • 'ns####.uninet.net.mx':53
  • 'ma######2.red.retevision.es':53
TCP:
HTTP GET requests:
  • www.po###rone.com/ad2_03/images/pc0132hb072.jpg
UDP:
  • DNS ASK ca#####.nas.tiscali.de
  • DNS ASK ra#####.red.retevision.es
  • DNS ASK ma###.#ed.retevision.es
  • DNS ASK www.po###rone.com
  • DNS ASK ma######2.red.retevision.es
  • DNS ASK ns####.uninet.net.mx
Miscellaneous:
Searches for the following windows:
  • ClassName: 'MS_AutodialMonitor' WindowName: ''
  • ClassName: 'MS_WebcheckMonitor' WindowName: ''
  • ClassName: 'Shell_TrayWnd' WindowName: ''
  • ClassName: '' WindowName: ''
  • ClassName: 'Indicator' WindowName: ''

Dr.Web © Doctor Web
2003 — 2022

Doctor Web is a Russian cybersecurity company focused on threat detection, prevention and response technologies.