JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner2.19777
Added to the Dr.Web virus database:
2015-03-22
Virus description added:
2020-06-20
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe regsvr.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Msn Messsenger' = '<SYSTEM32>\regsvr.exe'
Creates or modifies the following files
%WINDIR%\tasks\at1.job
<SYSTEM32>\tasks\at1
Creates the following files on removable media
<Drive name for removable media>:\new folder .exe
<Drive name for removable media>:\regsvr.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
Registry Editor (RegEdit)
modifies the following system settings:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '00000000'
Executes the following
'%WINDIR%\syswow64\at.exe' /delete /yes
'%WINDIR%\syswow64\at.exe' 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe
Modifies file system
Creates the following files
%APPDATA%\wplugin.dll
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i9y0gyn5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pjla4wqz\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j1t4jnj0\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\p8e0c3df\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%WINDIR%\syswow64\svchost .exe
%WINDIR%\ws2help.dll
%WINDIR%\regsvr.exe
%WINDIR%\syswow64\regsvr.exe
%WINDIR%\syswow64\28463\svchost.001
%TEMP%\autb77.tmp
%TEMP%\autabb.tmp
%WINDIR%\explorer.exe.local
%WINDIR%\wplugin.dll
%WINDIR%\syswow64\setup.ini
%WINDIR%\syswow64\setting.ini
Sets the 'hidden' attribute to the following files
%WINDIR%\syswow64\regsvr.exe
%WINDIR%\syswow64\svchost .exe
%WINDIR%\syswow64\setup.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\p8e0c3df\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j1t4jnj0\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pjla4wqz\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i9y0gyn5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%WINDIR%\syswow64\setting.ini
Deletes the following files
%TEMP%\autabb.tmp
%TEMP%\autb77.tmp
Network activity
TCP
HTTP GET requests
http://ya##o.com/setting.doc
http://ya##o.com/setting.xls
http://www.ya##o.com/setting.doc
'ya##o.com':443
UDP
Miscellaneous
Creates and executes the following
'%WINDIR%\syswow64\cmd.exe' /C AT /delete /yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe' (with hidden window)
Executes the following
'%WINDIR%\syswow64\cmd.exe' /C AT /delete /yes
'%WINDIR%\syswow64\cmd.exe' /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\Wininet.dll",DispatchAPICall 1
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK