Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLW.Autoruner2.19777

Added to the Dr.Web virus database: 2015-03-22

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe regsvr.exe'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Msn Messsenger' = '<SYSTEM32>\regsvr.exe'
Creates or modifies the following files
  • %WINDIR%\tasks\at1.job
  • <SYSTEM32>\tasks\at1
Creates the following files on removable media
  • <Drive name for removable media>:\new folder .exe
  • <Drive name for removable media>:\regsvr.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
  • Registry Editor (RegEdit)
modifies the following system settings:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '00000000'
Executes the following
  • '%WINDIR%\syswow64\at.exe' /delete /yes
  • '%WINDIR%\syswow64\at.exe' 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe
Modifies file system
Creates the following files
  • %APPDATA%\wplugin.dll
  • %APPDATA%\microsoft\windows\cookies\low\index.dat
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i9y0gyn5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pjla4wqz\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j1t4jnj0\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\p8e0c3df\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
  • %WINDIR%\syswow64\svchost .exe
  • %WINDIR%\ws2help.dll
  • %WINDIR%\regsvr.exe
  • %WINDIR%\syswow64\regsvr.exe
  • %WINDIR%\syswow64\28463\svchost.001
  • %TEMP%\autb77.tmp
  • %TEMP%\autabb.tmp
  • %WINDIR%\explorer.exe.local
  • %WINDIR%\wplugin.dll
  • %WINDIR%\syswow64\setup.ini
  • %WINDIR%\syswow64\setting.ini
Sets the 'hidden' attribute to the following files
  • %WINDIR%\syswow64\regsvr.exe
  • %WINDIR%\syswow64\svchost .exe
  • %WINDIR%\syswow64\setup.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\p8e0c3df\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j1t4jnj0\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pjla4wqz\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i9y0gyn5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
  • %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
  • %WINDIR%\syswow64\setting.ini
Deletes the following files
  • %TEMP%\autabb.tmp
  • %TEMP%\autb77.tmp
Network activity
TCP
HTTP GET requests
  • http://ya##o.com/setting.doc
  • http://ya##o.com/setting.xls
  • http://www.ya##o.com/setting.doc
  • 'ya##o.com':443
  • UDP
    • DNS ASK ya##o.com
    Miscellaneous
    Creates and executes the following
    • '%WINDIR%\syswow64\cmd.exe' /C AT /delete /yes' (with hidden window)
    • '%WINDIR%\syswow64\cmd.exe' /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe' (with hidden window)
    Executes the following
    • '%WINDIR%\syswow64\cmd.exe' /C AT /delete /yes
    • '%WINDIR%\syswow64\cmd.exe' /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\svchost .exe
    • '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\Wininet.dll",DispatchAPICall 1

    The Russian developer of Dr.Web anti-viruses

    Doctor Web has been developing anti-virus software since 1992

    Dr.Web is trusted by users around the world in 200+ countries

    The company has delivered an anti-virus as a service since 2007

    24/7 tech support

    © Doctor Web
    2003 — 2020

    Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

    2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040