FOR CUSTOMERS

My library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Win32.HLLW.Facebook.168

Added to the Dr.Web virus database: 2009-07-26

Virus description added: 2020-07-21

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sysldtray' = '%WINDIR%\ld12.exe'

Modifies file system

Creates the following files

%WINDIR%\prxid93ps.dat
<Current directory>\x2.dat
%WINDIR%\ld12.exe
%WINDIR%\34rdft.bat

Deletes the following files

<Current directory>\x2.dat

Deletes itself.

Network activity

TCP

HTTP GET requests

http://www.google.com/

HTTP POST requests

http://u1##ul.com/achcheck.php
http://um###ummer.com/achcheck.php

UDP

DNS ASK google.com
DNS ASK up##306.com
DNS ASK rj###three.com
DNS ASK ut###ejuly.com
DNS ASK u1##ul.com
DNS ASK um###ummer.com

Miscellaneous

Creates and executes the following

'%WINDIR%\ld12.exe'
'%WINDIR%\ld12.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\34rdft.bat' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\34rdft.bat