Win32.HLLW.Autoruner1.29350

Added to the Dr.Web virus database: 2012-11-03

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RecyBin' = '%WINDIR%\RecyBin.exe'
Infects the following executable system files:
  • <SYSTEM32>\rundll32.exe
Substitutes the following executable system files:
  • <SYSTEM32>\dllcache\rundll32.exe with <SYSTEM32>\dllcache\rundll32.exe.new
  • <SYSTEM32>\rundll32.exe with <SYSTEM32>\rundll32.exe.new
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
  • Windows Task Manager (Taskmgr)
  • Registry Editor (RegEdit)
Executes the following:
  • <SYSTEM32>\attrib.exe -h -s h:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s i:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s j:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s g:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s <Drive name for removable media>:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s e:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s f:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s k:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s p:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s q:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s r:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s o:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s l:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s m:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s n:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s c:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s p:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s q:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s r:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s o:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s l:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s m:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s n:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s s:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s y:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s z:\autorun.inf
  • <SYSTEM32>\attrib.exe -h -s b:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s x:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s t:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s u:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s w:\autorun.inf
  • <SYSTEM32>\attrib.exe -h -s o:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s p:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s q:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s n:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s k:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s l:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s m:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s r:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s x:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s y:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s z:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s w:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s s:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s t:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s u:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s j:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s x:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s y:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s z:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s w:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s s:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s t:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s u:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s b:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s g:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s h:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s i:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s f:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s c:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s <Drive name for removable media>:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe -h -s e:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s q:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s r:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s s:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s p:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s m:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s n:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s o:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s t:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s z:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s b:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s c:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s y:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s u:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s w:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s x:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s l:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
  • <SYSTEM32>\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
  • <SYSTEM32>\attrib.exe +h +s b:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v disabletaskmgr /t REG_DWORD /d 1 /f
  • <SYSTEM32>\cmd.exe /c ""%TEMP%\1.tmp\batavbs.bat" <Current directory>\"
  • <SYSTEM32>\reg.exe ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v RecyBin /t REG_SZ /d %WINDIR%\RecyBin.exe /f
  • <SYSTEM32>\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system /v disabletaskmgr /t REG_DWORD /d 1 /f
  • <SYSTEM32>\attrib.exe +h +s c:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s i:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s j:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s k:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s h:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s <Drive name for removable media>:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s f:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s g:\RECYCLER\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s z:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s b:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s c:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s y:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s u:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s w:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s x:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s <Drive name for removable media>:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s i:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s j:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s k:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s h:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s e:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s f:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s g:\autorun.inf
  • <SYSTEM32>\attrib.exe +h +s t:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s i:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s j:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s k:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s h:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s <Drive name for removable media>:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s f:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s g:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s l:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s q:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s r:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s s:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s p:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s m:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s n:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
  • <SYSTEM32>\attrib.exe +h +s o:\$Recycle.Bin\S-1-5-21-025355055-1509082252-785663309-1850\RecyBin.exe
Modifies file system:
Creates the following files:
  • %WINDIR%\systemdll32.dll
  • %WINDIR%\systemdll.dll
  • %TEMP%\1.tmp\batavbs.bat
  • <SYSTEM32>\RecyBin.exe
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: ''