Win32.HLLW.Autoruner1.34629
Added to the Dr.Web virus database:
2013-03-29
Virus description added:
2013-04-09
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Locator Workstation Human Socket Support' = '<SYSTEM32>\dnfssubozwyv.exe'
Creates or modifies the following files:
%HOMEPATH%\Start Menu\Programs\Startup\dnfssubozwyv.exe
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\Mapper Event Visual Socket] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
Creates and executes the following:
<SYSTEM32>\qhajemcetf.exe "<SYSTEM32>\dnfssubozwyv.exe"
%WINDIR%\Temp\fpwotd2uhork.exe -r 32677 tcp
%TEMP%\fpwotd2sjsrb2gu59u.exe
<SYSTEM32>\dnfssubozwyv.exe
Modifies file system:
Creates the following files:
<SYSTEM32>\qaxgzkw\run
<SYSTEM32>\qaxgzkw\rng
<SYSTEM32>\qaxgzkw\cfg
<SYSTEM32>\qaxgzkw\por
%WINDIR%\Temp\fpwotd2uhork.exe
%TEMP%\fpwotd2sjsrb2gu59u.exe
<SYSTEM32>\qaxgzkw\tst
<SYSTEM32>\qaxgzkw\etc
<SYSTEM32>\qhajemcetf.exe
<SYSTEM32>\dnfssubozwyv.exe
Sets the 'hidden' attribute to the following files:
<SYSTEM32>\qhajemcetf.exe
<SYSTEM32>\dnfssubozwyv.exe
Deletes the following files:
%WINDIR%\Temp\fpwotd2uhork.exe
%TEMP%\fpwotd2sjsrb2gu59u.exe
<DRIVERS>\etc\hosts
Substitutes the HOSTS file.
Network activity:
Connects to:
'ji####herenow.net':80
'el#####arimagine.net':80
'sp###aguga.net':80
'ja###uter.net':80
'go#####everytime.net':80
'en#####paintshop.net':80
'ji####herenow.com':80
'el#####arimagine.com':80
'sp###aguga.com':80
'ja###uter.com':80
'go#####everytime.com':80
'en#####paintshop.com':80
TCP:
HTTP GET requests:
ji####herenow.net/forum/search.php?me########################################
el#####arimagine.net/forum/search.php?me########################################
sp###aguga.net/forum/search.php?me########################################
ja###uter.net/forum/search.php?me########################################
go#####everytime.net/forum/search.php?me########################################
en#####paintshop.net/forum/search.php?me########################################
ji####herenow.com/forum/search.php?me########################################
el#####arimagine.com/forum/search.php?me########################################
sp###aguga.com/forum/search.php?me########################################
ja###uter.com/forum/search.php?me########################################
go#####everytime.com/forum/search.php?me########################################
en#####paintshop.com/forum/search.php?me########################################
UDP:
DNS ASK ji####herenow.net
DNS ASK el#####arimagine.net
DNS ASK sp###aguga.net
DNS ASK ja###uter.net
DNS ASK go#####everytime.net
DNS ASK en#####paintshop.net
DNS ASK ja###uter.com
DNS ASK el#####arimagine.com
DNS ASK sp###aguga.com
DNS ASK ji####herenow.com
DNS ASK go#####everytime.com
DNS ASK en#####paintshop.com
'23#.#55.255.250':1900
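Host-based triage for the indicators above, written as an added example for this entry (it is not Dr.Web's code and not part of the sample). It matches simple rules over a handful of constructed Sysmon-style event records and over a constructed HOSTS file; the event dictionary layout, the field names, the drive paths and the hostname `c2.example.invalid` are assumptions made for illustration. The indicator values themselves (the Run value name, the startup-folder file name, the service name, the dropped executable names, the `-r <port> tcp` command line and the `/forum/search.php?me` URI prefix) are taken from the entry; the masked domain names are not reconstructed.

```python
"""Rule-based triage for the Win32.HLLW.Autoruner1.34629 indicators.

Added example, not from the Dr.Web entry. Event layout and sample values
are constructed for illustration; indicator strings come from the entry.
"""
import ntpath
import re

# Indicators copied from the entry.
RUN_VALUE_NAME = "Locator Workstation Human Socket Support"
SERVICE_NAME = "Mapper Event Visual Socket"
DROPPED_EXES = {
    "dnfssubozwyv.exe", "qhajemcetf.exe",          # hidden copies in <SYSTEM32>
    "fpwotd2uhork.exe", "fpwotd2sjsrb2gu59u.exe",  # temp helpers, deleted after use
}
# fpwotd2uhork.exe -r 32677 tcp : helper started with a TCP port argument
PORT_CMD_RE = re.compile(r"\s-r\s+(\d{1,5})\s+tcp\b", re.IGNORECASE)
# every observed beacon is GET /forum/search.php?me...
BEACON_PATH_RE = re.compile(r"/forum/search\.php\?me", re.IGNORECASE)

# Stock HOSTS content; anything else is reported because the sample
# replaces the HOSTS file.
DEFAULT_HOSTS_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def triage(event):
    """Return a list of (rule, detail) hits for one event dict, [] if clean."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        if event["key"].lower().endswith(r"\currentversion\run") and (
            event["value"] == RUN_VALUE_NAME or _base(event["data"]) in DROPPED_EXES
        ):
            hits.append(("run_key_persistence", f"{event['value']} = {event['data']}"))
    elif kind == "file_create":
        path = event["path"]
        if _base(path) in DROPPED_EXES:
            in_startup = "\\start menu\\programs\\startup\\" in path.lower()
            hits.append(("startup_folder_dropper" if in_startup else "dropped_binary", path))
    elif kind == "service_install":
        if event["name"] == SERVICE_NAME:
            hits.append(("service_persistence", event["name"]))
    elif kind == "process_create":
        m = PORT_CMD_RE.search(event["command_line"])
        if m:
            hits.append(("port_forward_helper", f"tcp/{m.group(1)}"))
        if _base(event["image"]) in DROPPED_EXES:
            hits.append(("dropped_binary_executed", event["image"]))
    elif kind == "http_request":
        if BEACON_PATH_RE.search(event["uri"]):
            hits.append(("beacon_uri", f"{event['host']}{event['uri']}"))
    return hits


def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs in a HOSTS file that are not the stock entries."""
    out = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        out.extend((ip, n) for n in names if (ip, n.lower()) not in DEFAULT_HOSTS_ENTRIES)
    return out


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": RUN_VALUE_NAME, "data": r"C:\Windows\System32\dnfssubozwyv.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\Start Menu\Programs\Startup\dnfssubozwyv.exe"},
    {"type": "service_install", "name": SERVICE_NAME, "start": 2},
    {"type": "process_create", "image": r"C:\Windows\Temp\fpwotd2uhork.exe",
     "command_line": r'"C:\Windows\Temp\fpwotd2uhork.exe" -r 32677 tcp'},
    {"type": "process_create", "image": r"C:\Windows\System32\qhajemcetf.exe",
     "command_line": r'C:\Windows\System32\qhajemcetf.exe "C:\Windows\System32\dnfssubozwyv.exe"'},
    {"type": "http_request", "host": "c2.example.invalid",   # hypothetical host
     "uri": "/forum/search.php?me=0123456789abcdef"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},                # benign control
]

SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
::1       localhost
127.0.0.1 www.example-av-vendor.invalid
"""


def run_sample():
    """Apply the rules to the constructed data; returns (event_hits, hosts_hits)."""
    event_hits = [(i, hit) for i, ev in enumerate(SAMPLE_EVENTS) for hit in triage(ev)]
    return event_hits, suspicious_hosts_entries(SAMPLE_HOSTS)


if __name__ == "__main__":
    hits, hosts = run_sample()
    for i, (rule, detail) in hits:
        print(f"event {i}: {rule}: {detail}")
    for ip, name in hosts:
        print(f"hosts: {name} -> {ip}")
```

The rules are deliberately literal to the entry: the file names, value name and service name are as published, so a renamed variant would slip past them; the `-r <port> tcp` argument and the `/forum/search.php?me` path are the more durable behavioural matches.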