Win32.HLLW.Autoruner1.51122
Added to the Dr.Web virus database:
2013-07-06
Virus description added:
2013-07-21
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon' = 'c:\53027861.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,53027861.exe'
Creates the following files on removable media:
<Drive name for removable media>:\autorun.inf
Malicious functions:
Executes the following:
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe o:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe n:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe m:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe p:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe s:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe r:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe q:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe l:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe g:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe f:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe e:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe h:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe k:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe j:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe i:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe t:\
'<SYSTEM32>\attrib.exe' +h +s +a %WINDIR%\system\autorun.inf
'<SYSTEM32>\attrib.exe' +h +s +a %WINDIR%\system\53027861.exe
'<SYSTEM32>\attrib.exe' +h +s +a z:\autorun.inf
'%WINDIR%\regedit.exe' /s .\hjw.reg
'<SYSTEM32>\net1.exe' user %USERNAME% "qq149116149"
'%WINDIR%\regedit.exe' /s .\hjw2.reg
'%WINDIR%\regedit.exe' /s .\hjw1.reg
'<SYSTEM32>\attrib.exe' +h +s +a e:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe w:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe v:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe u:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe x:\
'<SYSTEM32>\attrib.exe' +h +s +a c:\autorun.inf
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe z:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe y:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe <Drive name for removable media>:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf g:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf f:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf e:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf h:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf k:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf j:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf i:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf <Drive name for removable media>:\
'%WINDIR%\explorer.exe' \
'<SYSTEM32>\cmd.exe' /c ""<Current directory>\autorun.BAT" "
'<SYSTEM32>\wscript.exe' "<Current directory>\shell.vbs"
'<SYSTEM32>\xcopy.exe' /h /y /r /k .\53027861.exe %WINDIR%\system\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf c:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k %WINDIR%\system\53027861.exe .\
'<SYSTEM32>\xcopy.exe' /h /y /r /k .\autorun.inf %WINDIR%\system\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf l:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf w:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf v:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf u:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf x:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k 53027861.exe c:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf z:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf y:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf t:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf o:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf n:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf m:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf p:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf s:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf r:\
'<SYSTEM32>\xcopy.exe' /h /y /r /k autorun.inf q:\
Forces autoplay for removable media.
Modifies file system:
Creates the following files:
<Current directory>\hjw.reg
C:\autorun.inf
<Current directory>\hjw2.reg
<Current directory>\hjw1.reg
<Current directory>\autorun.inf
<Current directory>\autorun.bat
%WINDIR%\system\autorun.inf
<Current directory>\shell.vbs
Sets the 'hidden' attribute to the following files:
C:\autorun.inf
<Drive name for removable media>:\autorun.inf
%WINDIR%\system\autorun.inf
<Current directory>\autorun.bat
<Current directory>\autorun.inf
<Current directory>\shell.vbs
Deletes the following files:
<Current directory>\hjw2.reg
<Current directory>\shell.vbs
<Current directory>\hjw.reg
<Current directory>\hjw1.reg
Miscellaneous:
Searches for the following windows:
ClassName: '' WindowName: '(null)'
ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
ClassName: 'EDIT' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'