FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Win32.HLLW.Autoruner.10646

Added to the Dr.Web virus database: 2009-12-02

Virus description added: 2024-10-12

Technical Information

Malicious functions

Injects code into

the following system processes:

%WINDIR%\explorer.exe

Modifies file system

Creates the following files

%TEMP%\sfx.ini
C:\extracted\server.exe
C:\extracted\sex.avi
%APPDATA%\addon.dat

Deletes the following files

%TEMP%\sfx.ini

Network activity

Connects to

'redir.metaservices.microsoft.com':80
'onlinestores.metaservices.microsoft.com':80

TCP

HTTP GET requests

http://redir.metaservices.microsoft.com/redir/allservices/?sv################################################################################
http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv################################################################################
http://onlinestores.metaservices.microsoft.com/bing/bing.xml

UDP

DNS ASK redir.metaservices.microsoft.com
DNS ASK onlinestores.metaservices.microsoft.com

Miscellaneous

Searches for the following windows

ClassName: 'JFWUI2' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''

Creates and executes the following

'C:\extracted\server.exe'

Executes the following

'%ProgramFiles(x86)%\windows media player\wmplayer.exe' /Play -Embedding
'C:\extracted\server.exe' ' (with hidden window)