JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner1.54187
Added to the Dr.Web virus database:
2013-08-19
Virus description added:
2013-08-25
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccRegVfy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchUI.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPlus.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KULANSyn.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPopMon.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvc.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfw.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTIMER.EXE] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavPFW.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DSMain.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe] 'Debugger' = 'ntsd -d'
Creates or modifies the following files:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\.lnk
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\aec] 'ImagePath' = '<DRIVERS>\BGS.sys'
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
Creates and executes the following:
Modifies file system :
Creates the following files:
<SYSTEM32>\.dll
%HOMEPATH%\Desktop\Internet Explorer.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
%PROGRAM_FILES%\mos.exe
C:\sss1.sys
<DRIVERS>\BGS.sys
<SYSTEM32>\wuauolt.exe
Sets the 'hidden' attribute to the following files:
<SYSTEM32>\wuauolt.exe
<SYSTEM32>\.dll
%PROGRAM_FILES%\mos.exe
Deletes the following files:
<DRIVERS>\etc\hosts
<DRIVERS>\BGS.sys
C:\sss1.sys
Substitutes the HOSTS file.
Network activity:
Connects to:
'74.##5.232.51':80
'12#.#25.114.144':80
UDP:
DNS ASK www.google.com
DNS ASK www.ba##u.com
Miscellaneous:
Searches for the following windows:
ClassName: 'SysListView32' WindowName: '(null)'
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK