JavaScript support is required for our site to be fully operational in your browser.
Win32.HLLM.Reset.112
Added to the Dr.Web virus database:
2010-10-30
Virus description added:
2014-07-18
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,%PROGRAM_FILES%\microsoft\desktoplayer.exe'
Infects the following executable files:
C:\Far2\Plugins\WinSCP\WinSCP.dll
C:\Far2\Plugins\FTP\FarFtp.dll
%CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL
%CommonProgramFiles%\Microsoft Shared\VC\msdia80.dll
C:\Far2\FExcept\ExcDump.dll
C:\Far2\FExcept\demangle32.dll
C:\Far2\Plugins\Colorer\bin\colorer.dll
C:\Far2\Plugins\7-Zip\7-ZipFar.dll
Malicious functions:
Creates and executes the following:
'%PROGRAM_FILES%\Microsoft\DesktopLayer.exe'
Executes the following:
Injects code into
the following system processes:
a large number of user processes.
Modifies file system :
Creates the following files:
<SYSTEM32>\dmlconf.dat
%PROGRAM_FILES%\Microsoft\DesktopLayer.exe
Network activity:
Connects to:
'po##wo.com':443
'74.##5.232.51':80
UDP:
DNS ASK po##wo.com
DNS ASK google.com
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK