Win32.HLLW.Autoruner.13304
Added to the Dr.Web virus database: 2010-01-22
Virus description added: 2014-07-19
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\РЮёґ№¤ѕЯ.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe] 'Debugger' = 'ntsd -d'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe] 'Debugger' = 'ntsd -d'
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\AppMgmt] 'Start' = '00000002'
Changes the following executable system files:
Infects the following executable files:
%PROGRAM_FILES%\FireFox\xpcshell.exe
%PROGRAM_FILES%\FireFox\updater.exe
%PROGRAM_FILES%\FireFox\uninstall\helper.exe
%PROGRAM_FILES%\FireFox\xpidl.exe
<Auxiliary element>
%PROGRAM_FILES%\FireFox\xpt_link.exe
%PROGRAM_FILES%\FireFox\xpt_dump.exe
%PROGRAM_FILES%\FireFox\shlibsign.exe
%PROGRAM_FILES%\FireFox\firefox.exe
%PROGRAM_FILES%\FireFox\crashreporter.exe
C:\Far2\Far.exe
%PROGRAM_FILES%\FireFox\js.exe
%PROGRAM_FILES%\FireFox\plugin-container.exe
%PROGRAM_FILES%\FireFox\nsinstall.exe
%PROGRAM_FILES%\FireFox\mangle.exe
Malicious functions:
Executes the following:
'%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://tj.###1001.net:7777/tj/mac.html
Modifies file system:
Creates the following files:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89UNC1QB\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E502XZIO\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KLMJ4LEN\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0ZO0MFVT\desktop.ini
<SYSTEM32>\c_30110.nls
%WINDIR%\Temp\wowsub.sys
C:\DelInfo.bin
C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
<SYSTEM32>\cryptcom.dll
Sets the 'hidden' attribute to the following files:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0ZO0MFVT\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KLMJ4LEN\desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89UNC1QB\desktop.ini
C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E502XZIO\desktop.ini
Deletes the following files:
%WINDIR%\Temp\wowsub.sys
C:\DelInfo.bin
Modifies the HOSTS file.
Deletes itself.
Network activity:
Connects to:
UDP: