Win32.HLLW.Autoruner.61264
Added to the Dr.Web virus database:
2011-10-02
Virus description added:
2011-10-02
Technical Information
Malicious functions:
Creates and executes the following:
%WINDIR%\disk4.exe (downloaded from the Internet)
%WINDIR%\disk5.exe (downloaded from the Internet)
%WINDIR%\disk3.exe (downloaded from the Internet)
%WINDIR%\disk1.exe (downloaded from the Internet)
%WINDIR%\disk2.exe (downloaded from the Internet)
Modifies file system:
Creates the following files:
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\kwmusic_msnassistant[1].exe
%WINDIR%\disk3.exe
%WINDIR%\disk4.exe
%WINDIR%\disk5.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\wl0419152[1].exe
%WINDIR%\disk1.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\zz623[1].exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\t086[1].wko
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\coopen_setup_100180[1].exe
%WINDIR%\disk2.exe
Network activity:
Connects to:
'do####ad.coopen.cn':80
'do##.kuwo.cn':80
'do##.emoney.cn':80
'localhost':1034
'd.###sanguo.com':80
'www.xu###i100.com':80
TCP:
HTTP GET requests:
do##.kuwo.cn/mbox/kwmusic_msnassistant.exe
do##.emoney.cn/wl0419152.exe
do####ad.coopen.cn/setup/v5/coopen_setup_100180.exe
d.###sanguo.com/623/zz623.exe
www.xu###i100.com/msn/software/partner/dwq0617/t086.wko
UDP:
DNS ASK do####ad.coopen.cn
DNS ASK do##.kuwo.cn
DNS ASK do##.emoney.cn
DNS ASK d.###sanguo.com
DNS ASK www.xu###i100.com
'<Private IP address>':1035