My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2015-12-17

Virus description added:

Technical Information

Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Executes the following:
  • '<SYSTEM32>\net1.exe' stop security center
  • '<SYSTEM32>\net1.exe' stop WinDefend
  • '<SYSTEM32>\net.exe' stop WinDefend
  • '<SYSTEM32>\netsh.exe' firewall set opmode disable
  • '<SYSTEM32>\net.exe' stop security center
Searches for windows to
detect analytical utilities:
  • ClassName: 'RegMonClass' WindowName: ''
  • ClassName: 'FileMonClass' WindowName: ''
Modifies file system :
Creates the following files:
  • %TEMP%\~DF7211.tmp
Searches for the following windows:
  • ClassName: 'Shell_TrayWnd' WindowName: ''
The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124