Win32.HLLP.Zakk
(Win32/Delf.AM, Backdoor.Win32.Delf.qw, Backdoor.Delf.NL, BackDoor.Generic.SIF, W32/HLLP.Zakk.b, BDS/Delf.NL.2, Trojan:Win32/Sisron, W32.Zakk, BDS/Delf.HQ, Backdoor.Win32.Delf.hq, W32/Backdoor.EZT, Virus.Win32.Zakk.a, BKDR_DELF.NP, Parser error, Virus.Win32.HLLP.Zakk.a, PE_Generic, Backdoor.Generic.32723, BDS/Delf.anw.1, TR/Dldr.Delphi.Gen2, Backdoor:Win32/Delf, BehavesLike:Trojan.RegistryDisabler, Win32/MySoft.B, BackDoor.Delf.15.J, Win32/Delf.BL, Win32/Zakk.A)
Added to the Dr.Web virus database:
2004-12-09
Description added:
2006-02-01
Virus Type:
Virus-parasite
Affected OS: Win95/98/Me/NT/2000/XP
Size: 758 784 bytes
Packed by: No
Technical Information
A file-infecting virus that parasitizes executable files with the .exe extension.
Creates a copy of itself named svshost.exe in the system folder (C:\%WinDir%\SYSTEM32 on Windows NT/2000/XP, C:\%WinDir%\SYSTEM on Windows 9x/Me).
To ensure that it runs again after Windows restarts, the virus registers itself under the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft = "C:\WINDOWS\System32\svshost.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command
@= "C:\WINDOWS\System32\svshost.exe "%1" %*"
Deletes the following values from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SKYNET Personal FireWall
iDuba Personal FireWall
iamapp
popproxy
RavMon
RavTimer
KVFW
On startup, the virus creates a hidden, disinfected copy of the infected file and launches it. To hide this copy from Explorer, the virus modifies values under the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Blocks the following applications from running:
pfw.exe
kvfw.exe
KAVPFW.EXE
iamapp.exe
nmain.exe
rfw.exe
freepp.EXE
freekav.EXE
freesys.EXE
Iparmor.exe
trojan_hunter.exe
If one of these applications is already running, the virus terminates it and deletes from disk both the application and the files in its folder.
The virus contains a backdoor and a keylogger.
System Recovery Recommendations
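As an added example that is not part of the Dr.Web description, the following PowerShell script audits the persistence, file-hiding and dropped-file locations listed above on a suspect host; it only reports and changes nothing. It assumes Windows PowerShell on an NT-family system (the 9x System folder is checked for completeness) and that the clean exefile command value is exactly "%1" %*, as the recovery steps on this page state.

```powershell
# Added example, not part of the original description: read-only audit of the
# registry keys and file path this description names. Run in an elevated
# PowerShell on the suspect host.

$findings = @()

# 1. The .exe file-association hijack. A clean default value is exactly: "%1" %*
$expected = '"%1" %*'
$cmdKey   = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd      = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($null -eq $cmd) {
    $findings += "exefile\shell\open\command: default value missing"
} elseif ($cmd -ne $expected) {
    $findings += "exefile\shell\open\command hijacked: $cmd"
}

# 2. The Run value the virus adds under HKCU (value name "Microsoft").
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft']) {
    $findings += "HKCU Run value 'Microsoft' present: $($run.Microsoft)"
}

# 3. The dropped copy in the system folder (System32 on NT-family, System on 9x/Me).
foreach ($dir in @('System32', 'System')) {
    $p = Join-Path $env:WINDIR "$dir\svshost.exe"
    if (Test-Path $p) { $findings += "dropped file present: $p" }
}

# 4. The Explorer 'Hidden' folder-option keys the virus modifies. The page does not
#    say which values it changes, so dump them for comparison with a clean system.
$hiddenBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
foreach ($sub in @('NOHIDDEN', 'SHOWALL')) {
    $k = Join-Path $hiddenBase $sub
    if (-not (Test-Path $k)) { $findings += "Explorer folder-option key missing: $sub"; continue }
    $vals = Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS*
    "Review $sub values: " + (($vals.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ')
}

if ($findings.Count -eq 0) { "No Win32.HLLP.Zakk indicators found." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any FINDING line means the host should be treated as infected and cleaned with the recovery steps below rather than by hand-editing the keys one at a time.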
a. In Safe Mode, scan the system with the Dr.Web CureIt! antivirus utility from a write-protected disk.
Apply the "Cure" action to all infected files.
b.
1. Restore the value of the HKEY_CLASSES_ROOT\exefile\shell\open\command key to the standard "%1" %*.
2. Export the resulting registry key to a registry file.
3. Reboot the computer in Normal Mode.
4. Import the registry file.
5. Reboot the computer in Normal Mode.