Win32.HLLM.Reset.195

Added to the Dr.Web virus database: 2011-12-19

Description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MhrHcrji' = '<LS_APPDATA>\ebaurodr\mhrhcrji.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\ebaurodr\mhrhcrji.exe'
Creates or modifies the following files:
  • %HOMEPATH%\Start Menu\Programs\Startup\mhrhcrji.exe
Malicious functions:
Creates and executes the following:
  • %TEMP%\empchqloliakgweu.exe 
Executes the following:
  • <SYSTEM32>\svchost.exe
Hooks the following functions in System Service Descriptor Table (SSDT):
  • NtOpenKey, handler: tssofofu.sys
  • NtCreateKey, handler: tssofofu.sys
Modifies file system:
Creates the following files:
  • %TEMP%\tssofofu.sys
  • %WINDIR%\Temp\6decd52f
  • %WINDIR%\Temp\7fffffb1
  • %TEMP%\empchqloliakgweu.exe
  • <LS_APPDATA>\niuydqre.log
  • <LS_APPDATA>\ebaurodr\mhrhcrji.exe
Sets the 'hidden' attribute to the following files:
  • %HOMEPATH%\Start Menu\Programs\Startup\mhrhcrji.exe
Deletes the following files:
  • %TEMP%\tssofofu.sys
Network activity:
Connects to:
  • 'dm####gohwwatl.com':443
  • 'qg###bnqcf.com':443
  • 'ft####refryk.com':443
  • '74.##5.232.51':80
  • 'sa###rbog.com':443
UDP:
  • DNS ASK xv#####qsvcewsucufs.com
  • DNS ASK wl####ojtlqel.com
  • DNS ASK iv#####bphorlmxte.com
  • DNS ASK ok###xbrlvk.com
  • DNS ASK xm###dyv.com
  • DNS ASK kc#####tokjlwfem.com
  • DNS ASK ar###clm.com
  • DNS ASK mh#####gntxllkxy.com
  • DNS ASK yc####buxcskmm.com
  • DNS ASK ug###offlqt.com
  • DNS ASK ka#####tgbuucwgf.com
  • DNS ASK gu#####eerlwcgcum.com
  • DNS ASK lm#####vpshugyuqya.com
  • DNS ASK rc###tpqwxx.com
  • DNS ASK em#####gcdnmktadl.com
  • DNS ASK yy#####tpknfghmm.com
  • DNS ASK oq###qesdbg.com
  • DNS ASK sa###rbog.com
  • DNS ASK fa###iqcblu.com
  • DNS ASK um#####gnygoutfv.com
  • DNS ASK hq#####jpjeerrmqrd.com
  • DNS ASK ft####refryk.com
  • DNS ASK dm####gohwwatl.com
  • DNS ASK qg###bnqcf.com
  • DNS ASK ke###gbek.com
  • DNS ASK mq#####ckkbwgihlbwm.com
  • DNS ASK jk####jmaucfbd.com
  • DNS ASK google.com
  • DNS ASK pv###kio.com
  • DNS ASK re####idmcrxbnd.com
  • DNS ASK wu#####rsrnhmtrv.com
  • '<Private IP address>':1041
  • '<Private IP address>':1035
  • '<Private IP address>':1040
  • '<Private IP address>':1043
  • '<Private IP address>':1039
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: ''