Win32.HLLW.Autoruner2.53432
Added to the Dr.Web virus database:
2019-07-26
Description added:
2019-07-29
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = 'ssmarque.scr'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\Software\Classes\VBSFile\Shell\Open\Command] '' = 'calc.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,drivers\system32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe, drivers\csrss.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'SystemRun' = 'drivers\csrss.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] '644r4' = '23-7-2019.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'FreeAV' = 'Fonts\user 23 - 7 - 2019\Gaara.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'DesertSand' = 'Fonts\user 23 - 7 - 2019\smss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'drivers\Kazekage.exe'
Changes the following executable system files
Creates the following files on removable media
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\user games\hokage-sampit (nothing).exe
<Drive name for removable media>:\gaara.exe
<Drive name for removable media>:\user games\readme.txt
<Drive name for removable media>:\user games\gaara games - naruto.exe
<Drive name for removable media>:\user games\naruto games.exe
<Drive name for removable media>:\user games\anbu team sampit (nothing).exe
<Drive name for removable media>:\user games\kazekage.exe
<Drive name for removable media>:\user games\kazekage vs hokage.exe
<Drive name for removable media>:\user games\gaara go to kazekage.exe
Malicious functions
To complicate detection of its presence in the operating system, forces the system to hide from view:
hidden files
file extensions
blocks execution of the following system utilities:
Registry Editor (RegEdit)
blocks the following features:
System Restore (SR)
User Account Control (UAC)
modifies the following system settings:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
Searches for windows to detect analytical utilities:
ClassName: 'PROCEXPL', WindowName: ''
Modifies settings of Windows Internet Explorer
[<HKCU>\Software\Microsoft\Internet Explorer\Main] 'Window Title' = '!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!'
Modifies file system
Creates the following files
%WINDIR%\fonts\the kazekage.jpg
C:\user games\kazekage vs hokage.exe
C:\user games\gaara go to kazekage.exe
D:\user games\kazekage.exe
C:\user games\kazekage.exe
D:\user games\anbu team sampit (nothing).exe
C:\user games\anbu team sampit (nothing).exe
D:\user games\naruto games.exe
C:\user games\naruto games.exe
D:\user games\gaara games - naruto.exe
C:\user games\gaara games - naruto.exe
%WINDIR%\mscomctl.ocx
D:\user games\readme.txt
D:\gaara.exe
D:\user games\hokage-sampit (nothing).exe
D:\autorun.inf
C:\user games\readme.txt
C:\gaara.exe
C:\user games\hokage-sampit (nothing).exe
C:\autorun.inf
<Current directory>\gaara the kazekage.exe
%WINDIR%\system\msvbvm60.dll
%WINDIR%\msvbvm60.dll
%WINDIR%\fonts\user 23 - 7 - 2019\msvbvm60.dll
<DRIVERS>\system32.exe
<DRIVERS>\kazekage.exe
<SYSTEM32>\23-7-2019.exe
%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe
%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe
%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe
D:\user games\kazekage vs hokage.exe
D:\user games\gaara go to kazekage.exe
Sets the 'hidden' attribute to the following files
C:\autorun.inf
C:\gaara.exe
D:\autorun.inf
D:\gaara.exe
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\gaara.exe
%WINDIR%\msvbvm60.dll
Network activity
UDP
DNS ASK 22#.###.0.0.in-addr.arpa
Miscellaneous
Searches for the following windows
ClassName: 'THUNDERRT6FORMDC' WindowName: ''
ClassName: 'SYMINTEGRATORWND' WindowName: ''
ClassName: 'CENTRALFRAME' WindowName: ''
ClassName: 'TMCAFEEVIRUSSCANCENTRAL' WindowName: ''
ClassName: 'NAI_VS_STAT' WindowName: ''
ClassName: 'VIRUSSCANCONSULEWINDOWSCLASS' WindowName: ''
ClassName: 'TMESSAGEFORM' WindowName: ''
ClassName: 'TFROM1' WindowName: ''
ClassName: 'TPANEL' WindowName: ''
ClassName: 'NAVAPWNDCLASS' WindowName: ''
ClassName: 'TAPPLICATION' WindowName: ''
ClassName: 'TXPTITLE' WindowName: ''
ClassName: 'TMAINFORM' WindowName: ''
ClassName: 'CONSOLEWINDOWCLASS' WindowName: ''
ClassName: 'ANSAV#2194' WindowName: ''
ClassName: 'HONEYKISSME' WindowName: ''
ClassName: 'THUNDERRT6USERCONTROL' WindowName: ''
ClassName: 'THUNDERRT6USERCONTROLDC' WindowName: ''
ClassName: 'THUNDERRT6FRAME' WindowName: ''
ClassName: 'TTFXPFORM' WindowName: ''
ClassName: 'SYM_CCWEBWINDOWS_CLASS' WindowName: ''
Creates and executes the following
'%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe'
'%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe'
'%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe'
'<DRIVERS>\kazekage.exe'
'<DRIVERS>\system32.exe'
'%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe' (with hidden window)
'%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe' (with hidden window)
'%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe' (with hidden window)
'<DRIVERS>\kazekage.exe' (with hidden window)
'<DRIVERS>\system32.exe' (with hidden window)
'<SYSTEM32>\ping.exe' -a -l www.ra####yang.com.my 65500 (with hidden window)
'<SYSTEM32>\ping.exe' -a -l www.du###sex.com 65500 (with hidden window)
Executes the following
'<SYSTEM32>\winmine.exe'
'<SYSTEM32>\ping.exe' -a -l www.ra####yang.com.my 65500
'<SYSTEM32>\ping.exe' -a -l www.du###sex.com 65500