Win32.HLLW.Autoruner2.56830
Added to the Dr.Web virus database:
2019-08-12
Description added:
2019-08-14
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE] 'Debugger' = 'D:\RECYCLER\????8.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'D:\RECYCLER\????8.exe'
Creates or modifies the following files
%WINDIR%\tasks\at1.job
%WINDIR%\tasks\at2.job
%WINDIR%\tasks\at3.job
%WINDIR%\tasks\at4.job
%WINDIR%\tasks\at5.job
%WINDIR%\tasks\at6.job
Creates the following files on removable media
<Drive name for removable media>:\recyclep\pagefile.exe
<Drive name for removable media>:\autorun.inf
Malicious functions
To complicate detection of its presence in the operating system,
forces the system to hide from view:
hidden files
file extensions
blocks execution of the following system utilities:
modifies the following system settings:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'DisallowRun' = '00000001'
Executes the following
'<SYSTEM32>\at.exe' 9:23:08 PM %WINDIR%\Help\HelpCat.exe
'<SYSTEM32>\net.exe' stop wscsvc /y
'<SYSTEM32>\net.exe' stop wuauserv /y
'<SYSTEM32>\net.exe' stop sharedaccess /y
'<SYSTEM32>\at.exe' 9:22:10 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\net.exe' stop srservice /y
'<SYSTEM32>\at.exe' 9:25:10 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\net.exe' stop 360timeprot /y
'<SYSTEM32>\at.exe' 9:23:18 PM %WINDIR%\Help\HelpCat.exe
'<SYSTEM32>\at.exe' 9:25:20 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\at.exe' 9:22:20 PM %WINDIR%\Sysinf.bat
Modifies file system
Creates the following files
C:\users\clouds~1\appdata\local\temp\lixbkh.exe
<SYSTEM32>\option.bat
C:\ntldr~6
C:\ntldr~8
%WINDIR%\system\kavupda.exe
%WINDIR%\help\helpcat.exe
%WINDIR%\sysinf.bat
%WINDIR%\regedt32.sys
C:\users\clouds~1\appdata\local\temp\lixbkh~4.exe
D:\recyclep\pagefile.exe
D:\autorun.inf
C:\recyclep\pagefile.exe
C:\autorun.inf
Sets the 'hidden' attribute to the following files
<Drive name for removable media>:\recyclep\pagefile.exe
<Drive name for removable media>:\autorun.inf
C:\users\clouds~1\appdata\local\temp\lixbkh~4.exe
D:\recyclep\pagefile.exe
D:\autorun.inf
C:\recyclep\pagefile.exe
C:\autorun.inf
Deletes the following files
%WINDIR%\regedt32.sys
<Drive name for removable media>:\autorun.inf
D:\autorun.inf
C:\autorun.inf
Substitutes the following files
%WINDIR%\regedt32.sys
<Drive name for removable media>:\autorun.inf
D:\autorun.inf
C:\autorun.inf
Miscellaneous
Searches for the following windows
ClassName: 'EDIT' WindowName: ''
ClassName: 'RegEdit_RegEdit' WindowName: ''
Creates and executes the following
'C:\users\clouds~1\appdata\local\temp\lixbkh.exe'
'C:\users\clouds~1\appdata\local\temp\lixbkh~4.exe'
'%WINDIR%\system\kavupda.exe'
'<SYSTEM32>\cmd.exe' /c rmdir D:\Autorun.inf /s /q' (with hidden window)
'<SYSTEM32>\cmd.exe' /c attrib -s -h -r D:\Autorun.inf\*.* /s /d' (with hidden window)
'<SYSTEM32>\cmd.exe' /c rmdir <Drive name for removable media>:\Autorun.inf /s /q' (with hidden window)
'<SYSTEM32>\cmd.exe' /c attrib -s -h -r <Drive name for removable media>:\Autorun.inf\*.* /s /d' (with hidden window)
'<SYSTEM32>\cmd.exe' /c at 9:25:20 PM %WINDIR%\Sysinf.bat' (with hidden window)
'<SYSTEM32>\at.exe' 9:23:18 PM %WINDIR%\Help\HelpCat.exe' (with hidden window)
'<SYSTEM32>\cmd.exe' /c at 9:22:20 PM %WINDIR%\Sysinf.bat' (with hidden window)
'%WINDIR%\system\kavupda.exe' ' (with hidden window)
'<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f' (with hidden window)
'<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c rmdir C:\Autorun.inf /s /q' (with hidden window)
'%WINDIR%\regedit.exe' /s %WINDIR%\regedt32.sys' (with hidden window)
'<SYSTEM32>\sc.exe' config wscsvc start= disabled' (with hidden window)
'<SYSTEM32>\sc.exe' config srservice start= disabled' (with hidden window)
'<SYSTEM32>\net.exe' stop 360timeprot /y' (with hidden window)
'<SYSTEM32>\net.exe' stop srservice /y' (with hidden window)
'<SYSTEM32>\net.exe' stop sharedaccess /y' (with hidden window)
'<SYSTEM32>\net.exe' stop wuauserv /y' (with hidden window)
'<SYSTEM32>\net.exe' stop wscsvc /y' (with hidden window)
'<SYSTEM32>\cmd.exe' /c at 9:25:10 PM %WINDIR%\Sysinf.bat' (with hidden window)
'<SYSTEM32>\cmd.exe' /c at 9:22:10 PM %WINDIR%\Sysinf.bat' (with hidden window)
'<SYSTEM32>\at.exe' 9:23:08 PM %WINDIR%\Help\HelpCat.exe' (with hidden window)
'<SYSTEM32>\net.exe' start schedule /y' (with hidden window)
'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\Option.bat' (with hidden window)
'<SYSTEM32>\sc.exe' config SharedAccess start= disabled' (with hidden window)
'<SYSTEM32>\cmd.exe' /c attrib -s -h -r C:\Autorun.inf\*.* /s /d' (with hidden window)
Executes the following
'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\Option.bat
'<SYSTEM32>\cmd.exe' /c rmdir C:\Autorun.inf /s /q
'<SYSTEM32>\attrib.exe' -s -h -r D:\Autorun.inf\*.* /s /d
'<SYSTEM32>\cmd.exe' /c rmdir D:\Autorun.inf /s /q
'<SYSTEM32>\cmd.exe' /c attrib -s -h -r D:\Autorun.inf\*.* /s /d
'<SYSTEM32>\attrib.exe' -s -h -r <Drive name for removable media>:\Autorun.inf\*.* /s /d
'<SYSTEM32>\cmd.exe' /c rmdir <Drive name for removable media>:\Autorun.inf /s /q
'<SYSTEM32>\cmd.exe' /c attrib -s -h -r <Drive name for removable media>:\Autorun.inf\*.* /s /d
'<SYSTEM32>\cmd.exe' /c at 9:25:20 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\cmd.exe' /c at 9:22:20 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
'<SYSTEM32>\reg.exe' delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
'<SYSTEM32>\cmd.exe' /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
'%WINDIR%\regedit.exe' /s %WINDIR%\regedt32.sys
'<SYSTEM32>\sc.exe' config SharedAccess start= disabled
'<SYSTEM32>\net1.exe' stop srservice /y
'<SYSTEM32>\sc.exe' config wscsvc start= disabled
'<SYSTEM32>\net1.exe' stop wuauserv /y
'<SYSTEM32>\net1.exe' stop sharedaccess /y
'<SYSTEM32>\sc.exe' config srservice start= disabled
'<SYSTEM32>\net1.exe' stop wscsvc /y
'<SYSTEM32>\cmd.exe' /c at 9:25:10 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\cmd.exe' /c at 9:22:10 PM %WINDIR%\Sysinf.bat
'<SYSTEM32>\net1.exe' start schedule /y
'<SYSTEM32>\net.exe' start schedule /y
'<SYSTEM32>\net1.exe' stop 360timeprot /y
'<SYSTEM32>\attrib.exe' -s -h -r C:\Autorun.inf\*.* /s /d