Win32.HLLW.Autoruner1.24072
Added to the Dr.Web virus database:
2012-07-30
Description added:
2012-08-20
Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
<Drive name for removable media>:\qbje.pif
<Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\Ramadhan Crypter V1.2c.exe' = '%TEMP%\Ramadhan Crypter V1.2c.exe:*:Enabled:ipsec'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system, forces the system to hide it from view and blocks the following features:
User Account Control (UAC)
Windows Security Center
Creates and executes the following:
%TEMP%\Ramadhan Crypter V1.2c.exe
Injects code into a large number of user processes.
Modifies file system:
Creates the following files:
%TEMP%\winqaypbg.exe
%TEMP%\fluur.exe
%TEMP%\pdjw.exe
%TEMP%\winfschca.exe
%TEMP%\dtiwjp.exe
%TEMP%\hohto.exe
C:\ffywm.exe
<DRIVERS>\hfjnj.sys
%TEMP%\Ramadhan Crypter V1.2c.exe
%TEMP%\Ramadhan Crypter V1.2c.exe.nb5.tmp
C:\autorun.inf
%TEMP%\winyqwqdo.exe
%TEMP%\winpusxkc.exe
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\qbje.pif
C:\autorun.inf
C:\ffywm.exe
Deletes the following files:
%TEMP%\winqaypbg.exe
%TEMP%\fluur.exe
%TEMP%\hohto.exe
%TEMP%\winfschca.exe
%TEMP%\dtiwjp.exe
%TEMP%\pdjw.exe
%TEMP%\Ramadhan Crypter V1.2c.exe
%TEMP%\Ramadhan Crypter V1.2c.exe.nb5.tmp
<DRIVERS>\hfjnj.sys
%TEMP%\winyqwqdo.exe
%TEMP%\winpusxkc.exe
Network activity:
Connects to:
'www.sk######.#andomierz.opoka.org.pl':80
'si###ukil.com':80
'si####nholland.nl':80
'65.##0.68.134':80
'www.sn#.ac.th':80
'sm####ciates.org.in':80
TCP:
HTTP GET requests:
www.sk######.#andomierz.opoka.org.pl/images/logo.gif?52###########
si###ukil.com/images/logo.gif?52##########
si####nholland.nl/logos/logo.gif?52###########
65.##0.68.134/imgs/logo.gif?51##########
www.sn#.ac.th/img/logo.jpeg?51###########
sm####ciates.org.in/img/logo.gif?51###########
UDP:
DNS ASK si###ukil.com
DNS ASK si####nholland.nl
DNS ASK www.sk######.#andomierz.opoka.org.pl
DNS ASK www.sn#.ac.th
DNS ASK sm####ciates.org.in
Miscellaneous:
Searches for the following windows:
ClassName: 'Shell_TrayWnd' WindowName: ''