PER UTENTI

La mia libreria

+ Aggiungi alla libreria

Ricerca

Supporto 24/7 | Regole per contattare

Scrivi

Una richiesta attraverso il modulo

Chiama

+7 (495) 789-45-86

Forum

Richieste

Tutte: -
Non chiuse: -
Ultima: -

Crea nuova richiesta

Chiama

+7 (495) 789-45-86

IT

RU CN DE EN ES FR IT JP KZ UZ PL BY

Dr.Web vxCube

Versione di prova

Entra nell'analizzatore

Perizia di incidenti informatici legati ai virus

Libreria dei virus

Base di conoscenza

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Falsi miti sugli antivirus

Win32.HLLM.Reset.479

Aggiunto al database dei virus Dr.Web: 2015-09-14

La descrizione è stata aggiunta: 2016-10-09

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\jwaroevi\rarexsdb.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RarExsdb' = '<LS_APPDATA>\jwaroevi\rarexsdb.exe'

Creates or modifies the following files:

%HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Update
Windows Security Center

blocks the following features:

User Account Control (UAC)
Windows Security Center

Creates and executes the following:

'%TEMP%\byjjjqlf.exe'

Executes the following:

'<SYSTEM32>\svchost.exe'
'%TEMP%\byjjjqlf.exe'

Injects code into

the following system processes:

<SYSTEM32>\svchost.exe

Modifies file system:

Creates the following files:

%TEMP%\nst5.tmp
%TEMP%\nsl6.tmp\System.dll
%TEMP%\nsj3.tmp\System.dll
%TEMP%\byjjjqlf.exe
%ALLUSERSPROFILE%\Application Data\ybfcuwpc.log
<LS_APPDATA>\lawhwilb.log
%TEMP%\ifqydaby.exe
<LS_APPDATA>\jwaroevi\rarexsdb.exe
%TEMP%\UYsBy2yd.FMNp
%TEMP%\xalan-c
%TEMP%\ie6hacks.css
%TEMP%\nsh2.tmp
%TEMP%\embed1419049949.json
%TEMP%\content_5356147.htm891597031.html
%TEMP%\HnJEzYhDZZtfQF6V.m5
%TEMP%\method-servers.jpg
%TEMP%\common.js1903970752.javascript

Sets the 'hidden' attribute to the following files:

%HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe

Network activity:

Connects to:

'de####sasaui.com':443
'vl###lsilgr.com':443
've#####lerqplclarbp.com':443
'vr####txftvpfo.com':443
'gq#####pwgrhxolkhl.com':443
'yl#####kvglamfre.com':443
'nw#####shbwbgdfal.com':443
'ce########ionforinfinitylifeexp.com':443
'74.##5.232.51':80
'hx#####hmnxipiqvi.com':443
'hg####hhebpmkm.com':443
'pl###yms.com':443

UDP:

DNS ASK vr####txftvpfo.com
DNS ASK nb####aairlbtvd.com
DNS ASK yl#####kvglamfre.com
DNS ASK gq#####pwgrhxolkhl.com
DNS ASK xo#####iyerfklhbd.com
DNS ASK yu###wanvky.com
DNS ASK nk####tvubwvp.com
DNS ASK xc#####ywbildnhpg.com
DNS ASK de####sasaui.com
DNS ASK nw#####shbwbgdfal.com
DNS ASK pl###yms.com
DNS ASK google.com
DNS ASK ce########ionforinfinitylifeexp.com
DNS ASK ve#####lerqplclarbp.com
DNS ASK vl###lsilgr.com
DNS ASK hg####hhebpmkm.com
DNS ASK hx#####hmnxipiqvi.com