Для корректной работы нашего сайта необходимо включить поддержку JavaScript в вашем браузере.
Win32.HLLW.Autoruner1.53225
Добавлен в вирусную базу Dr.Web:
2013-08-08
Описание добавлено:
2013-08-08
Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoply.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fooool.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MDM.EXE] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kazme__gheyz.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegCool.EXE] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccApp.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAVRID.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdlite.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdswitch.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdoesrv.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RMSubs.dll] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartUpManager.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BIEInterface.dll] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Classes\inffile\shell\open\command] '' = 'RunDll32.exe powrprof.dll,SetSuspendState'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VVSN.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UdaterUI.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.EXE] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegMech.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'com\New Folder.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DiskExplorer.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessManager.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
Создает следующие файлы на съемном носителе:
<Имя диска съемного носителя>:\autorun.inf
<Имя диска съемного носителя>:\New Folder.exe
Вредоносные функции:
Для затруднения выявления своего присутствия в системе
блокирует отображение:
скрытых файлов
расширений файлов
Ищет следующие окна с целью
обнаружения утилит для анализа:
ClassName: '(null)' WindowName: 'process monitor - sysinternals: www.sysinternals.com'
ClassName: '(null)' WindowName: 'registry monitor - sysinternals: www.sysinternals.com'
ClassName: '(null)' WindowName: 'file monitor - sysinternals: www.sysinternals.com'
Без разрешения пользователя устанавливает новую стартовую страницу для Windows Internet Explorer.
Изменения в файловой системе:
Создает следующие файлы:
%PROGRAM_FILES%\Sexi .exe
<SYSTEM32>\Com\New Folder.exe
C:\autorun.inf
C:\New Folder.exe
<DRIVERS>\autorun.dll
<DRIVERS>\lsass
<DRIVERS>\lsass.dll
Присваивает атрибут 'скрытый' для следующих файлов:
C:\New Folder.exe
<Имя диска съемного носителя>:\New Folder.exe
<DRIVERS>\lsass
<DRIVERS>\autorun.dll
<DRIVERS>\lsass.dll
Другое:
Ищет следующие окна:
ClassName: '(null)' WindowName: 'avast! quick scanner'
ClassName: '(null)' WindowName: 'Registry toolkit'
ClassName: '(null)' WindowName: 'TuneUp StartUp Manager'
ClassName: '(null)' WindowName: 'AVG 7.1 Professional - Control Center'
ClassName: '(null)' WindowName: 'Shell Extension Test'
ClassName: '(null)' WindowName: 'avast! simple user interface'
ClassName: '(null)' WindowName: 'TuneUp Registry Editor'
ClassName: '(null)' WindowName: 'System Configuration'
ClassName: '(null)' WindowName: 'Windows Task Manager'
ClassName: '(null)' WindowName: 'Registry Editor'
ClassName: '(null)' WindowName: 'TuneUp Process Manager'
ClassName: '(null)' WindowName: 'Tuneup Disk Space Explorer'
ClassName: '(null)' WindowName: 'system32'
ClassName: '(null)' WindowName: 'BitDefender 9 Professional Plus'
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
ClassName: '(null)' WindowName: 'Player'
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... '
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
ClassName: '(null)' WindowName: 'Symantec AntiVirus'
ClassName: '(null)' WindowName: 'Kaspersky Anti-Virus Personal Pro Setup'
ClassName: '(null)' WindowName: 'eTrust EZ AntiVirus'
ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
ClassName: '(null)' WindowName: 'RegCool 3.1.0.5'
ClassName: '(null)' WindowName: 'regmon'
ClassName: '(null)' WindowName: 'Running Applications'
ClassName: '(null)' WindowName: 'Notification Area'
ClassName: '(null)' WindowName: 'Start'
ClassName: '(null)' WindowName: 'CicMarshalWndAIG'
ClassName: '(null)' WindowName: 'FolderView'
ClassName: '(null)' WindowName: 'Program Manager'
ClassName: '(null)' WindowName: 'OLEChannelWnd'
ClassName: '(null)' WindowName: 'TF_FloatingLangBar_WndTitle'
ClassName: '(null)' WindowName: ''
ClassName: 'CabinetWClass' WindowName: '(null)'
ClassName: '(null)' WindowName: 'OleMainThreadWndName'
ClassName: '(null)' WindowName: 'CiceroUIWndFrame'
ClassName: '(null)' WindowName: 'CicMarshalWndMDG'
ClassName: '(null)' WindowName: 'services'
ClassName: '(null)' WindowName: '<WINDOWS_KILLER>'
ClassName: '(null)' WindowName: '<Служебное имя>'
ClassName: '(null)' WindowName: 'Tiny H-Pot v1.7'
ClassName: '(null)' WindowName: 'CicMarshalWndALK'
ClassName: '(null)' WindowName: '<Служебное имя> - build Mar 22 2011'
ClassName: '(null)' WindowName: '<SYSTEM32>\cscript.exe'
ClassName: '(null)' WindowName: 'Connections Tray'
ClassName: '(null)' WindowName: 'Power Meter'
ClassName: '(null)' WindowName: 'MS_WebcheckMonitor'
<Служебный элемент>
ClassName: '(null)' WindowName: 'Show details for each &battery.'
ClassName: '(null)' WindowName: '&Always show icon on the taskbar.'
ClassName: '(null)' WindowName: 'Power status'
Поздравляем!
Обменяйте их на скидку до 50% на покупку Dr.Web.
Получить скидку
Скачайте Dr.Web для Android
Бесплатно на 3 месяца
Все компоненты защиты
Продление демо через AppGallery/Google Pay
Если Вы продолжите использование данного сайта, это означает, что Вы даете согласие на использование нами Cookie-файлов и иных технологий по сбору статистических сведений о посетителях. Подробнее
OK