Поддержка
Круглосуточная поддержка

Позвоните

Бесплатно по России:
8-800-333-79-32

ЧаВо | Форум

Ваши запросы

  • Все: -
  • Незакрытые: -
  • Последний: -

Позвоните

Бесплатно по России:
8-800-333-79-32

Свяжитесь с нами Незакрытые запросы: 

Профиль

Профиль

Win32.HLLW.Autoruner1.53225

Добавлен в вирусную базу Dr.Web: 2013-08-08

Описание добавлено:

Техническая информация

Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoply.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fooool.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MDM.EXE] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kazme__gheyz.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegCool.EXE] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccApp.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAVRID.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdlite.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdswitch.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdoesrv.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RMSubs.dll] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartUpManager.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BIEInterface.dll] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Classes\inffile\shell\open\command] '' = 'RunDll32.exe powrprof.dll,SetSuspendState'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VVSN.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UdaterUI.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.EXE] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegMech.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'com\New Folder.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DiskExplorer.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessManager.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe] 'Debugger' = 'RunDll32.exe powrprof.dll,SetSuspendState'
Создает следующие файлы на съемном носителе:
  • <Имя диска съемного носителя>:\autorun.inf
  • <Имя диска съемного носителя>:\New Folder.exe
Вредоносные функции:
Для затруднения выявления своего присутствия в системе
блокирует отображение:
  • скрытых файлов
  • расширений файлов
Ищет следующие окна с целью
обнаружения утилит для анализа:
  • ClassName: '(null)' WindowName: 'process monitor - sysinternals: www.sysinternals.com'
  • ClassName: '(null)' WindowName: 'registry monitor - sysinternals: www.sysinternals.com'
  • ClassName: '(null)' WindowName: 'file monitor - sysinternals: www.sysinternals.com'
Без разрешения пользователя устанавливает новую стартовую страницу для Windows Internet Explorer.
Изменения в файловой системе:
Создает следующие файлы:
  • %PROGRAM_FILES%\Sexi .exe
  • <SYSTEM32>\Com\New Folder.exe
  • C:\autorun.inf
  • C:\New Folder.exe
  • <DRIVERS>\autorun.dll
  • <DRIVERS>\lsass
  • <DRIVERS>\lsass.dll
Присваивает атрибут 'скрытый' для следующих файлов:
  • C:\New Folder.exe
  • <Имя диска съемного носителя>:\New Folder.exe
  • <DRIVERS>\lsass
  • <DRIVERS>\autorun.dll
  • <DRIVERS>\lsass.dll
Другое:
Ищет следующие окна:
  • ClassName: '(null)' WindowName: 'avast! quick scanner'
  • ClassName: '(null)' WindowName: 'Registry toolkit'
  • ClassName: '(null)' WindowName: 'TuneUp StartUp Manager'
  • ClassName: '(null)' WindowName: 'AVG 7.1 Professional - Control Center'
  • ClassName: '(null)' WindowName: 'Shell Extension Test'
  • ClassName: '(null)' WindowName: 'avast! simple user interface'
  • ClassName: '(null)' WindowName: 'TuneUp Registry Editor'
  • ClassName: '(null)' WindowName: 'System Configuration'
  • ClassName: '(null)' WindowName: 'Windows Task Manager'
  • ClassName: '(null)' WindowName: 'Registry Editor'
  • ClassName: '(null)' WindowName: 'TuneUp Process Manager'
  • ClassName: '(null)' WindowName: 'Tuneup Disk Space Explorer'
  • ClassName: '(null)' WindowName: 'system32'
  • ClassName: '(null)' WindowName: 'BitDefender 9 Professional Plus'
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
  • ClassName: '(null)' WindowName: 'Player'
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... '
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
  • ClassName: '(null)' WindowName: 'Symantec AntiVirus'
  • ClassName: '(null)' WindowName: 'Kaspersky Anti-Virus Personal Pro Setup'
  • ClassName: '(null)' WindowName: 'eTrust EZ AntiVirus'
  • ClassName: '(null)' WindowName: 'Program Manager [ System Shoma Be Zodi... Mitonid Pishgiri Konid WwW.KaleKhar.BlogFa.Com ] '
  • ClassName: '(null)' WindowName: 'RegCool 3.1.0.5'
  • ClassName: '(null)' WindowName: 'regmon'
  • ClassName: '(null)' WindowName: 'Running Applications'
  • ClassName: '(null)' WindowName: 'Notification Area'
  • ClassName: '(null)' WindowName: 'Start'
  • ClassName: '(null)' WindowName: 'CicMarshalWndAIG'
  • ClassName: '(null)' WindowName: 'FolderView'
  • ClassName: '(null)' WindowName: 'Program Manager'
  • ClassName: '(null)' WindowName: 'OLEChannelWnd'
  • ClassName: '(null)' WindowName: 'TF_FloatingLangBar_WndTitle'
  • ClassName: '(null)' WindowName: ''
  • ClassName: 'CabinetWClass' WindowName: '(null)'
  • ClassName: '(null)' WindowName: 'OleMainThreadWndName'
  • ClassName: '(null)' WindowName: 'CiceroUIWndFrame'
  • ClassName: '(null)' WindowName: 'CicMarshalWndMDG'
  • ClassName: '(null)' WindowName: 'services'
  • ClassName: '(null)' WindowName: '<WINDOWS_KILLER>'
  • ClassName: '(null)' WindowName: '<Служебное имя>'
  • ClassName: '(null)' WindowName: 'Tiny H-Pot v1.7'
  • ClassName: '(null)' WindowName: 'CicMarshalWndALK'
  • ClassName: '(null)' WindowName: '<Служебное имя> - build Mar 22 2011'
  • ClassName: '(null)' WindowName: '<SYSTEM32>\cscript.exe'
  • ClassName: '(null)' WindowName: 'Connections Tray'
  • ClassName: '(null)' WindowName: 'Power Meter'
  • ClassName: '(null)' WindowName: 'MS_WebcheckMonitor'
  • <Служебный элемент>
  • ClassName: '(null)' WindowName: 'Show details for each &battery.'
  • ClassName: '(null)' WindowName: '&Always show icon on the taskbar.'
  • ClassName: '(null)' WindowName: 'Power status'