Win32.HLLW.Autoruner1.45519

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'
[<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>\Win32Run.exe %1'
[<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>\Win32Run.exe'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = 'c:\1.exe %1'
[<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>'
[<HKLM>\SOFTWARE\Classes\txtfile\shell\open\command] '' = 'C:\1.exe'

Создает следующие файлы на съемном носителе:

<Имя диска съемного носителя>:\Autorun.inf
<Имя диска съемного носителя>:\Win32Run.exe

Вредоносные функции:

Для затруднения выявления своего присутствия в системе

блокирует запуск следующих системных утилит:

Редактора реестра (RegEdit)

Создает и запускает на исполнение:

'<SYSTEM32>\Win32Run.exe' <SYSTEM32>\ichelper.exe
'<SYSTEM32>\Win32Run.exe' <Текущая директория>\ichelper.exe

Запускает на исполнение:

'<SYSTEM32>\ntvdm.exe' -f -i16
'<SYSTEM32>\ntvdm.exe' -f -i15
'<SYSTEM32>\ntvdm.exe' -f -i18
'<SYSTEM32>\ntvdm.exe' -f -i17
'<SYSTEM32>\ntvdm.exe' -f -i12
'<SYSTEM32>\ntvdm.exe' -f -i11
'<SYSTEM32>\ntvdm.exe' -f -i14
'<SYSTEM32>\ntvdm.exe' -f -i13
'<SYSTEM32>\ntvdm.exe' -f -i1e
'<SYSTEM32>\ntvdm.exe' -f -i1d
'<SYSTEM32>\ntvdm.exe' -f -i20
'<SYSTEM32>\ntvdm.exe' -f -i1f
'<SYSTEM32>\ntvdm.exe' -f -i1a
'<SYSTEM32>\ntvdm.exe' -f -i19
'<SYSTEM32>\ntvdm.exe' -f -i1c
'<SYSTEM32>\ntvdm.exe' -f -i1b
'<SYSTEM32>\ntvdm.exe' -f -i10
'<SYSTEM32>\ntvdm.exe' -f -i5
'<SYSTEM32>\ntvdm.exe' -f -i4
'<SYSTEM32>\ntvdm.exe' -f -i7
'<SYSTEM32>\ntvdm.exe' -f -i6
'<SYSTEM32>\ntvdm.exe' -f -i1
'%WINDIR%\explorer.exe'
'<SYSTEM32>\ntvdm.exe' -f -i3
'<SYSTEM32>\ntvdm.exe' -f -i2
'<SYSTEM32>\ntvdm.exe' -f -id
'<SYSTEM32>\ntvdm.exe' -f -ic
'<SYSTEM32>\ntvdm.exe' -f -if
'<SYSTEM32>\ntvdm.exe' -f -ie
'<SYSTEM32>\ntvdm.exe' -f -i9
'<SYSTEM32>\ntvdm.exe' -f -i8
'<SYSTEM32>\ntvdm.exe' -f -ib
'<SYSTEM32>\ntvdm.exe' -f -ia

Внедряет код в

следующие пользовательские процессы:

NAVAPW32.EXE

Завершает или пытается завершить

следующие системные процессы:

%WINDIR%\Explorer.EXE

следующие пользовательские процессы:

bdss.exe
360tray.exe
NAVAPW32.EXE

Без разрешения пользователя устанавливает новую стартовую страницу для Windows Internet Explorer.

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\Temp\scs22.tmp
%WINDIR%\Temp\scs23.tmp
%WINDIR%\Temp\scs20.tmp
%WINDIR%\Temp\scs21.tmp
%WINDIR%\Temp\scs26.tmp
%WINDIR%\Temp\scs27.tmp
%WINDIR%\Temp\scs24.tmp
%WINDIR%\Temp\scs25.tmp
%WINDIR%\Temp\scs1F.tmp
%WINDIR%\Temp\scs19.tmp
%WINDIR%\Temp\scs1A.tmp
%WINDIR%\Temp\scs17.tmp
%WINDIR%\Temp\scs18.tmp
%WINDIR%\Temp\scs1D.tmp
%WINDIR%\Temp\scs1E.tmp
%WINDIR%\Temp\scs1B.tmp
%WINDIR%\Temp\scs1C.tmp
%WINDIR%\Temp\scs33.tmp
%WINDIR%\Temp\scs34.tmp
%WINDIR%\Temp\scs31.tmp
%WINDIR%\Temp\scs32.tmp
%WINDIR%\Temp\scs37.tmp
%WINDIR%\Temp\scs38.tmp
%WINDIR%\Temp\scs35.tmp
%WINDIR%\Temp\scs36.tmp
%WINDIR%\Temp\scs30.tmp
%WINDIR%\Temp\scs2A.tmp
%WINDIR%\Temp\scs2B.tmp
%WINDIR%\Temp\scs28.tmp
%WINDIR%\Temp\scs29.tmp
%WINDIR%\Temp\scs2E.tmp
%WINDIR%\Temp\scs2F.tmp
%WINDIR%\Temp\scs2C.tmp
%WINDIR%\Temp\scs2D.tmp
<SYSTEM32>\Autorun.inf
%WINDIR%\Temp\scs2.tmp
C:\Autorun.inf
<SYSTEM32>\ichelper.exe
%WINDIR%\Temp\scs4.tmp
%WINDIR%\Temp\scs5.tmp
%WINDIR%\Temp\scs1.tmp
%WINDIR%\Temp\scs3.tmp
C:\Win32Run.exe
<Текущая директория>\Autorun.inf
<Текущая директория>\hook.dll
<Текущая директория>\ichelper.exe
<SYSTEM32>\hook.dll
<SYSTEM32>\COMCT232.OCX
<Текущая директория>\COMCT232.OCX
<SYSTEM32>\Win32Run.exe
%WINDIR%\Temp\scs11.tmp
%WINDIR%\Temp\scs12.tmp
%WINDIR%\Temp\scs10.tmp
%WINDIR%\Temp\scsF.tmp
%WINDIR%\Temp\scs15.tmp
%WINDIR%\Temp\scs16.tmp
%WINDIR%\Temp\scs14.tmp
%WINDIR%\Temp\scs13.tmp
%WINDIR%\Temp\scsE.tmp
%WINDIR%\Temp\scs8.tmp
%WINDIR%\Temp\scs9.tmp
%WINDIR%\Temp\scs6.tmp
%WINDIR%\Temp\scs7.tmp
%WINDIR%\Temp\scsC.tmp
%WINDIR%\Temp\scsD.tmp
%WINDIR%\Temp\scsA.tmp
%WINDIR%\Temp\scsB.tmp

Удаляет следующие файлы:

%WINDIR%\Temp\scs23.tmp
%WINDIR%\Temp\scs1F.tmp
%WINDIR%\Temp\scs24.tmp
%WINDIR%\Temp\scs26.tmp
%WINDIR%\Temp\scs29.tmp
%WINDIR%\Temp\scs25.tmp
%WINDIR%\Temp\scs20.tmp
%WINDIR%\Temp\scs1D.tmp
%WINDIR%\Temp\scs1C.tmp
%WINDIR%\Temp\scs19.tmp
%WINDIR%\Temp\scs22.tmp
%WINDIR%\Temp\scs1E.tmp
%WINDIR%\Temp\scs21.tmp
%WINDIR%\Temp\scs32.tmp
%WINDIR%\Temp\scs2F.tmp
%WINDIR%\Temp\scs2D.tmp
%WINDIR%\Temp\scs33.tmp
%WINDIR%\Temp\scs31.tmp
%WINDIR%\Temp\scs34.tmp
%WINDIR%\Temp\scs30.tmp
%WINDIR%\Temp\scs2B.tmp
%WINDIR%\Temp\scs27.tmp
%WINDIR%\Temp\scs2A.tmp
%WINDIR%\Temp\scs2E.tmp
%WINDIR%\Temp\scs2C.tmp
%WINDIR%\Temp\scs28.tmp
%WINDIR%\Temp\scsB.tmp
%WINDIR%\Temp\scsA.tmp
%WINDIR%\Temp\scs7.tmp
%WINDIR%\Temp\scsE.tmp
%WINDIR%\Temp\scsC.tmp
%WINDIR%\Temp\scs9.tmp
%WINDIR%\Temp\scs5.tmp
%WINDIR%\Temp\scs1.tmp
%WINDIR%\Temp\scs3.tmp
%WINDIR%\Temp\scs2.tmp
%WINDIR%\Temp\scs8.tmp
%WINDIR%\Temp\scs6.tmp
%WINDIR%\Temp\scs4.tmp
%WINDIR%\Temp\scs15.tmp
%WINDIR%\Temp\scs17.tmp
%WINDIR%\Temp\scs16.tmp
%WINDIR%\Temp\scs1B.tmp
%WINDIR%\Temp\scs1A.tmp
%WINDIR%\Temp\scs18.tmp
%WINDIR%\Temp\scs13.tmp
%WINDIR%\Temp\scs10.tmp
%WINDIR%\Temp\scsD.tmp
%WINDIR%\Temp\scsF.tmp
%WINDIR%\Temp\scs12.tmp
%WINDIR%\Temp\scs14.tmp
%WINDIR%\Temp\scs11.tmp

Другое:

Ищет следующие окна:

ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d88.c60.4a0017'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c84.c88.490016'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c64.cec.4c0019'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d44.df0.4b0018'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b04.ae8.480015'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-638.594.450012'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-70c.700.440011'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a14.bb8.470014'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-72c.b98.460013'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c18.c28.4d001a'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1064.1074.540021'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1060.1070.530020'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-10a0.10a4.560023'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1080.1084.550022'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1054.105c.52001f'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ec0.d68.4f001c'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bbc.e1c.4e001b'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1030.1034.51001e'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1028.102c.50001d'
ClassName: 'CSCHiddenWindow' WindowName: '(null)'
ClassName: 'SystemTray_Main' WindowName: '(null)'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-98c.964.390002'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-980.968.380001'
ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
ClassName: 'Proxy Desktop' WindowName: '(null)'
ClassName: 'Shell_TrayWnd' WindowName: '(null)'
ClassName: 'SysListView32' WindowName: '(null)'
ClassName: 'BaseBar' WindowName: 'ChanApp'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-568.9d0.3a0007'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ac8.adc.41000e'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ab8.acc.40000d'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-690.a54.430010'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-6bc.6b8.42000f'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a84.a80.3f000c'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-5ec.a34.3c0009'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-9e0.9e4.3b0008'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a6c.a68.3e000b'
ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a38.a3c.3d000a'

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация