Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Win32.HLLW.Autoruner1.17627

Added to the Dr.Web virus database: 2012-06-21

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Client Server Runtime Subsystem Server 7.20' = 'C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Session Manager Subsystem Server 3.91' = 'C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe'
Creates or modifies the following files:
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Windows update.lnk
  • %HOMEPATH%\Start Menu\Programs\Startup\Windows update.lnk
Creates the following files on removable media:
  • <Drive name for removable media>:\SpoolBin.exe
  • <Drive name for removable media>:\autorun.inf
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
Creates and executes the following:
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
Modifies file system :
Creates the following files:
  • C:\SpoolBin.exe
  • C:\autorun.inf
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\Default\Misc\Utilities\Settings\05-16-2012-01-48-28-PM.ini
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\MSWinUpdate.exe
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de.lnk
Sets the 'hidden' attribute to the following files:
  • <Drive name for removable media>:\autorun.inf
  • C:\SpoolBin.exe
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
  • <Drive name for removable media>:\SpoolBin.exe
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de.lnk
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
  • C:\autorun.inf
  • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\MSWinUpdate.exe
Deletes the following files:
  • %TEMP%\~DFFE16.tmp
  • %TEMP%\~DF125B.tmp
  • %TEMP%\~DFE2C6.tmp
Moves itself:
  • from <Full path to virus> to C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0115-0409-0000-0000000FF1CE}-c\temp\tag\HIVE05161214823PM.exe
Deletes itself.
Miscellaneous:
Searches for the following windows:
  • ClassName: '' WindowName: '0 Sm9ssE2039 E smss.exe 893'
  • ClassName: '' WindowName: '0 Sm9ssE2039 E csrss.exe 893'
  • ClassName: '' WindowName: '0 Sm9ssE2039 E INSTALLER 893'
  • ClassName: '' WindowName: '0 Sm9ssE2039 E SpoolBin.exe 893'