Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Win32.Sector.23

Added to the Dr.Web virus database: 2010-11-12

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • %WINDIR%\system.ini
Creates the following services
  • [<HKLM>\System\CurrentControlSet\Services\amsint32] 'ImagePath' = '<DRIVERS>\hnlifn.sys'
Infects the following executable files
  • <Drive name for removable media>:\notepad.exe
  • <Drive name for removable media>:\jre-7u75-windows-i586-iftw.exe
  • <Drive name for removable media>:\chromesetup.exe
  • <Drive name for removable media>:\calc.exe
  • <Drive name for removable media>:\tcm851ax32.exe
  • %ALLUSERSPROFILE%\application data\adobe\setup\{ac76ba86-7ad7-1033-7b44-aa1000000001}\setup.exe
  • %ProgramFiles%\microsoft office\office12\excel.exe
  • %ProgramFiles%\microsoft office\office12\winword.exe
  • %ProgramFiles%\microsoft office\office12\powerpnt.exe
  • %ProgramFiles%\microsoft office\office12\infopath.exe
  • %ProgramFiles%\opera\launcher.exe
  • %ProgramFiles%\adobe\reader 10.0\reader\acrord32.exe
  • %ProgramFiles%\microsoft office\office12\msohtmed.exe
  • %ProgramFiles%\Microsoft Office\Office12\OIS.EXE
  • %ProgramFiles%\winrar\winrar.exe
Creates the following files on removable media
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\toqms.exe
Malicious functions
To bypass firewall, removes or modifies the following registry keys
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to file>' = '<Full path to file>:*:Enabled:ipsec'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
blocks execution of the following system utilities:
  • Windows Security Center
blocks the following features:
  • User Account Control (UAC)
  • Windows Security Center
Injects code into
the following system processes:
  • <SYSTEM32>\ctfmon.exe
the following user processes:
  • firefox.exe
Modifies file system
Creates the following files
  • %TEMP%\windsaiot.exe
  • %TEMP%\winbrbloe.exe
  • <DRIVERS>\hnlifn.sys
  • %TEMP%\winehhomd.exe
  • amsint32
  • %TEMP%\ugrrvw.exe
  • C:\autorun.inf
  • C:\cubhx.exe
  • D:\autorun.inf
  • D:\kqkps.exe
Sets the 'hidden' attribute to the following files
  • C:\autorun.inf
  • C:\cubhx.exe
  • D:\autorun.inf
  • D:\kqkps.exe
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\toqms.exe
Deletes the following files
  • %TEMP%\windsaiot.exe
  • %TEMP%\winbrbloe.exe
  • <DRIVERS>\hnlifn.sys
  • %TEMP%\winehhomd.exe
  • %TEMP%\ugrrvw.exe