Um eine korrekte Funktionsweise unserer Website zu gewährleisten, müssen Sie die Unterstützung für JavaScript in Ihrem Browser aktivieren.
Win32.HLLW.Autoruner2.53432
Added to the Dr.Web virus database:
2019-07-26
Virus description added:
2019-07-29
Technical Information
To ensure autorun and distribution
Modifies the following registry keys
[<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = 'ssmarque.scr'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = 'drivers\Kazekage.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\Software\Classes\VBSFile\Shell\Open\Command] '' = 'calc.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,drivers\system32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe, drivers\csrss.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'SystemRun' = 'drivers\csrss.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] '644r4' = '23-7-2019.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'FreeAV' = 'Fonts\user 23 - 7 - 2019\Gaara.exe'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'DesertSand' = 'Fonts\user 23 - 7 - 2019\smss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe] 'Debugger' = 'cmd.exe /c del'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'drivers\Kazekage.exe'
Changes the following executable system files
Creates the following files on removable media
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\user games\hokage-sampit (nothing).exe
<Drive name for removable media>:\gaara.exe
<Drive name for removable media>:\user games\readme.txt
<Drive name for removable media>:\user games\gaara games - naruto.exe
<Drive name for removable media>:\user games\naruto games.exe
<Drive name for removable media>:\user games\anbu team sampit (nothing).exe
<Drive name for removable media>:\user games\kazekage.exe
<Drive name for removable media>:\user games\kazekage vs hokage.exe
<Drive name for removable media>:\user games\gaara go to kazekage.exe
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
hidden files
file extensions
blocks execution of the following system utilities:
Registry Editor (RegEdit)
blocks the following features:
System Restore (SR)
User Account Control (UAC)
modifies the following system settings:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
Searches for windows to
detect analytical utilities:
ClassName: 'PROCEXPL', WindowName: ''
Modifies settings of Windows Internet Explorer
[<HKCU>\Software\Microsoft\Internet Explorer\Main] 'Window Title' = '!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!'
Modifies file system
Creates the following files
%WINDIR%\fonts\the kazekage.jpg
C:\user games\kazekage vs hokage.exe
C:\user games\gaara go to kazekage.exe
D:\user games\kazekage.exe
C:\user games\kazekage.exe
D:\user games\anbu team sampit (nothing).exe
C:\user games\anbu team sampit (nothing).exe
D:\user games\naruto games.exe
C:\user games\naruto games.exe
D:\user games\gaara games - naruto.exe
C:\user games\gaara games - naruto.exe
%WINDIR%\mscomctl.ocx
D:\user games\readme.txt
D:\gaara.exe
D:\user games\hokage-sampit (nothing).exe
D:\autorun.inf
C:\user games\readme.txt
C:\gaara.exe
C:\user games\hokage-sampit (nothing).exe
C:\autorun.inf
<Current directory>\gaara the kazekage.exe
%WINDIR%\system\msvbvm60.dll
%WINDIR%\msvbvm60.dll
%WINDIR%\fonts\user 23 - 7 - 2019\msvbvm60.dll
<DRIVERS>\system32.exe
<DRIVERS>\kazekage.exe
<SYSTEM32>\23-7-2019.exe
%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe
%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe
%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe
D:\user games\kazekage vs hokage.exe
D:\user games\gaara go to kazekage.exe
Sets the 'hidden' attribute to the following files
C:\autorun.inf
C:\gaara.exe
D:\autorun.inf
D:\gaara.exe
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\gaara.exe
%WINDIR%\msvbvm60.dll
Network activity
UDP
DNS ASK 22#.###.0.0.in-addr.arpa
Miscellaneous
Searches for the following windows
ClassName: 'THUNDERRT6FORMDC' WindowName: ''
ClassName: 'SYMINTEGRATORWND' WindowName: ''
ClassName: 'CENTRALFRAME' WindowName: ''
ClassName: 'TMCAFEEVIRUSSCANCENTRAL' WindowName: ''
ClassName: 'NAI_VS_STAT' WindowName: ''
ClassName: 'VIRUSSCANCONSULEWINDOWSCLASS' WindowName: ''
ClassName: 'TMESSAGEFORM' WindowName: ''
ClassName: 'TFROM1' WindowName: ''
ClassName: 'TPANEL' WindowName: ''
ClassName: 'NAVAPWNDCLASS' WindowName: ''
ClassName: 'TAPPLICATION' WindowName: ''
ClassName: 'TXPTITLE' WindowName: ''
ClassName: 'TMAINFORM' WindowName: ''
ClassName: 'CONSOLEWINDOWCLASS' WindowName: ''
ClassName: 'ANSAV#2194' WindowName: ''
ClassName: 'HONEYKISSME' WindowName: ''
ClassName: 'THUNDERRT6USERCONTROL' WindowName: ''
ClassName: 'THUNDERRT6USERCONTROLDC' WindowName: ''
ClassName: 'THUNDERRT6FRAME' WindowName: ''
ClassName: 'TTFXPFORM' WindowName: ''
ClassName: 'SYM_CCWEBWINDOWS_CLASS' WindowName: ''
Creates and executes the following
'%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe'
'%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe'
'%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe'
'<DRIVERS>\kazekage.exe'
'<DRIVERS>\system32.exe'
'%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe' ' (with hidden window)
'%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe' ' (with hidden window)
'%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe' ' (with hidden window)
'<DRIVERS>\kazekage.exe' ' (with hidden window)
'<DRIVERS>\system32.exe' ' (with hidden window)
'<SYSTEM32>\ping.exe' -a -l www.ra####yang.com.my 65500' (with hidden window)
'<SYSTEM32>\ping.exe' -a -l www.du###sex.com 65500' (with hidden window)
Executes the following
'<SYSTEM32>\winmine.exe'
'<SYSTEM32>\ping.exe' -a -l www.ra####yang.com.my 65500
'<SYSTEM32>\ping.exe' -a -l www.du###sex.com 65500
Laden Sie Dr.Web für Android herunter
Kostenlos für 3 Monate
Alle Schutzkomponenten
Verlängerung der Testversion über AppGallery/Google Pay
Wenn Sie diese Webseite weiter benutzen, bedeutet dies, dass Sie mit der Verarbeitung von Cookies sowie dem Einsatz anderer Technologien zur Sammlung von statistischen Nutzerdaten einverstanden sind. Mehr dazu
OK