FÜR NUTZER

Schließen

Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Suche
Suche

Support
Support 24/7 | Regeln zur Anfragenübermittlung

Schreiben Sie uns

Online-Formular

Telefon

+49 (0) 170 488 40 28

Forum

Ihre Anfragen

Neue Anfrage

Rufen Sie uns an

+7 (495) 789-45-86

Profil

DE

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
Schließen
Services
Scanner
Dr.Web vxCube
Testversion
Analyse von virenabhängigen Vorfällen
Virenbibliothek
Wissensdatenbank

Technologies

Begriffe

Schulung und Training

Mythen

News

Trojan.MulDrop11.36694

Added to the Dr.Web virus database: 2020-02-01

Virus description added:

Technical Information

To ensure autorun and distribution
Creates the following services
  • [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\UxSms] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Themes] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\SysMain] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\sppsvc] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Spooler] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\ShellHWDetection] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\SamSs] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\ProfSvc] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Power] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\PlugPlay] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\nsi] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\NlaSvc] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\MpsSvc] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\MMCSS] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\lmhosts] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\LanmanWorkstation] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\LanmanServer] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\EventSystem] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\eventlog] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Dnscache] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Dhcp] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\CryptSvc] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\BFE] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\AudioSrv] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\AudioEndpointBuilder] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Winmgmt] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Wlansvc] 'Start' = '00000002'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Modifies file system
Creates the following files
  • %TEMP%\autca47.tmp
  • %WINDIR%\syswow64\deskrun.bat
Deletes the following files
  • %TEMP%\autca47.tmp
Miscellaneous
Creates and executes the following
  • '<SYSTEM32>\cmd.exe' /c %WINDIR%\SysWOW64\deskrun.bat' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C del /q /s %windir%\SysWOW64\opter.exe' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c %WINDIR%\SysWOW64\deskrun.bat
  • '%WINDIR%\syswow64\sc.exe' config SCPolicySvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SDRSVC start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config seclogon start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SENS start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SensrSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SessionEnv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SharedAccess start= DISABLED
  • '%WINDIR%\syswow64\sc.exe' config ShellHWDetection start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config SNMPTRAP start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Spooler start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config sppsvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config sppuinotify start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SSDPSRV start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SstpSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config stisvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Schedule start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config swprv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SCardSvr start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config RpcSs start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config pla start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config PlugPlay start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config PNRPAutoReg start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config PNRPsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config PolicyAgent start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Power start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config ProfSvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config ProtectedStorage start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config QWAVE start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config RasAuto start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config RasMan start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config RemoteAccess start= DISABLED
  • '%WINDIR%\syswow64\sc.exe' config RemoteRegistry start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config RpcEptMapper start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config RpcLocator start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config SamSs start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config SysMain start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config TabletInputService start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config TapiSrv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Wecsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config wercplsupport start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WerSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WinHttpAutoProxySvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Winmgmt start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config WinRM start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config wudfsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Wlansvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config WMPNetworkSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WPCSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WPDBusEnum start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config wscsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WSearch start= DISABLED
  • '%WINDIR%\syswow64\sc.exe' config wuauserv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WdiSystemHost start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WebClient start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WdiServiceHost start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WcsPlugInService start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config wcncsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config TermService start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Themes start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config THREADORDER start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config TrkWks start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config TrustedInstaller start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config UI0Detect start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config PerfHost start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config upnphost start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config UmRdpService start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config VaultSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config vds start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config VSS start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config W32Time start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config wbengine start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WbioSrvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config TBS start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config UxSms start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config wmiApSrv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config PeerDistSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Netlogon start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Browser start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config bthserv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config CertPropSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config clr_optimization_v2.0.50727_32 start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config clr_optimization_v2.0.50727_64 start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config COMSysApp start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config CryptSvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config CscService start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config DcomLaunch start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config defragsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Dhcp start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config Dnscache start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config dot3svc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config DPS start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config EapHost start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config BITS start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config EFS start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config BFE start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config AxInstSV start= DEMAND
  • '<SYSTEM32>\cmd.exe' /C del /q /s %windir%\SysWOW64\opter.exe
  • '%WINDIR%\syswow64\powercfg.exe' -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0
  • '%WINDIR%\syswow64\netsh.exe' advfirewall set allprofiles state off
  • '%WINDIR%\syswow64\powercfg.exe' -h off
  • '%WINDIR%\syswow64\reg.exe' DELETE HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\0762812C5FEEC1B428F26679F2DFAE7C /f
  • '%WINDIR%\syswow64\reg.exe' DELETE HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\0762812C5FEEC1B428F26679F2DFAE7C /f
  • '%WINDIR%\syswow64\reg.exe' DELETE HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\157F0F9510151564A87B08EF0A9EBBE9 /f
  • '%WINDIR%\syswow64\reg.exe' DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\157F0F9510151564A87B08EF0A9EBBE9 /f
  • '%WINDIR%\syswow64\sc.exe' config AeLookupSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config ALG start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config AppIDSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Appinfo start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config AppMgmt start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config AudioEndpointBuilder start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config AudioSrv start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config BDESVC start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config ehRecvr start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config ehSched start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config eventlog start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config Mcx2Svc start= DISABLED
  • '%WINDIR%\syswow64\sc.exe' config MMCSS start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config MpsSvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config MSDTC start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config MSiSCSI start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config msiserver start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config p2psvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config napagent start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Netman start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config netprofm start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config NetTcpPortSharing start= DISABLED
  • '%WINDIR%\syswow64\sc.exe' config NlaSvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config nsi start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config p2pimsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config lltdsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config lmhosts start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config LanmanWorkstation start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config LanmanServer start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config KtmRm start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config Fax start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config fdPHost start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config FDResPub start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config FontCache start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config FontCache3.0.0.0 start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config gpsvc start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config PcaSvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config hkmsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config hidserv start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config HomeGroupProvider start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config idsvc start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config IKEEXT start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config IPBusEnum start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config iphlpsvc start= DISABLED
  • '%WINDIR%\syswow64\sc.exe' config KeyIso start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config EventSystem start= AUTO
  • '%WINDIR%\syswow64\sc.exe' config HomeGroupListener start= DEMAND
  • '%WINDIR%\syswow64\sc.exe' config WwanSvc start= DEMAND

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play