Win32.HLLW.Autoruner1.61553
Added to the Dr.Web virus database:
2013-11-23
Virus description added:
2013-11-24
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Classes\.cmd] '' = '.txt'
[<HKLM>\SOFTWARE\Classes\.exe] '' = '.txt'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '<Full path to virus>'
Substitutes the following executable system files:
<SYSTEM32>\dllcache\taskmgr.exe with <SYSTEM32>\dllcache\taskmgr.exe.new
<SYSTEM32>\dllcache\notepad.exe with <SYSTEM32>\dllcache\notepad.exe.new
<SYSTEM32>\taskmgr.exe with <SYSTEM32>\taskmgr.exe.new
<SYSTEM32>\notepad.exe with <SYSTEM32>\notepad.exe.new
Infects the following executable files:
<SYSTEM32>\dllcache\notepad.exe.new
<SYSTEM32>\dllcache\taskmgr.exe.new
Malicious functions:
To complicate detection of its presence in the operating system, blocks execution of the following system utilities:
Registry Editor (RegEdit)
Executes the following:
'<SYSTEM32>\taskkill.exe' /im /f chrome.exe
'<SYSTEM32>\taskkill.exe' /im /f ie.exe
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f
'<SYSTEM32>\taskkill.exe' /im /f firefox.exe
'<SYSTEM32>\taskkill.exe' /f /im explorer.exe
'<SYSTEM32>\taskkill.exe' /f /im skype.exe
'<SYSTEM32>\taskkill.exe' /im /f opera.exe
'<SYSTEM32>\taskkill.exe' /im /f safari.exe
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 2 /f
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\System.bat" "
'<SYSTEM32>\taskkill.exe' /im /f explorer.exe
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerRestrictRun /v 1 /t REG_DWORD /d %WINDIR%\explorer.exe /f
'<SYSTEM32>\reg.exe' Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
'<SYSTEM32>\reg.exe' Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
Terminates or attempts to terminate the following system processes:
Terminates or attempts to terminate the following user processes:
Modifies settings of Windows Explorer:
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoDesktop' = '00000001'
Forces autoplay for removable media.
Modifies file system:
Creates the following files:
Deletes the following files:
%WINDIR%\Media\Windows XP Startup.wav
%WINDIR%\Media\Windows XP Start.wav
%WINDIR%\Media\Windows XP Shutdown.wav
%WINDIR%\Web\Wallpaper\Ascent.jpg
%WINDIR%\Web\Wallpaper\Bliss.bmp
%WINDIR%\Web\Wallpaper\Azul.jpg
%WINDIR%\Web\Wallpaper\Autumn.jpg
%WINDIR%\Media\Windows XP Ringout.wav
%WINDIR%\Media\Windows XP Pop-up Blocked.wav
%WINDIR%\Media\Windows XP Notify.wav
%WINDIR%\Media\Windows XP Minimize.wav
%WINDIR%\Media\Windows XP Print complete.wav
%WINDIR%\Media\Windows XP Ringin.wav
%WINDIR%\Media\Windows XP Restore.wav
%WINDIR%\Media\Windows XP Recycle.wav
%WINDIR%\Web\Wallpaper\Crystal.jpg
%WINDIR%\Web\Wallpaper\Stonehenge.jpg
%WINDIR%\Web\Wallpaper\Ripple.jpg
%WINDIR%\Web\Wallpaper\Red moon desert.jpg
%WINDIR%\Web\Wallpaper\Tulips.jpg
%WINDIR%\Web\Wallpaper\Windows XP.jpg
%WINDIR%\Web\Wallpaper\Wind.jpg
%WINDIR%\Web\Wallpaper\Vortec space.jpg
%WINDIR%\Web\Wallpaper\Radiance.jpg
%WINDIR%\Web\Wallpaper\Home.jpg
%WINDIR%\Web\Wallpaper\Friend.jpg
%WINDIR%\Web\Wallpaper\Follow.jpg
%WINDIR%\Web\Wallpaper\Moon flower.jpg
%WINDIR%\Web\Wallpaper\Purple flower.jpg
%WINDIR%\Web\Wallpaper\Power.jpg
%WINDIR%\Web\Wallpaper\Peace.jpg
%WINDIR%\Media\recycle.wav
%WINDIR%\Media\onestop.mid
%WINDIR%\Media\notify.wav
%WINDIR%\Media\ringin.wav
%WINDIR%\Media\tada.wav
%WINDIR%\Media\start.wav
%WINDIR%\Media\ringout.wav
%WINDIR%\Media\flourish.mid
<SYSTEM32>\notepad.exe
<SYSTEM32>\taskmgr.exe
<SYSTEM32>\hal.dll
%WINDIR%\Driver Cache\i386\driver.cab
%WINDIR%\Media\ding.wav
%WINDIR%\Media\chord.wav
%WINDIR%\Media\chimes.wav
%WINDIR%\Media\town.mid
%WINDIR%\Media\Windows XP Hardware Remove.wav
%WINDIR%\Media\Windows XP Hardware Insert.wav
%WINDIR%\Media\Windows XP Hardware Fail.wav
%WINDIR%\Media\Windows XP Information Bar.wav
%WINDIR%\Media\Windows XP Menu Command.wav
%WINDIR%\Media\Windows XP Logon Sound.wav
%WINDIR%\Media\Windows XP Logoff Sound.wav
%WINDIR%\Media\Windows XP Exclamation.wav
%WINDIR%\Media\Windows XP Battery Low.wav
%WINDIR%\Media\Windows XP Battery Critical.wav
%WINDIR%\Media\Windows XP Balloon.wav
%WINDIR%\Media\Windows XP Critical Stop.wav
%WINDIR%\Media\Windows XP Error.wav
%WINDIR%\Media\Windows XP Ding.wav
%WINDIR%\Media\Windows XP Default.wav
Moves the following files:
from <SYSTEM32>\dllcache\notepad.exe.new to <SYSTEM32>\dllcache\notepad.exe
from <SYSTEM32>\dllcache\taskmgr.exe.new to <SYSTEM32>\dllcache\taskmgr.exe
Miscellaneous:
Searches for the following windows:
ClassName: '(null)' WindowName: '(null)'