FÜR NUTZER

Schließen

Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Suche
Suche

Support
Support 24/7 | Regeln zur Anfragenübermittlung

Schreiben Sie uns

Online-Formular

Telefon

+49 (0) 170 488 40 28

Forum

Ihre Anfragen

Neue Anfrage

Rufen Sie uns an

+7 (495) 789-45-86

Profil

DE

RU CN DE EN ES FR IT JP KZ UZ PL BY
Schließen
Services
Scanner
Dr.Web vxCube
Testversion
Analyse von virenabhängigen Vorfällen
Virenbibliothek
Wissensdatenbank

Technologies

Begriffe

Schulung und Training

Mythen

News

Win32.HLLW.Autohit.13952

Added to the Dr.Web virus database: 2013-11-26

Virus description added:

Technical Information

Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' = '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:*:Enabled:Windows Messanger'
  • [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%APPDATA%\Roaming\cryptish.exe' = '%APPDATA%\Roaming\cryptish.exe:*:Enabled:Windows Messanger'
  • [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
Executes the following:
  • '<SYSTEM32>\reg.exe' -u -p 516 -s 4
  • '<SYSTEM32>\reg.exe'
  • '<SYSTEM32>\conhost.exe'
  • '<SYSTEM32>\conhost.exe' /pid=3016
  • '<SYSTEM32>\reg.exe' /pid=1932
  • '<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  • '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
  • '<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /t REG_SZ /d "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:*:Enabled:Windows Messanger" /f
  • '<SYSTEM32>\reg.exe' /pid=2980
  • '<SYSTEM32>\reg.exe' ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%APPDATA%\Roaming\cryptish.exe" /t REG_SZ /d "%APPDATA%\Roaming\cryptish.exe:*:Enabled:Windows Messanger" /f
Injects code into
the following system processes:
  • %WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Modifies file system :
Creates the following files:
  • %APPDATA%\Roaming\cryptish.exe
  • %APPDATA%\Roaming\123
  • %HOMEPATH%\Y55M18.EI9
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<Virus name>.exe
  • %TEMP%\aut58AA.tmp
Sets the 'hidden' attribute to the following files:
  • %HOMEPATH%\Y55M18.EI9
Deletes the following files:
  • %TEMP%\aut58AA.tmp
Network activity:
Connects to:
  • 'un#####r1337.zapto.org':3333
UDP:
  • DNS ASK 6u#####ar1337.zapto.org
  • DNS ASK 5u#####ar1337.zapto.org
  • DNS ASK 7u#####ar1337.zapto.org
  • DNS ASK 9u#####ar1337.zapto.org
  • DNS ASK 8u#####ar1337.zapto.org
  • DNS ASK 4u#####ar1337.zapto.org
  • DNS ASK dn#.##ftncsi.com
  • DNS ASK un#####r1337.zapto.org
  • DNS ASK 1u#####ar1337.zapto.org
  • DNS ASK 3u#####ar1337.zapto.org
  • DNS ASK 2u#####ar1337.zapto.org
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Shell_TrayWnd' WindowName: '(null)'