マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Win32.HLLW.Autoruner1.58794

Added to the Dr.Web virus database: 2013-10-18

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /i'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /W'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /s'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /p'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /E'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /N'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /y'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /b'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /D'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /H'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /r'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /M'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /q'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /x'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /U'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /F'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /g'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /V'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /k'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /c'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /O'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /A'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /Z'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /j'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /L'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /t'
Creates or modifies the following files:
  • %HOMEPATH%\Start Menu\Programs\Startup\svchost.exe
Creates the following files on removable media:
  • <Drive name for removable media>:\RCX9.tmp
  • <Drive name for removable media>:\Passwords_backup.exe
  • <Drive name for removable media>:\RCX6.tmp
  • <Drive name for removable media>:\Bloc-notes.exe
  • <Drive name for removable media>:\RCXA.tmp
  • <Drive name for removable media>:\Porn_backup.exe
  • <Drive name for removable media>:\RCX11.tmp
  • <Drive name for removable media>:\RCXB.tmp
  • <Drive name for removable media>:\RCXE.tmp
  • <Drive name for removable media>:\Secret.exe
  • <Drive name for removable media>:\Sexy.exe
  • <Drive name for removable media>:\autorun.inf
  • <Drive name for removable media>:\xoeva.exe
  • <Drive name for removable media>:\RCX3.tmp
  • <Drive name for removable media>:\RCX5.tmp
  • <Drive name for removable media>:\Passwords.exe
  • <Drive name for removable media>:\Porn.exe
  • <Drive name for removable media>:\RCX4.tmp
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\teuveaw.exe' = '%TEMP%\teuveaw.exe:*:Enabled:ipsec'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
blocks the following features:
  • User Account Control (UAC)
  • Windows Security Center
Creates and executes the following:
  • '%HOMEPATH%\xoeva.exe'
  • '%TEMP%\svchost.exe'
  • '%TEMP%\teuveaw.exe'
Executes the following:
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ia5ctluw.cmdline"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD.tmp" "%TEMP%\vbcC.tmp"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\c2e9mmhe.cmdline"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES10.tmp" "%TEMP%\vbcF.tmp"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\upfnp-oh.cmdline"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\vbc1.tmp"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\6-mzrker.cmdline"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8.tmp" "%TEMP%\vbc7.tmp"
  • '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\lsl8nvas.cmdline"
Injects code into
the following system processes:
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
a large number of user processes.
Modifies file system :
Creates the following files:
  • %TEMP%\jvnfu.exe
  • %TEMP%\RESD.tmp
  • %TEMP%\vbcC.tmp
  • %TEMP%\E.resources
  • %TEMP%\WgM.resources
  • %TEMP%\ymrum.exe
  • %TEMP%\upfnp-oh.0.vb
  • <DRIVERS>\fmmmg.sys
  • %TEMP%\lW.resources
  • %TEMP%\winqjcup.exe
  • %TEMP%\upfnp-oh.out
  • %TEMP%\upfnp-oh.cmdline
  • %TEMP%\LiK.resources
  • %TEMP%\kgRGtL.resources
  • %TEMP%\winmjwb.exe
  • %TEMP%\c2e9mmhe.out
  • %TEMP%\c2e9mmhe.cmdline
  • %TEMP%\c2e9mmhe.0.vb
  • %TEMP%\ia5ctluw.out
  • %TEMP%\ia5ctluw.cmdline
  • %TEMP%\ia5ctluw.0.vb
  • %TEMP%\RES10.tmp
  • %TEMP%\vbcF.tmp
  • %TEMP%\winsrdlu.exe
  • %TEMP%\CshEtX.resources
  • %TEMP%\6-mzrker.out
  • %TEMP%\6-mzrker.cmdline
  • %TEMP%\6-mzrker.0.vb
  • %TEMP%\6-mzrker.exe
  • %TEMP%\RES2.tmp
  • %TEMP%\vbc1.tmp
  • %TEMP%\teuveaw.exe
  • %TEMP%\svchost.exe
  • %TEMP%\uRd.resources
  • %TEMP%\MSNPSharp.dll
  • %TEMP%\8b42uA3ND.resources
  • %HOMEPATH%\xoeva.exe
  • %TEMP%\lsl8nvas.out
  • %TEMP%\lsl8nvas.cmdline
  • %TEMP%\lsl8nvas.0.vb
  • %TEMP%\windowsupdate.ico
  • %TEMP%\RES8.tmp
  • %TEMP%\vbc7.tmp
  • C:\oonthd.exe
  • C:\autorun.inf
  • %TEMP%\mmbblq.exe
  • %TEMP%\whatdafock.txt
  • %TEMP%\cuSTbpJ.resources
  • %TEMP%\FcSLyS.resources
Sets the 'hidden' attribute to the following files:
  • C:\oonthd.exe
  • <Drive name for removable media>:\xoeva.exe
  • C:\autorun.inf
  • %HOMEPATH%\xoeva.exe
  • <Drive name for removable media>:\autorun.inf
Deletes the following files:
  • %TEMP%\upfnp-oh.out
  • %TEMP%\upfnp-oh.cmdline
  • %TEMP%\CshEtX.resources
  • %TEMP%\jvnfu.exe
  • %TEMP%\lW.resources
  • %TEMP%\winqjcup.exe
  • <DRIVERS>\fmmmg.sys
  • %TEMP%\RESD.tmp
  • %TEMP%\upfnp-oh.0.vb
  • %TEMP%\vbcC.tmp
  • %TEMP%\ymrum.exe
  • %TEMP%\WgM.resources
  • %TEMP%\ia5ctluw.0.vb
  • %TEMP%\E.resources
  • <Drive name for removable media>:\Porn_backup.exe
  • %TEMP%\winmjwb.exe
  • %TEMP%\RES10.tmp
  • %TEMP%\winsrdlu.exe
  • %TEMP%\vbcF.tmp
  • %TEMP%\ia5ctluw.out
  • %TEMP%\ia5ctluw.cmdline
  • %TEMP%\6-mzrker.exe
  • %TEMP%\6-mzrker.0.vb
  • %TEMP%\6-mzrker.out
  • <Drive name for removable media>:\Sexy.exe
  • %TEMP%\mmbblq.exe
  • %TEMP%\teuveaw.exe
  • %TEMP%\svchost.exe
  • %TEMP%\RES2.tmp
  • %TEMP%\6-mzrker.cmdline
  • %TEMP%\vbc1.tmp
  • <Drive name for removable media>:\Porn.exe
  • %TEMP%\FcSLyS.resources
  • %TEMP%\lsl8nvas.0.vb
  • %TEMP%\cuSTbpJ.resources
  • %TEMP%\windowsupdate.ico
  • <Drive name for removable media>:\Passwords_backup.exe
  • %TEMP%\RES8.tmp
  • <Drive name for removable media>:\Passwords.exe
  • %TEMP%\vbc7.tmp
  • %TEMP%\lsl8nvas.out
  • %TEMP%\lsl8nvas.cmdline
Network activity:
Connects to:
  • 'www.ca###rdesk.org':80
  • 'ar####.niria.biz':80
  • 'am##mex.com':80
  • '17#.#3.169.14':80
  • 'ns#.###nsearcher.net':8000
  • 'al###wry.org':80
TCP:
HTTP GET requests:
  • ar####.niria.biz/xs.jpg?4d###########
  • am##mex.com/xs.jpg?4f###########
  • al###wry.org/images/xs.jpg?4b###########
  • www.ca###rdesk.org/images/xs.jpg?4c###########
UDP:
  • DNS ASK ar####.niria.biz
  • DNS ASK am##mex.com
  • DNS ASK ap###-pie.in
  • DNS ASK ns#.###nsearcher.net
  • DNS ASK al###wry.org
  • DNS ASK www.ca###rdesk.org
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: '(null)'