Win32.HLLW.Autoruner1.13418

Added to the Dr.Web virus database: 2012-03-14

Virus description added: 2012-04-02

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MSWUpdate' = '"%APPDATA%\svchost.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'MSWUpdate' = '"%APPDATA%\svchost.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'rundll32' = '%TEMP%\rundll32 .exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe "%APPDATA%\svchost.exe"'

Creates the following files on removable media:

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%APPDATA%\svchost.exe' = '%APPDATA%\svchost.exe:*:Enabled:CityScape'

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Creates and executes the following:

Executes the following:

<SYSTEM32>\netsh.exe firewall add allowedprogram "%APPDATA%\svchost.exe" CityScape Enable
<SYSTEM32>\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Modifies file system :

Creates the following files:

%APPDATA%\cUyNVWQP
%APPDATA%\svchost.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\locate_my_ip[1]
%TEMP%\rundll32 .exe
%WINDIR%\Temp\svchost.exe
%TEMP%\%tmp%.exe

Sets the 'hidden' attribute to the following files:

Deletes the following files:

Network activity:

Connects to:

TCP:

HTTP GET requests:

UDP:

Miscellaneous:

Searches for the following windows: