Win32.HLLW.Autoruner1.30479

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Print Spooler Process' = '<SYSTEM32>\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe'

Creates the following files on removable media:

<Drive name for removable media>:\autorun.inf

Malicious functions:

Executes the following:

<SYSTEM32>\attrib.exe +h N:\autorun.inf
<SYSTEM32>\attrib.exe +h M:\autorun.inf
<SYSTEM32>\attrib.exe +h L:\autorun.inf
<SYSTEM32>\attrib.exe +h Q:\autorun.inf
<SYSTEM32>\attrib.exe +h P:\autorun.inf
<SYSTEM32>\attrib.exe +h O:\autorun.inf
<SYSTEM32>\attrib.exe +h K:\autorun.inf
<SYSTEM32>\attrib.exe +h G:\autorun.inf
<SYSTEM32>\attrib.exe +h F:\autorun.inf
<SYSTEM32>\attrib.exe +h E:\autorun.inf
<SYSTEM32>\attrib.exe +h J:\autorun.inf
<SYSTEM32>\attrib.exe +h I:\autorun.inf
<SYSTEM32>\attrib.exe +h H:\autorun.inf
<SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /f /v "Enabled" /t REG_DWORD /d 00000001
<SYSTEM32>\attrib.exe +h Z:\autorun.inf
<SYSTEM32>\attrib.exe +h Y:\autorun.inf
<SYSTEM32>\cmd.exe /c ""<Current directory>\ftp.bat" "
<SYSTEM32>\wscript.exe "<Current directory>\b.vbs"
<SYSTEM32>\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "Print Spooler Process" /d <SYSTEM32>\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe
<SYSTEM32>\attrib.exe +h X:\autorun.inf
<SYSTEM32>\attrib.exe +h T:\autorun.inf
<SYSTEM32>\attrib.exe +h S:\autorun.inf
<SYSTEM32>\attrib.exe +h R:\autorun.inf
<SYSTEM32>\attrib.exe +h W:\autorun.inf
<SYSTEM32>\attrib.exe +h V:\autorun.inf
<SYSTEM32>\attrib.exe +h U:\autorun.inf
<SYSTEM32>\attrib.exe +h <Drive name for removable media>:\autorun.inf
<SYSTEM32>\attrib.exe +h K:\RECYCLER
<SYSTEM32>\attrib.exe +h J:\RECYCLER
<SYSTEM32>\attrib.exe +h I:\RECYCLER
<SYSTEM32>\attrib.exe +h N:\RECYCLER
<SYSTEM32>\attrib.exe +h M:\RECYCLER
<SYSTEM32>\attrib.exe +h L:\RECYCLER
<SYSTEM32>\attrib.exe +h H:\RECYCLER
<SYSTEM32>\attrib.exe +h <Drive name for removable media>:\RECYCLER
<SYSTEM32>\attrib.exe +h C:\RECYCLER
<SYSTEM32>\attrib.exe +h "<SYSTEM32>\spool\drivers\w32x86\3\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}\spooler.exe"
<SYSTEM32>\attrib.exe +h G:\RECYCLER
<SYSTEM32>\attrib.exe +h F:\RECYCLER
<SYSTEM32>\attrib.exe +h E:\RECYCLER
<SYSTEM32>\attrib.exe +h X:\RECYCLER
<SYSTEM32>\attrib.exe +h W:\RECYCLER
<SYSTEM32>\attrib.exe +h V:\RECYCLER
<SYSTEM32>\attrib.exe +h C:\autorun.inf
<SYSTEM32>\attrib.exe +h Z:\RECYCLER
<SYSTEM32>\attrib.exe +h Y:\RECYCLER
<SYSTEM32>\attrib.exe +h U:\RECYCLER
<SYSTEM32>\attrib.exe +h Q:\RECYCLER
<SYSTEM32>\attrib.exe +h P:\RECYCLER
<SYSTEM32>\attrib.exe +h O:\RECYCLER
<SYSTEM32>\attrib.exe +h T:\RECYCLER
<SYSTEM32>\attrib.exe +h S:\RECYCLER
<SYSTEM32>\attrib.exe +h R:\RECYCLER

Modifies file system :

Creates the following files:

<Current directory>\ftp.bat
<Current directory>\b.vbs
<Current directory>\a.vbs
<Current directory>\tmp
%TEMP%\bt2516.bat
C:\autorun.inf
%TEMP%\reg

Sets the 'hidden' attribute to the following files:

<Drive name for removable media>:\autorun.inf
C:\autorun.inf
%TEMP%\bt2516.bat

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information