Win32.HLLW.Autoruner1.36820

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMPLAYER.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninstall.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unins000.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UPDATE.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINST.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRZSTATE2K.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEAN.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANPC.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UPDATER.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dfrg.msc] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '<SYSTEM32>\csrss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Winlogon' = '<SYSTEM32>\winlogon.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'isass' = '<SYSTEM32>\isass.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'isass' = '<SYSTEM32>\isass.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'smss' = '<SYSTEM32>\smss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'services' = '<SYSTEM32>\services.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'smss' = '<SYSTEM32>\smss.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINRAR.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WAV.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ShowKillProcess.exe] 'Debugger' = 'hh.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '<SYSTEM32>\services.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '<SYSTEM32>\csrss.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WinLogon' = '<SYSTEM32>\winlogon.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DF5SERV.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav-beta-setup.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavd.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEdiror.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegEdt32.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AGENTSVR.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCHED.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONTROL.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAMBOOSTER.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIVIRUS.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROCEXP.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCENTER.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winampa.exe] 'Debugger' = 'hh.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe] 'Debugger' = 'hh.exe'

Creates or modifies the following files:

%ALLUSERSPROFILE%\Start Menu\Programs\Startup\Isass.exe

Creates the following files on removable media:

<Drive name for removable media>:\Koleksi Gambar Bokep\Rahma Azhari.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Ayu Azhari.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Sarah Azhari.jpg.exe
<Drive name for removable media>:\Agnes Monica.jpg.exe
<Drive name for removable media>:\Gadis Bandung.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Donna Harun.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Agnes Monica.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Duo Maia.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Gadis Cantik.jpg.exe
<Drive name for removable media>:\Koleksi Gambar Bokep\Riyani Djangkaru.jpg.exe
<Drive name for removable media>:\Sarah Azhari.jpg.exe
<Drive name for removable media>:\Rahma Azhari.jpg.exe
<Drive name for removable media>:\Isass.exe
<Drive name for removable media>:\AUTORUN.INF
<Drive name for removable media>:\.jpg.exe
<Drive name for removable media>:\Duo Maia.jpg.exe
<Drive name for removable media>:\Donna Harun.jpg.exe
<Drive name for removable media>:\Riyani Djangkaru.jpg.exe
<Drive name for removable media>:\Ayu Azhari.jpg.exe
<Drive name for removable media>:\Gadis Cantik.jpg.exe

Malicious functions:

Modifies settings of Windows Explorer:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoViewContextMenu' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoShellSearchButton' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'

Modifies file system :

Creates the following files:

%PROGRAM_FILES%\Agnes Monica.jpg.exe
%WINDIR%\Sarah Azhari.jpg.exe
%WINDIR%\Rahma Azhari.jpg.exe
%PROGRAM_FILES%\Donna Harun.jpg.exe
%PROGRAM_FILES%\Gadis Cantik.jpg.exe
%PROGRAM_FILES%\Riyani Djangkaru.jpg.exe
%PROGRAM_FILES%\Duo Maia.jpg.exe
%WINDIR%\Donna Harun.jpg.exe
%WINDIR%\Agnes Monica.jpg.exe
<SYSTEM32>\isass.exe
%WINDIR%\Duo Maia.jpg.exe
%WINDIR%\Ayu Azhari.jpg.exe
%WINDIR%\Gadis Cantik.jpg.exe
%WINDIR%\Riyani Djangkaru.jpg.exe
C:\Koleksi Gambar Bokep\Rahma Azhari.jpg.exe
C:\Koleksi Gambar Bokep\Ayu Azhari.jpg.exe
C:\Koleksi Gambar Bokep\Gadis Cantik.jpg.exe
C:\Koleksi Gambar Bokep\Sarah Azhari.jpg.exe
C:\.jpg.exe
C:\Koleksi Gambar Bokep\Gadis Sampul.jpg.exe
%PROGRAM_FILES%\Sarah Azhari.jpg.exe
%PROGRAM_FILES%\Rahma Azhari.jpg.exe
%PROGRAM_FILES%\Ayu Azhari.jpg.exe
C:\Koleksi Gambar Bokep\Agnes Monica.jpg.exe
C:\Koleksi Gambar Bokep\Riyani Djangkaru.jpg.exe
C:\Koleksi Gambar Bokep\Duo Maia.jpg.exe
C:\Koleksi Gambar Bokep\Donna Harun.jpg.exe

Sets the 'hidden' attribute to the following files:

<Drive name for removable media>:\AUTORUN.INF
<Drive name for removable media>:\Isass.exe
<SYSTEM32>\isass.exe

Miscellaneous:

Searches for the following windows:

ClassName: 'Indicator' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information