Virus: Trojan.Winlock.7372
Added to the virus database Dr.Web: 2012-11-14
Technical information
To ensure autorun and distribution:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Updater' = '"<full path to the virus>"'
Malicious functions:
To bypass the firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Terminates or attempts to terminate the following user processes:
firefox.exe
opera.exe
iexplore.exe
chrome.exe
Changes in the file system:
Creates the following files:
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\getunlock[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\picture[1].php
Deletes the following files:
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\getunlock[1].php
Network activity:
Connects to:
'5.###.24.156':80
'localhost':1036
TCP:
Requests HTTP GET:
5.###.24.156/adm5/getunlock.php
5.###.24.156/ad