Threat Information for "Win32.HLLM.Oder"

Removal

StopSign will automatically remove this infection with a paid membership.

Summary
  • Name: Win32.HLLM.Oder
  • Aliases:
  • Date Discovered: 2007-01-25
  • Protection Added: 2007-01-26
Description
-- Ease of Removal

1: File names randomly generated from a hard-coded list
2: Consistent file contents
3: Runs as a BHO or shell extension
4: Runs as a service
5: Injects DLLs into running processes
6: Uses running processes
7: Creates new registry entries randomly from a hard-coded list

-- Privacy Risks/Security Changes

1: Transmits personal data to remote computers
2: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Modifies non-critical registry entries
2: Displays targeted popup advertisements
3: Significantly slows down the computer
4: Displays deceptive error messages
5: Creates new files
6: Downloads other threats

-- Propagation/Saturation

1: Infects from an email attachment
2: Spreads to other computers on the same network
3: Infects through a blind IP address attack
4: Spreads through Peer-2-Peer software
Technical Details
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\ipv6monl.dll
  • Added Directory/File:
    FilePath: %ROOTDRIVE%*._eac_qt_ FileSize: 85936
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\*.* MD5: deeb66c56f6f5bdd17459e5289fd8dbb
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\*.* MD5: d18d23d7769c77f3c77ad10d32df909c
  • Added Directory/File:
    FilePath: %ROOTDRIVE%*._eac_qt_ FileSize: 83456
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\netupdate.exe
  • Added Registry Key:
    Key: HKLM\%CURRENTVERSIONREG%\ShellBotR
  • Added Registry Key:
    Key: HKU\S-*\Software\unker
  • Added Registry Key:
    Key: HKLM\SOFTWARE\WinUpdate
  • Added Registry Key:
    Key: HKLM\%CURRENTVERSIONREG%\Run
  • Added Registry Key:
    Key: HKLM\%BHOREG%\{73364D99-1240-4dff-B11A-67E448373048}
  • Added Registry Key:
    Key: HKLM\SOFTWARE\WinUpload
  • Added Registry Key:
    Key: HKLM\%CURRENTVERSIONREG%\ShellBot
  • Added Registry Key:
    Key: HKCU\Software\unker
  • Added Registry Value:
    Key: HKCU\%CURRENTVERSIONREG%\Run Value: svchctrl
  • Added Registry Value:
    Key: HKU\S-*\%CURRENTVERSIONREG%\Run Value: windows_startup
  • Added Registry Value:
    Key: HKU\S-*\%CURRENTVERSIONREG% Value: wmf.1.2
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Value: EnableFirewall
  • Added Registry Value:
    Key: HKLM\%CURRENTVERSIONREG% Value: wmf.1.1
  • Added Registry Value:
    Key: HKCU\%CURRENTVERSIONREG%\Run Value: windows_startup
  • Added Registry Value:
    Key: HKU\S-*\%CURRENTVERSIONREG%\Run Value: svchctrl
  • Added Registry Value:
    Key: HKU\S-*\%CURRENTVERSIONREG% Value: wmf.1.1
  • Added Registry Value:
    Key: HKLM\%CURRENTVERSIONREG% Value: wmf.1.2
  • Added Registry Data:
    Key: HKCR\CLSID\*\InprocServer32 Value: [RANDOM VALUE] Data: ipv6monl.dll delKeyLevel=1 delKey=TRUE
  • Added Registry Data:
    Key: HKLM\SOFTWARE\Classes\CLSID\*\InprocServer32 Value: [RANDOM VALUE] Data: ipv6monl.dll delKeyLevel=1 delKey=TRUE