New worm infects RAR archives

May 15, 2012

The Russian IT security company Doctor Web is informing users about the worm Win32.HLLW.Autoruner.64548, which can infect RAR archives. It can download executable files from a remote server to perform malicious tasks on the compromised system.

Win32.HLLW.Autoruner.64548 spreads as many other worms do: it creates a copy of itself on a disk and places an autorun.inf file in the root directory so that the worm launches as soon as the device is connected to a computer. When launched on the infected computer, Win32.HLLW.Autoruner.64548 searches disks for RAR archives and places itself into them under one of the following names: secret.exe, AVIRA_License.exe, Warcraft_money.exe, CS16.exe, Update.exe, private.exe, Autoruns.exe, Tutorial.exe, Autorun.exe, Readme.exe, Real.exe, readme.exe, Keygen.exe, or Avast_keygen.exe. In some cases, this modification damages the archives.

In addition, the worm has a payload module. Its body also contains an executable file that Win32.HLLW.Autoruner.64548 saves into the Windows folder as mssys.dll. The malicious program registers the library file in the registry. The worm injects the payload code into a copy of its own process. Then the malware connects to a remote server and waits for malicious commands to download and run executable files.

Win32.HLLW.Autoruner.64548 belongs to a rare category of malicious programs that can infect RAR archives. When unpacking RAR archives, watch for suspicious executable files in the archive: launching one accidentally may harm your computer. The worm's signature has been added to the Dr.Web virus databases.
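As an added example (not Doctor Web's code), the check below lists the members of a RAR archive without unpacking it and flags any whose file name matches the names given above. It assumes the RAR 4.x block layout with unencrypted headers; the function names are hypothetical, and `SAMPLE` is a constructed byte string with zeroed header CRCs, so it exercises this parser but is not a valid archive for real RAR tools.

```python
import struct

# Names the article lists for the worm's copies (compared case-insensitively).
WORM_NAMES = {n.lower() for n in (
    "secret.exe", "AVIRA_License.exe", "Warcraft_money.exe", "CS16.exe",
    "Update.exe", "private.exe", "Autoruns.exe", "Tutorial.exe", "Autorun.exe",
    "Readme.exe", "Real.exe", "Keygen.exe", "Avast_keygen.exe")}
RAR4_MAGIC = b"Rar!\x1a\x07\x00"

def rar4_names(data):
    """Return member names from RAR 4.x bytes without unpacking anything."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 4.x archive")
    names, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            break  # damaged or truncated header: stop rather than guess
        add = 0
        if (flags & 0x8000 or htype == 0x74) and hsize >= 11:
            add = struct.unpack_from("<I", data, pos + 7)[0]  # ADD_SIZE / PACK_SIZE
        if htype == 0x74 and hsize >= 32:  # FILE_HEAD block
            nlen = struct.unpack_from("<H", data, pos + 26)[0]  # NAME_SIZE
            off = pos + 32
            if flags & 0x0100 and hsize >= 40:  # HIGH_PACK_SIZE, HIGH_UNP_SIZE
                add |= struct.unpack_from("<I", data, off)[0] << 32
                off += 8
            raw = data[off:min(off + nlen, pos + hsize)]
            names.append(raw.split(b"\0")[0].decode("latin-1"))
        pos += hsize + add  # skip the header and any packed data after it
    return names

def suspicious_members(data):
    """Members whose base name matches one of the article's file names."""
    return [n for n in rar4_names(data)
            if n.replace("\\", "/").rsplit("/", 1)[-1].lower() in WORM_NAMES]

def _block(htype, flags, body=b"", payload=b""):
    # Builder for the constructed sample only; HEAD_CRC is left at zero.
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + payload

def _file(name, payload=b"data"):
    n = name.encode("latin-1")
    fixed = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0,
                        29, 0x30, len(n), 0x20)
    return _block(0x74, 0x8000, fixed + n, payload)

# Constructed sample: main header, two members, end-of-archive block.
SAMPLE = (RAR4_MAGIC + _block(0x73, 0, bytes(6)) + _file("docs\\report.txt")
          + _file("tools\\Keygen.exe") + _block(0x7B, 0x4000))
```

A name match is only a triage signal, since legitimate archives can contain files with these names; a hit means the file should be scanned before anyone runs it.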
