
Monday, 19 March 2012

Trojan-Downloader.VBS.Agent.aae


Technical Details

This Trojan downloads other malware via the Internet and launches it for execution without the user's knowledge or consent. It is a Visual Basic Script. It is 2967 bytes in size.

Payload

After launching, the Trojan creates the following directory:
<my_doc>\<rnd1>
where: <rnd1> is a random sequence of letters, for example "QKQLSXOOIBPAGNENGI" or "XRBWSZVVPIWHNULUNPCW"
<my_doc> is the path to the current user's "My Documents" directory, which the Trojan obtains from the following system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal]
Next, the Trojan downloads a file from the following URL:
http://kak***reat.info/PCDefenderSilentSetup.msi
At the time of writing, this link was inactive.
It saves the downloaded file in the directory created under the name:
<my_doc>\<rnd1>\<rnd2>
where <rnd2> is a random sequence of letters, for example "MWUFQDGEKLTDEJOLAI" or "ONKTSDOADBHJQBCGLJXF"
Next, the Trojan checks the following registry key to see whether UAC is enabled:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA]
If it is enabled, the Trojan installs the downloaded file in quiet mode, without user involvement; otherwise, it attempts to launch the file for execution with enhanced privileges.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    <my_doc>\<rnd1>\<rnd2>
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
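The removal step above requires locating the <rnd1>\<rnd2> pair by hand. The following script is an added example (not part of the original write-up) that scans a "My Documents" folder for directories and files matching the naming pattern quoted above and checks whether the file carries the OLE compound-file header that .msi packages use; the 18-to-20-letter length and the constructed sample tree are assumptions drawn from the four quoted sample names.

```python
import re
import tempfile
from pathlib import Path

# Naming pattern quoted in the write-up: <rnd1> and <rnd2> are runs of random
# uppercase letters; the four samples given are 18 or 20 characters long (assumed range).
RND_NAME = re.compile(r"^[A-Z]{18,20}$")

# The payload is an .msi package; MSI files are OLE compound documents,
# which begin with this 8-byte signature.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

def is_msi(path: Path) -> bool:
    """True if the file starts with the OLE compound-file header used by MSI packages."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(OLE_MAGIC)) == OLE_MAGIC
    except OSError:
        return False

def find_dropper_artifacts(my_documents: Path) -> list:
    """Return <rnd1>\\<rnd2> pairs directly under My Documents that match the layout."""
    findings = []
    for folder in sorted(my_documents.iterdir()):
        if not (folder.is_dir() and RND_NAME.match(folder.name)):
            continue
        for child in sorted(folder.iterdir()):
            if child.is_file() and RND_NAME.match(child.name):
                findings.append({"dir": folder.name, "file": child.name,
                                 "looks_like_msi": is_msi(child)})
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed test layout: one artifact pair plus ordinary user files."""
    hit = root / "QKQLSXOOIBPAGNENGI"            # <rnd1> sample from the write-up
    hit.mkdir()
    (hit / "MWUFQDGEKLTDEJOLAI").write_bytes(OLE_MAGIC + b"\x00" * 64)  # <rnd2>
    (root / "Projects").mkdir()
    (root / "Projects" / "notes.txt").write_text("ordinary document\n")
    (root / "README.TXT").write_text("a file, not a directory\n")

def run_demo() -> list:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return find_dropper_artifacts(Path(tmp))

if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a real machine, pass the path read from the Shell Folders\Personal value to find_dropper_artifacts and treat a hit as a candidate for step 2, not as proof on its own.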
