
Monday, March 19, 2012

Trojan-Downloader.Win32.Agent.bgol
Technical Details

This Trojan installs other programs on the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 23 198 bytes in size. It is packed using UPack. The unpacked file is approximately 143 KB in size. It is written in Delphi.

Payload

Once launched, the Trojan performs the following actions:
  • It extracts files from its body and saves them in the system as:
    %System%\xaiasp.dll
    (19 456 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Delf.inf")
    %WinDir%\Fonts\system
    (1544 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.StartPage.dhu")
    %WinDir%\Fonts\alg.exe
    (5308 bytes; detected by Kaspersky Anti-Virus as "Trojan-GameThief.Win32.OnLineGames.upwe")
  • It then runs the extracted "system" and "alg.exe" files.
  • It launches an instance of the "svchost.exe" process and injects the executable code from the previously extracted "xaiasp.dll" library into its address space.
  • To delete its original file after completing its tasks, it creates the following command interpreter script:
    c:\DEL.bat
    with the following content:
    :lo
    del "<complete path to original Trojan file>"
    if exist "<complete path to original Trojan file>" goto lo
    del %0
  • It launches the created script. The file "c:\DEL.bat" is also deleted. The Trojan then ceases running.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Reboot the computer.
  2. Delete the following files:
    %System%\xaiasp.dll
    %WinDir%\Fonts\system
    %WinDir%\Fonts\alg.exe
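As an added, defender-side example (not part of the original write-up): a Python check that reports which of the files listed above are present under a given Windows directory, compares their sizes with the stated ones, and recognises the looping self-deletion batch pattern described in the Payload section. It assumes %System% is System32 under %WinDir%, and the sample tree it builds is constructed for demonstration only.

```python
import os
import re
import tempfile

# Dropped files from the write-up, relative to %WinDir% (%System% = System32).
DROPPED_FILES = {
    "System32/xaiasp.dll": 19456,
    "Fonts/system": 1544,
    "Fonts/alg.exe": 5308,
}

LABEL_RE = re.compile(r"^:(\w+)$")
SELF_DEL_RE = re.compile(r"^del\s+%0$", re.IGNORECASE)
DEL_RE = re.compile(r'^del\s+"?(.+?)"?$', re.IGNORECASE)
GOTO_RE = re.compile(r'^if\s+exist\s+"?(.+?)"?\s+goto\s+(\w+)$', re.IGNORECASE)

def is_self_delete_loop(script_text):
    """Match the DEL.bat shape above: label, del X, if exist X goto label, del %0."""
    label = target = None
    loops_back = deletes_self = False
    for raw in script_text.splitlines():
        line = raw.strip()
        if (m := LABEL_RE.match(line)):
            label = m.group(1).lower()
        elif SELF_DEL_RE.match(line):
            deletes_self = True
        elif (m := DEL_RE.match(line)):
            target = m.group(1)
        elif (m := GOTO_RE.match(line)) and label and target:
            loops_back = m.group(1) == target and m.group(2).lower() == label
    return loops_back and deletes_self

def scan_windir(windir):
    """Dropped files present under windir -> whether their size matches the stated size."""
    found = {}
    for rel, size in DROPPED_FILES.items():
        path = os.path.join(windir, *rel.split("/"))
        if os.path.isfile(path):
            found[rel] = os.path.getsize(path) == size
    return found

def build_sample_windir():
    """Constructed demo tree (not a real infection): one exact-size file, one wrong-size file."""
    root = tempfile.mkdtemp()
    for rel, size in (("System32/xaiasp.dll", 19456), ("Fonts/alg.exe", 100)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return root
```

A size mismatch on a present file does not clear the machine; it only means the file is not the exact sample described here.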
