Technical Details
This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a compiled AutoIt script. It is 617 473 bytes in size. It is packed using ASPack. The unpacked file is approximately 678 KB in size.
Installation
Once launched, the Trojan copies its body to the following files:
%System%\regsvr.exe (the file is created with the "hidden" attribute)
%System%\svchost.exe (the file is created with the "hidden" attribute)
%WinDir%\regsvr.exe
In order to ensure that it is launched automatically each time the system is rebooted, the Trojan add links to its copies to the following system registry keys:[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger" = "%System%\regsvr.exe"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "... regsvr.exe"
This way the original Trojan file will be launched by the process "winlogon.exe" even if Windows boots up in safe mode.Payload
Once launched, the Trojan performs the following actions:
- It attempts to connect to the following HTTP servers:
87.***.14 69.***.224 - It creates the directory:
%System%\<rnd>where <rnd> is a random five-digit decimal number. - It extracts a file from its body and saves it in the system as:
%System%\<rnd>\svchost.exe(525 312 bytes; detected by Kaspersky Anti-Virus as "not-a-virus:Monitor.Win32.Ardamax.ae") - It launches the extracted file for execution.
- It modifies the values of the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NofolderOptions" = 0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr" = 0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools" = 1The modification of the last key disables the registry editor. - It creates the file:
%System%\setup.ini (96 bytes)with the following content:[Autorun] Open=regsvr.exe Shellexecute=regsvr.exe Shell\Open\command=regsvr.exe Shell=Open - It launches the system command interpreter "cmd.exe" with the following parameters:
/C AT /delete /yesThis cancels all scheduled tasks in Windows Task Scheduler./C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %System%\svchost.exe
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Msn Messsenger" = "%System%\regsvr.exe" - Delete the following file:
%System%\setup.ini - Restore the original system registry key values (see What is a system registry and how do I use it?):
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "... regsvr.exe" [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NofolderOptions" = 0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr" = 0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools" = 1 - Launch the system command interpreter "cmd.exe" with the following parameters:
/C AT /delete /yes - Reboot the computer.
- Delete the following files:
%System%\regsvr.exe %System%\svchost.exe %WinDir%\regsvr.exe %System%\<rnd>\svchost.exe - Delete the folder created by the Trojan:
%System%\<rnd>
Žádné komentáře:
Okomentovat