Technical Details
This Trojan has a malicious payload. It is a Windows application (PE EXE file). It is 24 576 bytes in size. It is packed using an unknown packer. The unpacked file is approximately 48 KB in size. It is written in Delphi.
Payload
Once launched, the Trojan creates the following file:
%System%\drivers\etc\hosts2
It writes the following content to this file:85.***.10 www.vkontakte.ru
85.***.10 vkontakte.ru
85.***.10 www.odnoklassniki.ru
85.***.10 odnoklassniki.ru
The Trojan then moves the created file, replacing the original "hosts" file:%System%\drivers\etc\hosts
whereby the above-mentioned URL addresses are redirected to the specified IP address.Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Restore the original content of the file:
%System%\drivers\etc\hostswhich has the following structure:# (C) Microsoft Corporation, 1993-1999 # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. # Each entry should be on a separate line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one space. # # Additionally, strings can include comments # (such as these) following the host name separated # by a "#" symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost - Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
Žádné komentáře:
Okomentovat