Technical Details
This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 33 400 bytes in size. It is packed using UPX. The unpacked file is approximately 73 KB in size. It is written in Delphi.
Payload
Once launched, the Trojan performs the following actions:
- It deletes the following file:
%Program Files%\Internet Explorer\JavaNe64.Bet
- It copies its body to a file:
%Program Files%\Internet Explorer\JavaNe64.Bet
The first 2 bytes of the file are replaced with 4B 4F.
- It extracts a file from its body and saves it under the following name:
%Program Files%\Internet Explorer\BoboChen.jsp
(50 296 bytes; detected by Kaspersky Anti-Virus as "Worm.Win32.AutoRun.aazu"). The file is created with the "hidden" and "system" attributes. The extracted library contains functionality that enables the malicious user to hijack accounts of the Chinese Tencent QQ instant messaging service.
- It launches its original file with the "Z" parameter.
In addition to the above-mentioned actions, it creates in the system a window called "Jsxtxut" (window class: "Button"). Messages sent to the created window are processed using the "MgHookOp" and "MgHookCs" functions from the previously extracted library.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
%Program Files%\Internet Explorer\JavaNe64.Bet
%Program Files%\Internet Explorer\BoboChen.jsp
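A defender-side check for the two dropped files, added here as an example and not part of the original advisory: it expands the %Program Files% paths listed above and, because the Trojan overwrites only the first two bytes of its copy with 4B 4F, confirms that a candidate file still carries an intact e_lfanew and "PE" signature behind the patched magic. The hidden/system attribute check relies on st_file_attributes and therefore only reports on Windows; the sample header bytes are constructed for illustration.

```python
import os
import struct
from pathlib import Path

# Paths named in the advisory; %ProgramFiles% is expanded by os.path.expandvars on Windows.
INDICATOR_FILES = [
    r"%ProgramFiles%\Internet Explorer\JavaNe64.Bet",
    r"%ProgramFiles%\Internet Explorer\BoboChen.jsp",
]
PATCHED_MAGIC = b"\x4B\x4F"  # bytes the Trojan writes over the "MZ" DOS signature
HIDDEN_SYSTEM = 0x2 | 0x4    # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def looks_like_ko_patched_pe(data: bytes) -> bool:
    """True if data is a PE image whose first two bytes were overwritten with 4B 4F.

    Only the DOS magic is touched, so e_lfanew (offset 0x3C) and the
    'PE\\0\\0' signature it points to must still be intact.
    """
    if len(data) < 0x40 or data[:2] != PATCHED_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_hidden_system(path: Path) -> bool:
    """Hidden+system attribute combination from the advisory (Windows only; False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def scan(paths=INDICATOR_FILES) -> list:
    """Return one finding per indicator file that exists on this host."""
    findings = []
    for raw in paths:
        p = Path(os.path.expandvars(raw))
        if not p.is_file():
            continue
        data = p.read_bytes()  # dropped files are small (33 400 and 50 296 bytes)
        findings.append({"path": str(p), "size": len(data),
                         "patched_pe": looks_like_ko_patched_pe(data),
                         "hidden_system": is_hidden_system(p)})
    return findings


def build_sample(magic: bytes) -> bytes:
    """Constructed test image: 0x40-byte DOS header with e_lfanew=0x40, then a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = magic
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20
```

Run `scan()` on a suspect host and treat any finding with `patched_pe` set as the JavaNe64.Bet copy described above; a file at that path with an ordinary "MZ" header is not the pattern this advisory describes.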