Wednesday, April 4, 2012

Trojan-Dropper.Win32.HDrop.jo


Technical Details

This Trojan downloads files from the Internet and launches them on the victim machine without the user's knowledge or consent. It is a Windows application (PE EXE file). It is 14 848 bytes in size. It is packed using an unknown packer. The unpacked file is approximately 20 KB in size. It is written in C++.

Payload

After launch, the Trojan downloads files from the Internet at the following links:
    http://188.***.161/mrmun_sgjlgdsjrthrtwg.exe
    http://188.***.165/mrmun_sgjlgdsjrthrtwg.exe
    http://188.***.165/bat.exe
    http://188.***.161/bat.exe

The downloaded files may be saved in the system under the following names:
    %WinDir%\Temp\_ex-68.exe
    %WinDir%\Temp\_ex-08.exe
    %WinDir%\Temp\_ex-89.exe

Once downloaded, the files are launched for execution. At the time of writing, a file 1 134 592 bytes in size was downloaded from the second link. It is detected by Kaspersky Anti-Virus as "Trojan.Win32.FakeAV.eya".

Next, the Trojan ceases running.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following files:
    %WinDir%\Temp\_ex-68.exe
    %WinDir%\Temp\_ex-08.exe
    %WinDir%\Temp\_ex-89.exe
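
Before deleting the files in step 2, it is useful to record what was actually on disk. The following sweep is an added example, not part of the original write-up: it checks the Temp directory of a live system or a mounted disk image for the three listed names, and records the size, SHA-256 and PE header check for each hit. The function name `sweep_temp` is hypothetical, and the broader `_ex-NN.exe` pattern is an assumption that goes beyond the three names given above.

```python
import hashlib
import os
import re
from pathlib import Path

# File names listed on this page for the downloaded payloads.
LISTED_NAMES = {"_ex-68.exe", "_ex-08.exe", "_ex-89.exe"}
# Assumption (not stated on the page): other payloads follow the same
# "_ex-<two digits>.exe" shape, so they are reported as "pattern" hits.
NAME_PATTERN = re.compile(r"^_ex-\d{2}\.exe$", re.IGNORECASE)


def sweep_temp(windir):
    """Return one finding per matching file in <windir>/Temp."""
    temp = Path(windir) / "Temp"
    findings = []
    if not temp.is_dir():
        return findings
    for entry in sorted(temp.iterdir(), key=lambda p: p.name.lower()):
        name = entry.name.lower()
        if not entry.is_file() or not NAME_PATTERN.match(name):
            continue
        data = entry.read_bytes()
        findings.append({
            "path": str(entry),
            "match": "listed" if name in LISTED_NAMES else "pattern",
            "size": len(data),
            "is_pe": data[:2] == b"MZ",  # DOS header magic of a PE EXE
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return findings


if __name__ == "__main__":
    # Live system: uses %WinDir%. For a mounted image, set WinDir to the
    # image's Windows directory before running.
    root = os.environ.get("WinDir", r"C:\Windows")
    for f in sweep_temp(root):
        print(f"{f['match']:8} {f['size']:>9} PE={f['is_pe']} "
              f"{f['sha256']} {f['path']}")
```

A "pattern" hit is only a lead for further inspection, since that naming rule is not confirmed by the description above.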
