Technical Details
This Trojan installs other programs on the victim machine without the user's knowledge or consent. It is a Windows application (PE EXE file), 5308 bytes in size, packed with PE_Patch or UPack. The unpacked file is approximately 66 KB in size. It is written in C++.
Payload
After launching, the Trojan extracts a file from its body and saves it in the system under the following name:
%WinDir%\Downloaded Program Files\spoolv.exe
(3740 bytes; detected by Kaspersky Anti-Virus as "Exploit.Win32.IMG-WMF.fk")
The extracted exploit file can download a file from the Internet through a link passed to it as a command-line parameter. To do so, the exploit uses the vulnerability MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx).
The extracted file is then launched for execution with the following parameter:
http://m.w***c8.com/mm.exe
At the time of writing, an HTML page 1142 bytes in size was downloaded from this link.
The Trojan then ceases running.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following file:
%WinDir%\Downloaded Program Files\spoolv.exe
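As an added example that is not part of the original description, the following PowerShell script carries out the second removal step: it resolves %WinDir%, checks whether spoolv.exe exists in Downloaded Program Files, confirms that the file matches what is described above (PE header and the stated 3740-byte size) before deleting it, records a SHA-256 for the incident log, and reports what it did. The function name and the -WhatIf handling are assumptions of this example.

```powershell
# Added example (not from the original description): locate and remove the
# dropped file described above. The function name is hypothetical.
function Remove-SpoolvDropper {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path from the description: %WinDir%\Downloaded Program Files\spoolv.exe
        [string]$Path = (Join-Path $env:WinDir 'Downloaded Program Files\spoolv.exe'),
        # Size of the dropped exploit file as stated in the description
        [int]$ExpectedSize = 3740
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Found = $false; Removed = $false; Note = 'not present' }
    }

    $item = Get-Item -LiteralPath $Path -Force
    # A PE executable starts with the two bytes 'MZ' (0x4D 0x5A)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $isPe = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
    $sizeMatches = ($item.Length -eq $ExpectedSize)

    # Record a hash for the incident log before the file is removed
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    if (-not $isPe -or -not $sizeMatches) {
        # Something sits at the indicator path but does not match the sample; leave it for manual review
        return [pscustomobject]@{ Path = $Path; Found = $true; Removed = $false; IsPE = $isPe
                                  SizeMatches = $sizeMatches; SHA256 = $hash
                                  Note = 'does not match description, review manually' }
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Remove dropped exploit file')) {
        # Clear read-only/hidden attributes so the deletion does not fail on them
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $Path -Force
    }
    return [pscustomobject]@{ Path = $Path; Found = $true
                              Removed = (-not (Test-Path -LiteralPath $Path))
                              IsPE = $isPe; SizeMatches = $sizeMatches; SHA256 = $hash; Note = 'removed' }
}

# Preview with -WhatIf first, then run for real
Remove-SpoolvDropper -WhatIf
Remove-SpoolvDropper
```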