Wednesday, August 27, 2008

Trojan.Win32.Agent.dcc

Once launched, the Trojan copies its executable file as shown below:
%System%\drivers\runtime.sys

In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which loads the driver copy (runtime.sys) each time Windows is booted. The following registry key is created:

[HKLM\System\CurrentControlSet\Services\runtime]

Once installed, the Trojan deletes its original file.

The Trojan is a Windows PE EXE file, 20480 bytes in size, carrying a malicious payload.

The Trojan contains a rootkit driver which masks the presence of the Trojan's own files on the hard disk, as well as the presence of the files listed below:

%System%\ntoskrnl.exe
%System%\ntkrnlpa.exe
%System%\ntkrnlmp.exe
%System%\ntkrpamp.exe

It also masks the presence of processes related to these files.
The Trojan also launches a hidden "iexplore.exe" process and injects its code into it; the injected code then downloads files from the following addresses:

208.66.194.***
66.246.252.***
208.66.195.***
74.53.42.***
74.53.42.***

Downloaded files are saved in %TEMP% under a file name consisting of a random sequence of numbers with an .exe extension:

%TEMP%\.exe

Once downloaded, the files will be launched for execution.

Removal Guide

If your computer does not have an up-to-date antivirus, or has no antivirus at all, follow the instructions below to delete the malicious program. Note that runtime.sys is a kernel driver, not an ordinary program: while it is loaded it hides its own file and the processes it creates, so carry out the registry and file steps from Safe Mode or an offline boot environment, and remove the service before the file so that the driver is not loaded again at the next boot:

1. Use Task Manager to terminate the malicious program's process (the hidden "iexplore.exe" it launches). It will not be listed while the rootkit driver is loaded.

2. Delete the following system registry key (this removes the "Runtime" service):

[HKLM\System\CurrentControlSet\Services\runtime]

3. Delete the following file:

%System%\drivers\runtime.sys

4. Delete the contents of %Temp% (the downloaded payloads are saved there).
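The following PowerShell script is an added example, not part of the original write-up, covering both the persistence mechanism described above (the "Runtime" driver service) and the removal steps. It reports the service key, the driver file, any other driver service whose image is not visible on disk (the discrepancy a file-hiding rootkit produces), and numeric-named executables in %TEMP%, and with -Remove deletes them in the order the guide gives. The service name and paths come from the write-up; the parameter names, the numeric-file-name heuristic and the use of sc.exe are assumptions. Run it elevated, and preferably from Safe Mode or with the disk attached to a clean system, since the loaded driver hides its own artefacts.

```powershell
# Added example (not code from the original write-up): triage and removal helper
# for the "runtime" driver service. Assumptions: parameter names, sc.exe for
# service removal, and that payloads in %TEMP% have purely numeric names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServiceName = 'runtime',
    [string]$DriverPath  = (Join-Path $env:SystemRoot 'System32\drivers\runtime.sys'),
    [switch]$Remove
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svcKey       = Join-Path $servicesRoot $ServiceName
$findings     = New-Object System.Collections.Generic.List[object]

function Resolve-ImagePath([string]$ImagePath) {
    # Normalise the forms seen in driver ImagePath values:
    # "\??\C:\...", "\SystemRoot\system32\..." and the bare "system32\drivers\x.sys".
    $p = $ImagePath.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# 1. The specific persistence key named in the write-up.
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings.Add([pscustomobject]@{
        Indicator = 'ServiceKey'; Name = $ServiceName
        Detail    = "Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
    })
}

# 2. The driver file. A service key with no visible file means either the file
#    was deleted or the rootkit is hiding it from the API; both are worth reporting.
$driverVisible = Test-Path -LiteralPath $DriverPath
$driverDetail  = 'visible'
if (-not $driverVisible) { $driverDetail = 'not visible (deleted, or hidden by the rootkit)' }
$findings.Add([pscustomobject]@{ Indicator = 'DriverFile'; Name = $DriverPath; Detail = $driverDetail })

# 3. The same discrepancy checked generically: every kernel or file-system
#    driver service (Type 1 or 2) whose ImagePath is not visible on disk.
Get-ChildItem -LiteralPath $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and ($p.Type -in 1, 2) -and $p.ImagePath) {
        $img = Resolve-ImagePath $p.ImagePath
        if (-not (Test-Path -LiteralPath $img)) {
            $findings.Add([pscustomobject]@{
                Indicator = 'DriverWithoutVisibleFile'; Name = $_.PSChildName; Detail = $img
            })
        }
    }
}

# 4. Downloaded payloads: executables in %TEMP% whose names are only digits.
$payloads = @(Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
              Where-Object { $_.BaseName -match '^\d+$' })
foreach ($f in $payloads) {
    $findings.Add([pscustomobject]@{ Indicator = 'TempPayload'; Name = $f.FullName; Detail = "$($f.Length) bytes" })
}

$findings | Format-Table -AutoSize

if ($Remove) {
    # Service first, so the driver is not reloaded on the next boot; then the
    # driver file, then the payloads. -WhatIf shows the actions without taking them.
    if ($PSCmdlet.ShouldProcess($ServiceName, 'stop and delete service')) {
        sc.exe stop   $ServiceName | Out-Null
        sc.exe delete $ServiceName | Out-Null
        if (Test-Path -LiteralPath $svcKey) { Remove-Item -LiteralPath $svcKey -Recurse -Force }
    }
    if ($driverVisible -and $PSCmdlet.ShouldProcess($DriverPath, 'delete driver file')) {
        Remove-Item -LiteralPath $DriverPath -Force
    }
    foreach ($f in $payloads) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'delete payload')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    Write-Host 'Reboot, then run the script again without -Remove to confirm nothing has returned.'
}
```

The generic driver check (step 3) will also list stale service entries for drivers that were uninstalled without cleaning up their keys, so treat its output as a list of things to look at rather than as confirmed infections; the specific checks on the "runtime" key and runtime.sys are the ones that match this Trojan. If the driver is loaded, Test-Path will report the file as absent even though the service key points at it, which is exactly the discrepancy the script is meant to surface.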
