Tuesday, September 2, 2008

Trojan-Downloader.Win32.Banload.dcd Virus

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 113152 bytes in size. It is not packed in any way. This Trojan is written in Visual Basic.

INSTALLATION

Once launched, the Trojan copies its body into a subdirectory of the Windows program files directory as "lsass.exe", a name borrowed from the genuine Local Security Authority process, which only ever runs from %SystemRoot%\System32:

%Program Files%\Microsoft Studio Files\lsass.exe

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

The Trojan then creates a command interpreter file called "vcdg.bat" in the same directory:

%Program Files%\Microsoft Studio Files\vcdg.bat

It writes the following command to this file (a single line, wrapped here only for display in the original):
netsh.exe firewall add allowedprogram PROGRAM="%Program Files%\Microsoft Studio Files\lsass.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

Running it adds an exception for lsass.exe to the Windows Firewall (Windows XP SP2 and later) under the innocuous rule name "Session Win32", so the malicious process can accept unsolicited inbound connections; the XP firewall does not filter outbound traffic, so the Trojan's own downloads were never blocked in any case. The exception is not removed when the file is deleted and has to be deleted separately.

"%Program Files%\Microsoft Studio Files\vcdg.bat" is then launched for execution.

PAYLOAD

Once installed, the Trojan downloads files from the following URLs:

http://www.club-vw.cl/*****/modules/subsmanager/api_apache.tar
http://www.*****-consult.net/rcss.res
http://www.photo-*****.ru/images/exhibition_moll2005_file0031.jpg

At the time of writing, these links were not active.

http://www.cemm*****ac.at/img/nav/plus19a_RO.jpg

This file is 2603325 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banbra.bak.

Files which are downloaded are saved to the Trojan's installation directory under random names and launched for execution.

REMOVAL GUIDE

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process. Two processes named lsass.exe will be listed: the genuine one runs from %SystemRoot%\System32 under the SYSTEM account and cannot be ended, while the Trojan's copy runs under the logged-on user's account, since it is started from the HKCU Run key.

2. Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

4. Delete the following directory and its contents:
%Program Files%\Microsoft Studio Files

5. Delete all files from %Temporary Internet Files%.
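The indicators from the INSTALLATION section and the steps of the REMOVAL GUIDE, worked through as a small triage script. This is an added example and not part of the original description: it parses the output of `reg query` and `netsh firewall show allowedprogram`, flags the "lsass" Run value, the "Session Win32" firewall exception and any lsass.exe started from outside System32, and emits the removal commands, including deletion of the firewall exception, which the guide above leaves out. The two listings embedded in the script are constructed samples in the approximate shape of those commands' output, %Program Files% is assumed to be the Windows XP default C:\Program Files, and the generated commands target XP-era tooling (wmic, netsh firewall).

```python
"""Triage a Windows XP host for the Banload.dcd indicators described
above and build the matching removal plan.

Added example, not part of the original description. The registry and
firewall listings are constructed samples in the shape of `reg query`
and `netsh firewall show allowedprogram` output; on a live host you
would feed in the real output of those two commands.
"""
import re
from pathlib import PureWindowsPath

# Indicators from the description, with %Program Files% expanded to the
# Windows XP default (an assumption; adjust for non-default installs).
INSTALL_DIR = r"C:\Program Files\Microsoft Studio Files"
RUN_VALUE = "lsass"
FW_RULE_NAME = "Session Win32"
# Where the genuine LSASS lives; any lsass.exe elsewhere is suspect.
LEGIT_LSASS = r"C:\WINDOWS\system32\lsass.exe"

# Constructed sample: `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    lsass    REG_SZ    C:\Program Files\Microsoft Studio Files\lsass.exe
"""

# Constructed sample: `netsh firewall show allowedprogram` (Standard profile)
SAMPLE_FIREWALL = r"""
Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   Session Win32 / C:\Program Files\Microsoft Studio Files\lsass.exe
"""


def parse_run_key(text):
    """Map Run value names to their commands from `reg query` output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def parse_allowed_programs(text):
    """List (mode, rule name, program) from `netsh firewall show allowedprogram`."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(Enable|Disable)\s+(.*?) / (.*\S)\s*$", line)
        if m:
            rules.append(m.groups())
    return rules


def under_dir(path, directory):
    # PureWindowsPath compares case-insensitively, as NTFS does.
    return PureWindowsPath(directory) in PureWindowsPath(path).parents


def find_indicators(run_entries, fw_rules):
    """Match the parsed artefacts against the Banload.dcd indicators and
    against the generic 'lsass.exe outside System32' heuristic."""
    findings = []
    for name, command in run_entries.items():
        exe = command.strip().strip('"')
        if name.lower() == RUN_VALUE or under_dir(exe, INSTALL_DIR):
            findings.append(("run_key", name, exe))
        if (PureWindowsPath(exe).name.lower() == "lsass.exe"
                and PureWindowsPath(exe) != PureWindowsPath(LEGIT_LSASS)):
            findings.append(("lsass_masquerade", name, exe))
    for mode, rule, program in fw_rules:
        if rule == FW_RULE_NAME or under_dir(program, INSTALL_DIR):
            findings.append(("firewall_exception", rule, program))
    return findings


def remediation_plan(findings):
    """cmd.exe commands for the removal steps above, plus the step the
    guide leaves out: deleting the firewall exception vcdg.bat added."""
    cmds = []
    exes = sorted({p for k, _, p in findings if k != "firewall_exception"})
    for exe in exes:
        # taskkill has no path filter and `/IM lsass.exe` would also hit
        # the genuine LSASS, so terminate by full path through WMI
        # (WQL string literals need doubled backslashes).
        wql = exe.replace("\\", "\\\\")
        cmds.append('wmic process where "ExecutablePath=\'{}\'" call terminate'.format(wql))
    for kind, name, path in findings:
        if kind == "run_key":
            cmds.append(rf'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "{name}" /f')
        elif kind == "firewall_exception":
            cmds.append(f'netsh firewall delete allowedprogram program="{path}"')
    if any(under_dir(p, INSTALL_DIR) for _, _, p in findings):
        cmds.append(f'rmdir /S /Q "{INSTALL_DIR}"')
    # Step 3 (the original dropper) cannot be scripted: its location
    # depends on how the file arrived on the machine.
    return cmds


def triage(run_key_text, firewall_text):
    findings = find_indicators(parse_run_key(run_key_text),
                               parse_allowed_programs(firewall_text))
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    found, plan = triage(SAMPLE_RUN_KEY, SAMPLE_FIREWALL)
    for f in found:
        print("INDICATOR", *f)
    print("\n".join(plan))
```

Run with no arguments to see the findings and plan for the embedded samples; on a real host, substitute the actual output of the two commands. The lsass.exe check fires on any copy outside System32, so it also catches variants that change the directory name, and the genuine %SystemRoot%\System32\lsass.exe is never flagged or terminated.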
