Monday, October 27, 2008

Trojan-Downloader.Win32.Delf.cgx

Technical Details

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 48128 bytes in size. It is packed using PECompact. The unpacked file is approximately 131KB in size. It is written in Delphi.

Symptoms

Once launched, the Trojan downloads files from the following URLs:

http://paginas.terra.com.br/*****/down2/code.jpg
http://paginas.terra.com.br/*****/down1/lzma.jpg
http://paginas.terra.com.br/*****/down1/branch.jpg
http://paginas.terra.com.br/*****/down1/7z2.jpg
http://paginas.terra.com.br/*****/down1/7z.jpg

These files will be saved to the Windows root directory as follows:

%WinDir%\krn.7z
%WinDir%\7z\Codecs\lzma.dll
%WinDir%\7z\Codecs\branch.dll
%WinDir%\7z\Formats\7z.dll
%WinDir%\7z\7z.exe

The saved files are then launched for execution.

Removal instructions

1. Use Task Manager to terminate the Trojan process.

2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

3. Delete the following files:

%WinDir%\krn.7z
%WinDir%\7z\Codecs\lzma.dll
%WinDir%\7z\Codecs\branch.dll
%WinDir%\7z\Formats\7z.dll
%WinDir%\7z\7z.exe

4. Delete all files from %Temporary Internet Files%
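The file list above is the practical indicator for this sample: the dropped components are ordinary 7-Zip binaries, so what flags an infection is their unusual location under %WinDir%, not the files themselves. The script below is an added example (not part of the original description) that checks a Windows directory for those paths and, optionally, carries out step 3 of the removal. The `build_sample_windir` fixture is a constructed stand-in for an infected %WinDir% so the check can be exercised offline; the placeholder file contents are not malware.

```python
import os
import tempfile
from pathlib import Path

# Dropped-file paths from the description, relative to %WinDir%.
DROPPED_FILES = [
    r"krn.7z",
    r"7z\Codecs\lzma.dll",
    r"7z\Codecs\branch.dll",
    r"7z\Formats\7z.dll",
    r"7z\7z.exe",
]


def _resolve(windir, rel):
    # Split on the Windows separator so the check also works on POSIX hosts
    # (e.g. when scanning a mounted image).
    return Path(windir).joinpath(*rel.split("\\"))


def find_indicators(windir):
    """Return the subset of DROPPED_FILES present under windir, in list order."""
    return [rel for rel in DROPPED_FILES if _resolve(windir, rel).is_file()]


def remove_indicators(windir, dry_run=True):
    """Delete the dropped files (removal step 3). With dry_run=True only report."""
    removed = []
    for rel in find_indicators(windir):
        if not dry_run:
            _resolve(windir, rel).unlink()
        removed.append(rel)
    return removed


def build_sample_windir():
    """Constructed fixture: a temp dir mimicking an infected %WinDir%.

    Only three of the five paths are created, so the output shows a partial match.
    """
    tmp = tempfile.mkdtemp(prefix="delf_cgx_demo_")
    for rel in ("krn.7z", "7z\\7z.exe", "7z\\Formats\\7z.dll"):
        p = _resolve(tmp, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")  # constructed content, not real malware
    return tmp


if __name__ == "__main__":
    # On a real Windows host use %WinDir%; elsewhere fall back to the fixture.
    windir = os.environ.get("WinDir") or build_sample_windir()
    hits = find_indicators(windir)
    if hits:
        print(f"Indicators found under {windir}:")
        for rel in hits:
            print("  " + rel)
        print("Re-run remove_indicators(windir, dry_run=False) to delete them.")
    else:
        print(f"No Trojan-Downloader.Win32.Delf.cgx artifacts under {windir}.")
```

Run the deletion only after the Trojan process has been terminated (step 1); otherwise the downloader may simply re-fetch and recreate the files.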