This Trojan provides a remote malicious user with administration rights to the victim machine. It is a Windows PE EXE file. It is 16,896 bytes in size. It is not packed in any way. It is written in Visual C++.

Installation

When launched, the backdoor copies itself to the Windows system directory (%System%) as "Kernl32.exe". In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KRNL" = "Kernl32.exe"

The Trojan gets the name of the victim machine and information about the amount of free disk space. This information will be sent to the following addresses using the appropriate user name and password. The information will be encrypted and called <sistemnoe_vremya> (this is Russian for "system_time").

- www.chat.ru
- ftp.geocities.com
- upload.digiweb.com

The Trojan will attempt to connect to these resources every minute.

The Trojan also opens a random TCP port and listens for commands from the remote malicious user. The backdoor enables the remote malicious user to:

- Get system information;
- Get passwords and active connections of the user;
- Download/delete files;
- Launch programs for execution;
- Create/delete directories.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

- Use Task Manager to terminate the Trojan process (it may be called Kernl32.exe).
- Delete the following file:
  %System%\Kernl32.exe
- Delete the following registry key value:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "KRNL" = "Kernl32.exe"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
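The manual removal steps above, as an added PowerShell check that is not part of the original entry: it looks for the running process, the autorun value and the dropped file exactly as this entry names them, reports what it finds, and removes them only when run with -Remove. It assumes %System% resolves to %SystemRoot%\System32 and that it is run as the affected user (the Run key is per-user, under HKCU).

```powershell
# Added example (not from the original entry): audit a host for the
# persistence artifacts described above and, optionally, clean them up.
# Assumptions: the indicators are exactly as listed in the entry and
# %System% is %SystemRoot%\System32. Default is report-only.
param([switch]$Remove)

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'KRNL'
$filePath = Join-Path $env:SystemRoot 'System32\Kernl32.exe'
$found    = $false

# 1. Running process (the Task Manager step). Stop it first so the file
#    below is not locked when it is deleted.
$procs = Get-Process -Name 'Kernl32' -ErrorAction SilentlyContinue
if ($procs) {
    $found = $true
    Write-Output "Running process Kernl32.exe, PID(s): $($procs.Id -join ', ')"
    if ($Remove) { $procs | Stop-Process -Force }
}

# 2. Autorun value: match on the value name and on the data it points at.
$val = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($val -and $val.$valName -match 'Kernl32\.exe') {
    $found = $true
    Write-Output "Autorun value: $runKey\$valName = $($val.$valName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valName }
}

# 3. Dropped copy in %System%. Record size and hash before deletion so the
#    size can be compared with the 16,896 bytes stated in the entry and the
#    sample can be preserved for analysis.
if (Test-Path -Path $filePath) {
    $found = $true
    $item = Get-Item -Path $filePath
    $hash = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash
    Write-Output ("Dropped file: {0} ({1} bytes, SHA256 {2})" -f $filePath, $item.Length, $hash)
    if ($Remove) { Remove-Item -Path $filePath -Force }
}

if (-not $found) { Write-Output 'No artifacts of this backdoor were found.' }
```

Run it once without -Remove to confirm what is present, then again with -Remove, and follow with the full antivirus scan the entry recommends.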
Printed from: http://www.viruslist.com/en/viruses/encyclopedia?virusid=47767