This Trojan downloads other programs via the Internet without the knowledge or consent of the user and launches them on the victim machine. The program itself is a Windows PE EXE file. It is 36,352 bytes in size. It is written in Borland Delphi.

Once launched, the Trojan downloads a file from the following URL:

http://counter.****s.com/2/dk.exe

(At the moment of writing, this link was not working.)

If the file is successfully downloaded, it is saved to the C: root directory as alpha.exe:

C:\alpha.exe

The file is then launched for execution.

The Trojan also adds five buttons (SEARCH, ENTERTAINMENT, PILLS, SECURITY and a second SEARCH) to the Internet Explorer toolbar by creating the following registry keys and parameters. All five use the CLSID {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}, which is the value Internet Explorer expects for a custom toolbar button, and have "Default Visible" set to "Yes", so the buttons appear without any action by the user; clicking one opens the URL in its "Exec" parameter:

[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
"ButtonText"="SEARCH"
"HotIcon"="shell32.dll,5"
"Icon"="shell32.dll,4"
"Exec"="http://www.google.com.super-fast-search.apsua.com/find.htm"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"

[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
"ButtonText"="ENTERTAINMENT"
"HotIcon"="shell32.dll,12"
"Icon"="shell32.dll,13"
"Exec"="http://www.google.com.super-fast-search.apsua.com/av.htm"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"

[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
"ButtonText"="PILLS"
"HotIcon"="shell32.dll,181"
"Icon"="shell32.dll,180"
"Exec"="http://www.google.com.super-fast-search.apsua.com/med.htm"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"

[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
"ButtonText"="SECURITY"
"HotIcon"="shell32.dll,194"
"Icon"="shell32.dll,45"
"Exec"="http://www.google.com.super-fast-search.apsua.com/check.htm"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"

[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]
"ButtonText"="SEARCH"
"HotIcon"="shell32.dll,157"
"Icon"="shell32.dll,155"
"Exec"="http://www.google.com.super-fast-search.apsua.com"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"

The Trojan also sets the following registry parameters, which redirect Internet Explorer to the same site. Note that the hostname www.google.com.super-fast-search.apsua.com is designed to look like Google but is a subdomain of apsua.com. DefaultPrefix is the string Internet Explorer prepends to an address typed without a scheme, so with this change every such address is routed through the c.pl script; the Search parameters replace the search assistant, and Start Page replaces the home page:

[HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
"(default)"="http://www.google.com.super-fast-search.apsua.com/c/c.pl?url="

[HKLM\Software\Microsoft\Internet Explorer\Search]
"CustomizeSearch"="http://www.google.com.super-fast-search.apsua.com/search.htm"
"SearchAssistant"="http://www.google.com.super-fast-search.apsua.com/search.htm"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com.super-fast-search.apsua.com/fast-find.htm"

[HKCU\Software\Microsoft\Internet Explorer\SearchUrl]
"provider"=""

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

- Use Task Manager to terminate the Trojan process (and alpha.exe, if it is running).
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the file called alpha.exe from the C: root directory:

C:\alpha.exe

- Delete the following registry keys (on 64-bit Windows, a 32-bit installer's writes to HKLM\Software are redirected to HKLM\Software\WOW6432Node, so check the same paths there as well):

[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKLM\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]

- Delete the following system registry key parameters:

[HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
"(default)"

[HKLM\Software\Microsoft\Internet Explorer\Search]
"CustomizeSearch"
"SearchAssistant"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"

[HKCU\Software\Microsoft\Internet Explorer\SearchUrl]
"provider"

- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
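The following PowerShell script is an added example, not code from the viruslist.com entry or from Kaspersky. It covers both the indicators listed in the description and the manual removal steps above: it audits a machine for C:\alpha.exe, for any Internet Explorer toolbar button whose "Exec" URL points at super-fast-search.apsua.com (matching on the URL rather than the five GUIDs, so a variant registered under other GUIDs is still caught), and for the search, start-page and URL-prefix hijacks, and with -Remove it deletes what it found. It cannot locate or terminate the original Trojan process, whose name and location the entry does not give. The function and variable names are this example's own, and the WOW6432Node path is an assumption about 64-bit hosts, not something the entry states.

```powershell
# Added example: audit (default) or remove (-Remove) the artifacts this entry lists.
# Not the Trojan's code and not from the original entry. Run as Administrator,
# since the extension keys and DefaultPrefix live under HKLM.
[CmdletBinding()]
param([switch]$Remove)

# Every hijack URL in the entry is under this domain (a subdomain of apsua.com).
$HijackDomain = 'super-fast-search.apsua.com'

# (key, value name) pairs the entry says are pointed at hijack URLs.
$HijackValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'; Name = '(default)' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Search';                  Name = 'CustomizeSearch' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Search';                  Name = 'SearchAssistant' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                    Name = 'Start Page' }
)

# Assumption for 64-bit hosts: a 32-bit dropper writing HKLM\Software is redirected
# to WOW6432Node, so both views are checked. The entry itself lists only the first.
$ExtensionRoots = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Extensions',
    'HKLM:\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions'
)

function Get-HijackArtifacts {
    $found = @()

    # 1. The dropped downloader payload.
    if (Test-Path -LiteralPath 'C:\alpha.exe') {
        $found += [pscustomobject]@{ Kind = 'File'; Path = 'C:\alpha.exe'; Name = ''; Value = '' }
    }

    # 2. Toolbar buttons: flag any extension whose Exec URL is on the hijack domain.
    foreach ($root in $ExtensionRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $exec = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).Exec
            if ($exec -and $exec -like "*$HijackDomain*") {
                $found += [pscustomobject]@{ Kind = 'Key'; Path = $key.PSPath; Name = ''; Value = $exec }
            }
        }
    }

    # 3. URL prefix, search assistant and start page redirects.
    foreach ($v in $HijackValues) {
        if (-not (Test-Path -LiteralPath $v.Key)) { continue }
        $val = (Get-ItemProperty -LiteralPath $v.Key -ErrorAction SilentlyContinue).($v.Name)
        if ($val -and $val -like "*$HijackDomain*") {
            $found += [pscustomobject]@{ Kind = 'Value'; Path = $v.Key; Name = $v.Name; Value = $val }
        }
    }

    # 4. The entry reports an empty "provider" value under SearchUrl alongside the hijack.
    $searchUrl = 'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl'
    if (Test-Path -LiteralPath $searchUrl) {
        $props = Get-ItemProperty -LiteralPath $searchUrl -ErrorAction SilentlyContinue
        if ($props.PSObject.Properties['provider'] -and $props.provider -eq '') {
            $found += [pscustomobject]@{ Kind = 'Value'; Path = $searchUrl; Name = 'provider'; Value = '' }
        }
    }
    return $found
}

function Remove-HijackArtifacts([object[]]$Artifacts) {
    foreach ($a in $Artifacts) {
        switch ($a.Kind) {
            'File'  {
                # The entry says alpha.exe is launched after download, so stop it before deleting.
                Get-Process -Name 'alpha' -ErrorAction SilentlyContinue | Stop-Process -Force
                Remove-Item -LiteralPath $a.Path -Force
            }
            'Key'   { Remove-Item -LiteralPath $a.Path -Recurse -Force }
            'Value' { Remove-ItemProperty -LiteralPath $a.Path -Name $a.Name -Force }
        }
        Write-Host "Removed $($a.Kind): $($a.Path) $($a.Name)"
    }
}

$artifacts = @(Get-HijackArtifacts)
if ($artifacts.Count -eq 0) {
    Write-Host 'No artifacts from this entry were found.'
} elseif ($Remove) {
    Remove-HijackArtifacts $artifacts
} else {
    $artifacts | Format-Table -AutoSize
    Write-Host 'Re-run with -Remove to delete the items above.'
}
```

Run it once without -Remove to review what it finds, then with -Remove. Deleting the DefaultPrefix default value follows the entry's instructions; on a clean system that value is normally "http://", so check that typing a bare hostname in Internet Explorer still works afterwards. The script does not replace the entry's first two steps: the original Trojan file and its process are not identified here, and a full antivirus scan is still needed.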
Printed From: http://www.viruslist.com/en/viruses/encyclopedia?virusid=50399