|Detected||Aug 15 2010 02:18 GMT|
|Released||Aug 15 2010 10:16 GMT|
|Published||Mar 16 2011 10:05 GMT|
This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 85 504 bytes in size. It is written in Delphi.
Once launched, the Trojan carries out the following actions:
http://www.i***s.gov/pub/irs-pdf/f941.pdfAt the time of writing, a PDF document of 204 558 bytes in size was downloaded from this link.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "TaskbarNoNotification" = "1" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Advanced] "EnableBalloonTips" = "0" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ System] "EnableLUA" = "0"This results in the disabling of pop-up notifications in the notification area, screen tips, and User Account Control (UAC).
http://www.ps***rzedborz.pl/1.jpg http://www.ps***rzedborz.pl/2.jpg http://www.ps***rzedborz.pl/ChilkatCert_NT4.dll http://www.ps***rzedborz.pl/extract_cert.exeThe downloaded files are correspondingly saved in the system as:
%System%\AcroIEHelper.dll %System%\ChilkatCert_NT4.dll %System%\extract_cert.exeAt the time of writing, these links were inactive.
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
%System%\AcroIEHelper.dll %System%\ChilkatCert_NT4.dll %System%\extract_cert.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer] "TaskbarNoNotification" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Advanced] "EnableBalloonTips" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ System] "EnableLUA"
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.