| Detected | Aug 27 2010 08:43 GMT |
| Released | Aug 27 2010 17:30 GMT |
| Published | Mar 25 2011 08:08 GMT |
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file), 49 162 bytes in size, written in Delphi.
Once launched, the Trojan moves its body into the file:

%APPDATA%\download2\svcnost.exe

To ensure that this file is launched automatically each time the system is rebooted, the following system registry key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"download" = "%APPDATA%\download2\svcnost.exe"

In addition, the created file is added to the list of applications trusted by Windows Firewall by creating the following system registry key:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"
Once launched, the Trojan establishes a connection with the malicious user's server:
The following values may be sent:
Depending on the processes found, the following values may be sent:
After this, the Trojan downloads files from the above-mentioned server in an unending cycle. The downloaded files are saved in the directory:
Once downloaded, the files are launched for execution. At the time of writing, the server was inactive.
Also, as part of its operations, the Trojan creates the system registry key:

[HKCU\Software\Microsoft]
"idln2" = "<rnd>"

where <rnd> is a random sequence of characters (for example, "msdgynwcq1vrubzyvdx13iyvs3vgcke").
If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to delete it:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"download" = "%APPDATA%\download2\svcnost.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"

[HKCU\Software\Microsoft]
"idln2" = "<rnd>"
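The following PowerShell script is an added example, not part of this description and not a Kaspersky tool. It checks a host for the artifacts listed above (the dropped file, the "download" autorun value, the Windows Firewall authorized-application entry and the "idln2" marker) and, only when run with -Remove, deletes them. It assumes the paths and value names are exactly as published here; the additional WOW6432Node Run key it inspects is an assumption of this example (a 32-bit Delphi binary on a 64-bit system may have its HKLM\Software writes redirected there) and is not stated on the page. Run it from an elevated session, since the HKLM keys require administrator rights.

```powershell
# Added example (not from the original description): report and optionally
# remove the persistence artifacts of this Trojan. Run elevated.
[CmdletBinding()]
param(
    [switch]$Remove   # without -Remove the script only reports
)

$dropped   = Join-Path $env:APPDATA 'download2\svcnost.exe'
$runKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption of this example: 32-bit registry view on 64-bit Windows
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$fwKey     = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$markerKey = 'HKCU:\Software\Microsoft'

$findings   = New-Object System.Collections.Generic.List[string]
$hitRunKeys = New-Object System.Collections.Generic.List[string]
$hitFwNames = New-Object System.Collections.Generic.List[string]

# 1. Running copy and dropped file
$procs = Get-Process -Name 'svcnost' -ErrorAction SilentlyContinue
if ($procs) { $findings.Add("Process running: svcnost.exe (PID $($procs.Id -join ','))") }
if (Test-Path -LiteralPath $dropped) { $findings.Add("File present: $dropped") }

# 2. Autorun value "download" pointing at the dropped file
foreach ($key in $runKeys) {
    $v = Get-ItemProperty -Path $key -Name 'download' -ErrorAction SilentlyContinue
    if ($v -and $v.download -like '*download2\svcnost.exe*') {
        $findings.Add("Autorun: $key\download = $($v.download)")
        $hitRunKeys.Add($key)
    }
}

# 3. Windows Firewall authorized-application entry.
#    The value format is "<path>:<scope>:<Enabled|Disabled>:<display name>".
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -notlike '*\download2\svcnost.exe') { continue }
        $state = '?'
        if ($p.Value -match '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$') {
            $state = $Matches.state
        }
        $findings.Add("Firewall exception ($state): $($p.Name) = $($p.Value)")
        $hitFwNames.Add($p.Name)
    }
}

# 4. Infection marker "idln2" (random string value)
$m = Get-ItemProperty -Path $markerKey -Name 'idln2' -ErrorAction SilentlyContinue
if ($m) { $findings.Add("Marker: $markerKey\idln2 = $($m.idln2)") }

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts of this Trojan found.'
    return
}
$findings | ForEach-Object { Write-Output "[!] $_" }

if ($Remove) {
    # Stop the running copy first so the file can be deleted.
    if ($procs) { $procs | Stop-Process -Force }
    foreach ($key in $hitRunKeys) {
        Remove-ItemProperty -Path $key -Name 'download' -ErrorAction SilentlyContinue
    }
    foreach ($name in $hitFwNames) {
        Remove-ItemProperty -Path $fwKey -Name $name -ErrorAction SilentlyContinue
    }
    if ($m) { Remove-ItemProperty -Path $markerKey -Name 'idln2' -ErrorAction SilentlyContinue }
    if (Test-Path -LiteralPath $dropped) { Remove-Item -LiteralPath $dropped -Force }
    Write-Output 'Clean-up done; reboot and re-run this script to confirm nothing was recreated.'
}
```

Run it once without arguments to see what is present, then with -Remove. The firewall value is parsed with a regex rather than a plain split on ":" so that a path containing a drive letter (C:\...) is still handled correctly; the third field tells you whether the exception was active.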
This type of behaviour covers malicious programs that delete, block, modify, or copy data, or disrupt computer or network performance, but which cannot be classified under any of the other behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.