|Detected|Sep 01 2010 10:58 GMT|
|Released|Sep 02 2010 11:10 GMT|
|Published|Oct 20 2010 12:26 GMT|
This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 38400 bytes in size. It is written in C++.
Once activated, the Trojan copies its body and saves it to the Windows system directory as "fvfj.sxo":
%System%\fvfj.sxo
In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds the following entry to the system registry autorun key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe rundll32.exe fvfj.sxo trsnl"
Once launched, the Trojan decrypts and extracts the following file from its body into the current user's temporary directory:
This file is 20480 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Agent2.lom.
The Trojan then loads the extracted file into its own address space and runs its malicious code, which performs the following actions:
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" = "1" "AccessVBOM" = "1"
These values set Word's macro security to its lowest level and allow programmatic access to the VBA project. The Trojan then runs Word macros, which it uses to launch its original body.
It then connects to the following address:
http://****m5.ru/bmw/bb.php
and receives a configuration file that determines its further actions.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Delete the following files:
%Temp%\<rnd1>.tmp
%System%\fvfj.sxo
where <rnd1> stands for a random string of digits and Latin letters.
2. Clear the Temporary Internet Files folder:
%Temporary Internet Files%
3. Delete the following registry values:
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" "AccessVBOM"
4. Restore the original value of the following registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe"
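As an added example (not part of the original description), the following Python script parses a registry export and flags the two changes listed above: extra programs appended to the Winlogon "Shell" value and the lowered Word macro-security settings. The .reg text is constructed to match this write-up, and the HKLM/HKCU abbreviations are expanded as a real export would spell them out.

```python
"""Offline check of a .reg export for the Winlogon Shell persistence and the
Word macro-security changes this write-up describes (sample data is constructed)."""
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORD_SECURITY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security"

# Constructed .reg export reflecting the values listed in the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe fvfj.sxo trsnl"

[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001
'''

def parse_reg(text):
    """Parse a .reg export into {full_key: {value_name: value}} (REG_SZ and DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVES.get(hive, hive) + "\\" + rest  # expand HKLM/HKCU
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m and current is not None:
            name, s, d = m.groups()
            keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys

def check_registry(keys):
    """Return findings for the two indicators; an empty list means both look clean."""
    findings = []
    # Shell must be exactly Explorer.exe; anything appended is started at every logon.
    tokens = keys.get(WINLOGON, {}).get("Shell", "").split()
    if tokens and [t.lower() for t in tokens] != ["explorer.exe"]:
        findings.append(f"Winlogon Shell launches extra programs: {tokens[1:]}")
    word = keys.get(WORD_SECURITY, {})
    if str(word.get("Level")) == "1":
        findings.append("Word macro security Level is 1 (low): macros run without prompting")
    if str(word.get("AccessVBOM")) == "1":
        findings.append("Word AccessVBOM is 1: programmatic access to the VBA project enabled")
    return findings

if __name__ == "__main__":
    print(check_registry(parse_reg(SAMPLE_REG)))
```

Running the check again after the removal steps above should return an empty list.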
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually saves a range of files to the victim's drive (usually to the Windows directory, the Windows system directory, the temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to: