Internet threat level: 1
Home→Descriptions→Trojan.Win32.Jorik.Carberp.ar
Trojan.Win32.Jorik.Carberp.ar
| Detected | Jul 06 2011 11:08 GMT |
| Released | Jul 06 2011 13:08 GMT |
| Published | Sep 20 2011 12:23 GMT |
Payload
Removal instructions
Technical Details
A trojan that provides the attacker with remote access to the infected computer. It is a Windows application (PE-EXE file). 176640 bytes. UPX packed. Unpacked size – around 245 kB. Written in C++.
Installation
After launching, the trojan copies its body to the current user's Startup directory, providing it with the option to automatically launch every time the system is started. A copy is created under a random name:
%USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exewhere <rnd> is a random sequence of digits and Latin letters, for example: "v6o3pl8nhq".
The trojan then launches the copy of the "EXPLORER.EXE" system process and enters the executable code in the address space, implementing all of its destructive functions.
Payload
The code loaded during the "EXPLORER.EXE" process runs a copy of the "SVCHOST.EXE" system process and enters the code in the address space, implementing a backdoor function and carrying out the following actions:
- deleting the original trojan file;
- hiding the previously created copy in the Startup directory;
- establishing a connection with the attacker's servers to receive commands. Depending on the commands received, the backdoor may carry out the following actions:
- update its original file, loading an update from the attacker's server;
- load other files onto the infected computer;
- track network system traffic in order to steal confidential user information;
- collect information about the infected system;
- track the user's keyboard entries;
- send the collected information to the attacker's server.
me***i38.com a***gh.inWhen creating the description, the trojan had downloaded an update of its executable file. A file of 106496 bytes was downloaded; MD5: 27DDD62D3F3C7DFA3498C9A077F3D93A, SHA1: D9E958FED91C1A78A82C26F8B1728CA532BEECD1; detected by Kaspersky Antivirus as "Trojan.Win32.Diple.vvd".
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Restart the computer in "safe mode" (when starting up, press F8, then select "Safe Mode" from the Windows start menu).
- Delete the following file:
%USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exe
- Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
MD5: BCB0C595A3CB7244FE00388963129476
SHA1: 9F0FCBE303BE4B8020E731DB55DA5AAB84A08AF6
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.