|Detected||Feb 22 2011 01:39 GMT|
|Released||Feb 22 2011 08:34 GMT|
|Published||Sep 09 2011 15:22 GMT|
A trojan program that downloads other software to the computer without the user's knowledge and launches this software for execution. It is a Windows application (PE-EXE file). 52224 bytes. Written in C++.
After launching, in order to control the uniqueness of its process within the system, the trojan creates a unique identifier called "SeBebugPrivilege". The trojan then copies the system library named:
%System%\wininet.dlland saves this in the temporary file directory under a random name:
%Temp%\<tmp>.tmpwhere tmp is the name of the temporary file. The trojan then imports the functions which the trojan needs to download other malware from the saved copy of the library. The trojan then tries to download the file located at the following link:
http://e05.cxe95.com:8080/re05/sc.png. and saves this in the temporary file directory under the following name:
%Temp%\<tmp>.tmpThe file is then launched for execution. The file is then copied to the system directory under the following name:
%System%\system.exeSo that it may be automatically launched each time the OS is started, the trojan creates a link to the malicious file in the system registry startup key in a separate string:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "System"="%System%\system.exe"The trojan also determines the physical address of the computer (MAC-address) and transfers this to the attacker's server in a HTTP request from the following link: http://e05.cxe95.com:8080/?a=<rnd>&b=<rnd>&c=<rnd>&d=XX-XX-XX-XX-XX-XX where
XX-XX-XX-XX-XX-XX – MAC-address;rnd is a random sequence of digits.
These links did not work when creating the description.
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.