| Detected | Jul 06 2011 11:08 GMT |
| Released | Jul 06 2011 13:08 GMT |
| Published | Sep 20 2011 12:23 GMT |
A trojan that provides the attacker with remote access to the infected computer. It is a Windows application (PE EXE file), 176640 bytes in size. It is packed with UPX; the unpacked size is around 245 kB. It is written in C++.
After launching, the trojan copies its body to the current user's Startup directory so that it is launched automatically every time the system starts. The copy is created under a random name:

%USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exe

where <rnd> is a random sequence of digits and Latin letters, for example: "v6o3pl8nhq".
The trojan then launches a copy of the "EXPLORER.EXE" system process and injects executable code into its address space; this code implements all of the trojan's destructive functions.
The code loaded into the "EXPLORER.EXE" process runs a copy of the "SVCHOST.EXE" system process and injects code into its address space; this code implements a backdoor function and carries out the following actions:
me***i38.com
a***gh.in

At the time this description was created, the trojan downloaded an update of its executable file. The downloaded file was 106496 bytes in size; MD5: 27DDD62D3F3C7DFA3498C9A077F3D93A, SHA1: D9E958FED91C1A78A82C26F8B1728CA532BEECD1; it is detected by Kaspersky Antivirus as "Trojan.Win32.Diple.vvd".
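The behaviour described above (a randomly named copy in the Startup folder, then "EXPLORER.EXE" and "SVCHOST.EXE" started outside their usual parent chain) can be checked against process-creation records. The following is an added detection example, not part of the original description; the record fields `image` and `parent_image`, the name heuristic and the sample events are assumptions, and it relies on "services.exe" being the normal parent of "SVCHOST.EXE".

```python
import ntpath
import re

# Assumption: "random sequence of digits and Latin letters" is treated as an
# alphanumeric-only name of 8+ characters that mixes letters and digits.
RND_STEM = re.compile(r"(?=.*[0-9])(?=.*[a-z])[a-z0-9]{8,}")
STARTUP_SUFFIX = "\\start menu\\programs\\startup"

def in_startup(path):
    """True when the file's directory is a per-user Startup folder."""
    return ntpath.dirname(path).lower().endswith(STARTUP_SUFFIX)

def looks_random(filename):
    """True for an .exe whose base name fits the random-name heuristic."""
    stem, ext = ntpath.splitext(filename.lower())
    return ext == ".exe" and RND_STEM.fullmatch(stem) is not None

def triage(event):
    """Return the findings raised by one process-creation record."""
    image, parent = event["image"], event["parent_image"]
    name = ntpath.basename(image).lower()
    parent_name = ntpath.basename(parent).lower()
    findings = []
    if in_startup(image) and looks_random(name):
        findings.append("random-named executable run from Startup")
    if name == "explorer.exe" and in_startup(parent):
        findings.append("explorer.exe started by a Startup-folder executable")
    if name == "svchost.exe" and parent_name != "services.exe":
        findings.append("svchost.exe started by " + parent_name)
    return findings

# Constructed sample events (not taken from a real host).
U = r"C:\Documents and Settings\user"
SAMPLE_EVENTS = [
    {"image": U + r"\Start Menu\Programs\Startup\v6o3pl8nhq.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"image": r"C:\WINDOWS\explorer.exe",
     "parent_image": U + r"\Start Menu\Programs\Startup\v6o3pl8nhq.exe"},
    {"image": r"C:\WINDOWS\system32\svchost.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"image": r"C:\WINDOWS\system32\svchost.exe",
     "parent_image": r"C:\WINDOWS\system32\services.exe"},
    {"image": U + r"\Start Menu\Programs\Startup\notepad.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in triage(ev):
            print(finding, "<-", ev["image"])
```

The last two sample events are benign controls: a "SVCHOST.EXE" started by "services.exe" and an ordinarily named Startup entry raise no finding.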
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete it:
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.