
Trojan.Win32.Jorik.Carberp.ar

Detected Jul 06 2011 11:08 GMT
Released Jul 06 2011 13:08 GMT
Published Sep 20 2011 12:23 GMT


Technical Details

A trojan that gives the attacker remote access to the infected computer. It is a Windows application (PE-EXE file) of 176640 bytes, packed with UPX; the unpacked size is around 245 kB. Written in C++.

Installation

After launching, the trojan copies its body to the current user's Startup directory, so that the copy is launched automatically every time the system starts. The copy is created under a random name:

%USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exe

where <rnd> is a random sequence of digits and Latin letters, for example "v6o3pl8nhq".

The trojan then launches a copy of the "EXPLORER.EXE" system process and injects its executable code into that process's address space, where all of its malicious functionality is carried out.


Payload

The code injected into the "EXPLORER.EXE" process launches a copy of the "SVCHOST.EXE" system process and injects code into its address space in turn. That code implements the backdoor functionality and carries out the following actions:

  • deleting the original trojan file;
  • hiding the previously created copy in the Startup directory;
  • establishing a connection with the attacker's servers to receive commands. Depending on the commands received, the backdoor may:
    • update its original file by downloading an update from the attacker's server;
    • download other files onto the infected computer;
    • monitor network traffic in order to steal confidential user information;
    • collect information about the infected system;
    • log the user's keystrokes;
    • send the collected information to the attacker's server.

When running, the backdoor connects to the following servers:

me***i38.com
a***gh.in

At the time this description was written, the trojan downloaded an update of its executable file. The downloaded file was 106496 bytes; MD5: 27DDD62D3F3C7DFA3498C9A077F3D93A, SHA1: D9E958FED91C1A78A82C26F8B1728CA532BEECD1. It is detected by Kaspersky Antivirus as "Trojan.Win32.Diple.vvd".


Removal instructions

If your computer was not protected by anti-virus software and has been infected with this malware, take the following steps to remove it:

  1. Restart the computer in "safe mode" (when starting up, press F8, then select "Safe Mode" from the Windows start menu).
  2. Delete the following file:
    %USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exe
  3. Clear the Temporary Internet Files directory, which may contain infected files (see "How to delete infected files in the Temporary Internet Files folder?").
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.
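The installation section above describes the persistence artifact (a randomly named executable dropped into the user's Startup directory, later hidden), and the removal section tells you to delete it. The following script is an added defensive example, not part of the original description or any Kaspersky tool: it enumerates the Startup directory, hashes each file and compares the MD5/SHA1 against the two hash pairs given on this page, and additionally flags executables whose name looks like the random <rnd> pattern or that carry the hidden attribute. The name-length bounds (8 to 12 characters) are an assumption derived from the single example "v6o3pl8nhq"; the demo directory and its files are constructed placeholders, not malware.

```python
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Known-bad hashes from the description above (lowercased hex).
# First pair: the original dropper; second pair: the downloaded update.
KNOWN_MD5 = {
    "bcb0c595a3cb7244fe00388963129476": "Trojan.Win32.Jorik.Carberp.ar",
    "27ddd62d3f3c7dfa3498c9a077f3d93a": "Trojan.Win32.Diple.vvd (downloaded update)",
}
KNOWN_SHA1 = {
    "9f0fcbe303be4b8020e731db55da5aab84a08af6": "Trojan.Win32.Jorik.Carberp.ar",
    "d9e958fed91c1a78a82c26f8b1728ca532beecd1": "Trojan.Win32.Diple.vvd (downloaded update)",
}

# Heuristic for the <rnd>.exe naming: a run of lowercase letters and digits.
# ASSUMPTION: the 8-12 length window is inferred from the one example on the page.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,12}\.exe$", re.IGNORECASE)

# Windows-only attribute; getattr keeps the script importable elsewhere.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)


def default_startup_dir() -> Path:
    """%USERPROFILE%\\Start Menu\\Programs\\Startup, as named in the description."""
    return Path(os.environ.get("USERPROFILE", "")) / "Start Menu" / "Programs" / "Startup"


def file_hashes(path: Path) -> tuple:
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def match_known_hash(md5: str, sha1: str) -> list:
    """Names of the known samples whose MD5 or SHA1 matches (case-insensitive)."""
    hits = []
    if md5.lower() in KNOWN_MD5:
        hits.append(KNOWN_MD5[md5.lower()])
    if sha1.lower() in KNOWN_SHA1:
        hits.append(KNOWN_SHA1[sha1.lower()])
    return hits


def scan_startup_dir(startup_dir: Path) -> list:
    """Return a finding dict for every suspicious file in the Startup directory."""
    findings = []
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file():
            continue
        md5, sha1 = file_hashes(entry)
        reasons = [f"hash matches {name}" for name in match_known_hash(md5, sha1)]
        if RANDOM_NAME.match(entry.name):
            reasons.append("random-looking executable name in Startup")
        attrs = getattr(entry.stat(), "st_file_attributes", 0)
        if HIDDEN and attrs & HIDDEN:
            reasons.append("hidden attribute set")
        if reasons:
            findings.append({"path": str(entry), "md5": md5, "sha1": sha1, "reasons": reasons})
    return findings


def build_demo_dir() -> Path:
    """Constructed stand-in for a Startup directory; the files are harmless placeholders."""
    tmp = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (tmp / "v6o3pl8nhq.exe").write_bytes(b"constructed placeholder, not a real binary")
    (tmp / "OneNote Screen Clipper.lnk").write_bytes(b"constructed shortcut placeholder")
    (tmp / "backup.exe").write_bytes(b"constructed placeholder")
    return tmp


if __name__ == "__main__":
    target = default_startup_dir()
    if not target.is_dir():
        target = build_demo_dir()  # not on Windows: use the constructed directory
    for finding in scan_startup_dir(target):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

On a real host the hash match is the only conclusive signal; the name and hidden-attribute checks are heuristics to surface candidates for manual review, since legitimate installers occasionally drop oddly named entries into Startup as well. Note that the script hashes files in place and does not delete anything; removal is still the manual step listed above.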


MD5: BCB0C595A3CB7244FE00388963129476
SHA1: 9F0FCBE303BE4B8020E731DB55DA5AAB84A08AF6


Trojan

This type of behaviour covers malicious programs that delete, block, modify or copy data, or disrupt computer or network performance, but which cannot be classified under any of the more specific behaviours.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.