Trojan.Win32.Scar.dgje
| Detected | Dec 04 2010 12:24 GMT |
| Released | Dec 04 2010 23:09 GMT |
| Published | Sep 09 2011 09:54 GMT |
A trojan program. It is a Windows application (PE-EXE file). 742912 bytes. Packed by an unknown packer. Unpacked size – around 788 kB. Written in Delphi.
When launching, the trojan copies its executable file under the following name:
%AppData%\msuwarn\<Original_Filename>
Where <Original_Filename> is the original name of the trojan file.
So that it may be automatically launched each time the system is started, the trojan adds a link to its executable file in the system registry startup key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"msuwarn"="%AppData%\msuwarn\<Original_Filename>"
The trojan also periodically checks for this registry key and restores it if it has been deleted.
The trojan deletes the following registry branch and all of the keys within it. This means that the OS cannot be loaded in "Safe mode":
[HKLM\System\ControlSet001\Control\SafeBoot]
The trojan retrieves two files from its body and saves these under the following names before launching them:
%AppData%\msuwarn\sdata.dll
This file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Agent2.cosd.
%Temp%\msuwarn.exe
This file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Pasmu.gv. When launched, this trojan program steals the logins, passwords, and other access data to various services from the following programs:
WS FTP
CuteFTP
Total Commander
FileZilla
FTP Commander
Mozilla Thunderbird
The Bat!
Pidgin
ICQ
QIP
Miranda
This trojan program also steals data from the following files:
%WinDir%\VD3User.dat
%WinDir%\Vd3main.dat
%WinDir%\win.ini
%UserProfile%\My Documents\*.rdp
The trojan may transfer the collected data to the attacker through HTTP requests to the following resource:
v***erm.freehostia.com
The trojan carries out network communication with the following hosts:
The trojan may also download files from the following links:
These links did not work when creating the description.
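An added example, not part of the original description: offline triage of a decoded `.reg` export for the two registry changes described above (the `msuwarn` Run value and the deleted SafeBoot branch). The sample export, the user path in it, and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot"
MARKER = "msuwarn"
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (already decoded to text); not data from the page.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msuwarn"="C:\\Users\\user\\AppData\\Roaming\\msuwarn\\sample.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
'''

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def triage(keys):
    """Return findings that match the persistence and SafeBoot behaviour."""
    findings = []
    lowered = {k.lower(): v for k, v in keys.items()}
    for name, data in lowered.get(RUN_KEY.lower(), {}).items():
        if name.lower() == MARKER or f"\\{MARKER}\\" in data.lower():
            findings.append(f"Run value {name!r} -> {data}")
    sb = SAFEBOOT_KEY.lower()
    parent = sb.rsplit("\\", 1)[0]
    # Only report SafeBoot as missing when the export covers its parent key.
    if parent in lowered and not any(k == sb or k.startswith(sb + "\\") for k in lowered):
        findings.append("SafeBoot branch missing from ControlSet001")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(parse_reg_export(SAMPLE))))
```

Real `regedit` exports are UTF-16LE, so decode the file before passing its text to `parse_reg_export`.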
If your computer has not been protected by antivirus software and is infected by a trojan program, you need to use Kaspersky Antivirus to delete it: run a full scan of the computer with Kaspersky Antivirus with updated antivirus databases.
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.