|Detected||May 18 2011 09:17 GMT|
|Released||May 18 2011 18:13 GMT|
|Published||Sep 20 2011 15:19 GMT|
A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file). 272896 bytes. Written in Ñ++.
After launching, the trojan creates the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "svchost"="%Temp%\csrss.exe" [HKCU\Software\Microsoft\jdm] "ID"="jdm0.2_43"It retrieves the following files from its body in the current user's temporary directory:
%Temp%\letter.docThis file is 30208 bytes.
%Temp%\get.exeThis file is 84480 bytes.
%Temp%\csrss.exeThis file is 93696 bytes and is detected by Kaspersky Antivirus as Backdoor.Win32.Shell.bc.
The trojan then opens the file "letter.doc" using the associated application and launches the file "csrss.exe".
The launched "csrss.exe" file provides the attacker with remote access to the infected computer, for which a connection to the 80th port of the following IP address is created:
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
%Temp%\letter.doc %Temp%\get.exe %Temp%\csrss.exe
MD5: B7EB9571E800BF72E4FA2792AFFCE72D SHA1: 0996B0A2CB236D4D89291A924E9C83319F36DB10
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.