This is a trojan which attempts to connect to a remote site and download several files onto the victim's computer. Additionally, it trawls the infected computer for *.ASP and *.HTM files and appends the URL of the remote site to these files using IFRAME code.

This trojan is encrypted using NSpack. When it is executed it creates the following folder:

C:\Program Files\Common Files\update

It copies itself into the above folder as REAL.EXE. The trojan then connects to a remote website and attempts to download several files into the same folder. The files it attempts to download are as follows:
- update0.exe
- update1.exe
- update2.exe
- update3.exe
- update4.exe
- update5.exe
- update6.exe
- update7.exe
- update8.exe
- update9.exe

The remote website from which it downloads the files above is:

It creates the following registry key so that it starts up after each reboot:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealUpdate = C:\Program Files\Common Files\Update\real.exe

The trojan will then search for all *.HTM and *.ASP files and append the URL mentioned above to these files using the IFRAME exploit. The appended files are detected as the HTML/Iframe136 trojan with the 4892 DATs and above.

Presence of the following files in the C:\Program Files\Common Files\Update folder:
- update0.exe
- update1.exe
- update2.exe
- update3.exe
- update4.exe
- update5.exe
- update6.exe
- update7.exe
- update8.exe
- update9.exe

Increase in size of *.ASP and *.HTM files.

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded. This downloader uses IFRAME code, which is appended to *.ASP and *.HTM files on the victim's computer, to install further malware.

All Users: Use specified engine and DAT files for detection and removal.
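
A triage check for the two symptoms listed above, as an added example that is not part of the original description: it reports the listed file names in a given folder and flags *.ASP and *.HTM files that carry an IFRAME tag after their closing </html> tag. The trailing-IFRAME heuristic, the function names, the sample files and the placeholder.invalid URL are assumptions constructed for the example, since the description does not give the exact appended markup.

```python
import re
import tempfile
from pathlib import Path

# File names taken from the description above.
DROPPED = {"real.exe"} | {f"update{i}.exe" for i in range(10)}
WEB_EXT = {".asp", ".htm"}
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)

def dropped_files(folder):
    """Names in `folder` that match the downloader's file list."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and p.name.lower() in DROPPED)

def appended_iframes(root):
    """Map each *.ASP/*.HTM file to IFRAME tags found after </html>."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in WEB_EXT or not path.is_file():
            continue
        data = path.read_bytes()
        # Assumption: appended markup lands after the last closing </html>.
        idx = data.lower().rfind(b"</html")
        if idx < 0:
            continue  # fragment without </html>: review by hand
        tags = [m.group(0).decode("latin-1") for m in IFRAME.finditer(data, idx)]
        if tags:
            hits[str(path)] = tags
    return hits

def build_sample(root):
    """Write constructed sample files (empty stand-ins, not malware)."""
    upd, web = Path(root) / "update", Path(root) / "wwwroot"
    upd.mkdir()
    web.mkdir()
    for name in ("REAL.EXE", "update3.exe", "readme.txt"):
        (upd / name).write_bytes(b"")
    page = b"<html><body><iframe src='/menu.htm'></iframe></body></html>"
    (web / "clean.htm").write_bytes(page)  # legitimate in-body IFRAME
    (web / "index.asp").write_bytes(
        page + b"\r\n<iframe src=http://placeholder.invalid/ width=0></iframe>")
    return upd, web

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        upd, web = build_sample(tmp)
        print(dropped_files(upd), appended_iframes(web))
```

A hit from either function is a lead for the engine and DAT scan, not a verdict: legitimate templates can also place markup after </html>.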