This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. The file is 5,040 bytes in size.

Installation

When launched, the Trojan copies its executable file to the Windows system directory:
%System%\com.exe
It also creates the following registry key:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{04F4BA85-A3C7-4235-0200-060204060705}]
"StubPath" = "%System%\com.exe"

Payload

The Trojan launches the process registered under the following registry key (the system's http URL handler):
[HKLM\SOFTWARE\Classes\http\shell\open\command]
The Trojan then injects its code into that process, which in turn tries to connect to nimabi.serve***r.com to fetch a script.
The script may include the following:
- downloading files from the Internet and launching them on the victim machine
- providing the remote malicious user with system information
The backdoor also injects its code into explorer.exe. This code checks for the presence of the backdoor.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the explorer.exe and iexplore.exe processes.
- Delete the following file:
%System%\com.exe
- Delete the following registry key:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{04F4BA85-A3C7-4235-0200-060204060705}]
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
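The following read-only audit script is an added example and not part of the original description; it checks a host for the Active Setup key, dropped file and handler command named above, assuming %System% resolves to $env:SystemRoot\System32, and reports without deleting anything.

```powershell
# Added example: read-only audit for the indicators in this description.
# Assumption: %System% resolves to $env:SystemRoot\System32.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$knownGuid   = '{04F4BA85-A3C7-4235-0200-060204060705}'   # key named in the description
$dropPath    = Join-Path $env:SystemRoot 'System32\com.exe'
$httpHandler = 'HKLM:\SOFTWARE\Classes\http\shell\open\command'
$findings    = New-Object System.Collections.Generic.List[string]

# 1. The exact Active Setup key this Trojan creates
if (Test-Path (Join-Path $activeSetup $knownGuid)) {
    $findings.Add("Active Setup key present: $knownGuid")
}

# 2. Any Active Setup component whose StubPath launches com.exe.
#    Active Setup executes StubPath at user logon, so this is the persistence point.
Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match '\\com\.exe') {
        $findings.Add("StubPath under $($_.PSChildName) points to com.exe: $stub")
    }
}

# 3. The dropped file itself, with its size for comparison against the description
if (Test-Path -LiteralPath $dropPath) {
    $size = (Get-Item -LiteralPath $dropPath).Length
    $findings.Add("File present: $dropPath ($size bytes; description lists 5,040)")
}

# 4. Which process the http handler key launches (the injection target)
$handler = (Get-ItemProperty -Path $httpHandler -ErrorAction SilentlyContinue).'(default)'
if ($handler) { Write-Host "http handler command (injection target): $handler" }

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from this description found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell session; a match on any finding is a cue to proceed with the removal steps above and a full scan rather than proof of a clean host when none match.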