Backdoor.win32.Small.cz

tag:Backdoors  

Once launched, the backdoor creates a file named troyan.exe in the Windows directory (%WinDir%, e.g. C:\Windows, not the drive root). This file is 3072 bytes in size:

%WinDir%\troyan.exe

It then registers this file in the system registry so that it is launched each time Windows starts on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avast"="%WinDir%\troyan.exe"

troyan.exe is an IRC-controlled backdoor.

The backdoor connects to the IRC server amsterdam2.******.org on TCP port 6667 and then processes commands received over IRC from the remote malicious user.

The remote malicious user can verify that the bot is still connected with an IRC PING, and can instruct it to download files. Any number of files may be downloaded; each one is saved as z31.exe in the directory where the backdoor file is located (i.e. %WinDir%), overwriting the previously downloaded file. Once a download completes, the file is launched with a hidden window.
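The following PowerShell snippet is an added example (not part of this encyclopedia entry) that checks a live host for the behaviour described above: an established outbound TCP session to port 6667 owned by a process whose image is troyan.exe. It relies only on the stock Get-NetTCPConnection and Get-Process cmdlets (Windows 8 / Server 2012 and later); the function name is the example's own, and the reverse-DNS lookup is a convenience for the analyst, not something the entry describes. Run it from an elevated prompt so that image paths of all processes can be read.

```powershell
# Added example: list established connections to TCP 6667 and the owning process,
# and flag those whose image name matches the backdoor file named in the entry.
function Find-IrcBackdoorSessions {
    [CmdletBinding()]
    param(
        [int]$RemotePort = 6667,            # IRC port named in the entry
        [string]$ImageName = 'troyan.exe'   # dropped file name from the entry
    )

    $sessions = Get-NetTCPConnection -RemotePort $RemotePort -State Established -ErrorAction SilentlyContinue
    foreach ($s in $sessions) {
        $proc = Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue
        $path = $null
        try { $path = $proc.MainModule.FileName } catch { }   # access denied for protected processes

        # Reverse lookup is best effort only; the real C2 host name in the entry is masked.
        $hostName = $null
        try { $hostName = [System.Net.Dns]::GetHostEntry($s.RemoteAddress).HostName } catch { }

        [pscustomobject]@{
            RemoteAddress = $s.RemoteAddress
            RemoteHost    = $hostName
            RemotePort    = $s.RemotePort
            ProcessId     = $s.OwningProcess
            ProcessName   = $proc.ProcessName
            ImagePath     = $path
            MatchesEntry  = [bool]($path -and ([IO.Path]::GetFileName($path) -ieq $ImageName))
        }
    }
}

# Any row with MatchesEntry = True is the backdoor's C2 session; rows with other
# process names are still worth a look, since the downloaded z31.exe could hold the socket.
Find-IrcBackdoorSessions | Format-Table -AutoSize
```

A machine that is not currently connected to the IRC server will show nothing here, so the registry and file checks in the removal steps below remain the authoritative test for infection.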

Removal instructions

  1. Terminate the "troyan.exe" process (and any running "z31.exe" process it may have launched).

  2. Delete the backdoor's autorun value from the system registry:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "avast"="%WinDir%\troyan.exe"
  3. Delete the following files (z31.exe is present only if a download was commanded):

    %WinDir%\troyan.exe
    %WinDir%\z31.exe
  4. Reboot the computer.

  5. Perform a full scan of the computer.
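Steps 1 to 3 above as a script, added here as an example rather than taken from the entry. It uses only built-in cmdlets; the function name and the extra file-size sanity check (3072 bytes for troyan.exe, as stated in the entry) are the example's own. The "avast" value is removed only when it actually points at troyan.exe, because the same value name could legitimately belong to the Avast antivirus product. Run from an elevated prompt; -WhatIf previews every change without making it.

```powershell
# Added example: scripted removal of the persistence, process and files described in the entry.
function Remove-SmallCzBackdoor {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'avast'                                  # value name used by the backdoor
    $winDir    = [Environment]::GetFolderPath('Windows')  # expands %WinDir%
    $dropped   = "$winDir\troyan.exe"
    $payload   = "$winDir\z31.exe"

    # Step 1: terminate the backdoor and anything it downloaded and launched.
    foreach ($name in 'troyan', 'z31') {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop-Process')) {
                Stop-Process -Id $_.Id -Force
            }
        }
    }

    # Step 2: remove the Run value only if it really references troyan.exe.
    $entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($entry -and $entry.$valueName -match 'troyan\.exe') {
        if ($PSCmdlet.ShouldProcess("$runKey\$valueName = $($entry.$valueName)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $valueName
        }
    }
    elseif ($entry) {
        Write-Warning "Run value '$valueName' exists but does not reference troyan.exe; left in place: $($entry.$valueName)"
    }

    # Step 3: delete the dropped files. Warn if troyan.exe is not the size the entry gives,
    # since that suggests a different sample and the file should be preserved for analysis first.
    if (Test-Path -LiteralPath $dropped) {
        $len = (Get-Item -LiteralPath $dropped).Length
        if ($len -ne 3072) { Write-Warning "$dropped is $len bytes, entry says 3072; consider keeping a copy." }
    }
    foreach ($f in $dropped, $payload) {
        if (Test-Path -LiteralPath $f) {
            if ($PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    # Steps 4 and 5 are left to the operator.
    Write-Host 'Now reboot the machine and perform a full antivirus scan.'
}

Remove-SmallCzBackdoor -WhatIf   # preview; drop -WhatIf to apply the changes
```

If the process cannot be stopped or the file is locked, reboot first and run the function again; the Run value will have relaunched troyan.exe, so remove the registry value before the reboot in that case.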

This Trojan gives a remote malicious user control of the victim machine. The original program is a Windows PE EXE file 2560 bytes in size; the troyan.exe it creates (3072 bytes) is the component that runs as the IRC backdoor.

©Virus-Encyclopedia.com All Rights Reserved.