Subscribe
When executed, the malware copies original (clean) file %sysdir%/userinit.exe into %sysdir%/userini.exe.
It disables System File Protection, and overwrites %sysdir%/userinit.exe with a copy of itself, in order to be executed on every system start-up.
After it deletes the initially executed copy of itself, the malware drops the file:
%tempdir%\ie[hex-digit].tmp, detected as: Trojan.Downloader.Gadja.D.
It starts a new %sysdir%\svchost.exe process and injects its code into it in order to bypass firewalls or other security based software.
It also tries to download other malware from the following URL-s, save them to %tempdir%\ie[hex-digit].tmp and execute them:
- http://fixaserver.ru/[hide]/gate.php?[8-digit-hex-number]
- http://djaga-djaga.cn/[hide]/gate.php?[8-digit-hex-number]
An example of a malware downloaded file would be Trojan.Peed.JOP. Rename %sysdir%/userini.exe into %sysdir%/userinit.exe and let BitDefender disinfect your files.
Presence of the file: %sysdir%/userini.exe.
Hot Articles