Once launched, the Trojan creates the following registry keys in order to save its data:
[HKLM\Software\Microsoft\Direct3D\dinput\update]
"SetupId"="50077"
[HKLM\Software\Microsoft\Direct3D\dinput\update\Score]
[HKLM\Software\Microsoft\Direct3D\dinput\update\StartTime]
[HKLM\Software\Microsoft\Direct3D\dinput\update\Version]
It then attempts to download a file from one of the following addresses:
http://setup1.*****com/barbindsoft/barsetup.exe
http://setup2.*****com/barbindsoft/barsetup.exe
http://setup3.*****com/barbindsoft/barsetup.exe
http://setup4.*****com/barbindsoft/barsetup.exe
This file will be saved to the current user's temporary directory as
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine) if it has not deleted itself.
- Delete the following file: %Temp%\temp.exe
- Delete the following system registry keys (see What is a system registry and how do I use it for details on how to edit the registry):
[HKLM\Software\Microsoft\Direct3D\dinput\update]
"SetupId"="50077"
[HKLM\Software\Microsoft\Direct3D\dinput\update\Score]
[HKLM\Software\Microsoft\Direct3D\dinput\update\StartTime]
[HKLM\Software\Microsoft\Direct3D\dinput\update\Version]
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
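The removal steps above can be scripted for a host check. The following PowerShell function is an added example written for this page; it is not Kaspersky's tool. It looks for the registry key, the "SetupId" value and the subkeys listed in the description, and for %Temp%\temp.exe, and only deletes them when the -Remove switch is given. The function name, the -Remove switch and the WOW6432Node check (where a 32-bit sample on 64-bit Windows would be redirected) are assumptions of this example; the registry path and file name come from the page. Run it from an elevated session.

```powershell
# Added example (not Kaspersky's code): report, and optionally remove, the
# artifacts listed in this description. Assumptions: elevated session; the
# function name, -Remove switch and WOW6432Node path are this example's own.
function Test-BarsetupTrojan {
    [CmdletBinding()]
    param(
        [switch]$Remove
    )

    # Key from the description, plus the redirected location a 32-bit process
    # on 64-bit Windows would actually write to (assumption of this example).
    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Direct3D\dinput\update',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Direct3D\dinput\update'
    )
    $subKeys  = @('Score', 'StartTime', 'Version')
    $tempFile = Join-Path $env:TEMP 'temp.exe'   # %Temp%\temp.exe from the page
    $findings = @()

    # 1. Registry key, the "SetupId" value and the three subkeys
    foreach ($regPath in $regPaths) {
        if (-not (Test-Path $regPath)) { continue }
        $findings += "Registry key present: $regPath"
        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['SetupId']) {
            $findings += "  SetupId = $($props.SetupId) (description lists 50077)"
        }
        foreach ($k in $subKeys) {
            if (Test-Path (Join-Path $regPath $k)) { $findings += "  Subkey present: $k" }
        }
    }

    # 2. Downloaded file in the current user's temp directory
    if (Test-Path $tempFile) {
        $item = Get-Item $tempFile
        $findings += "File present: $tempFile ($($item.Length) bytes)"
        # Hash it before removal so the sample can be matched against AV reports
        $hash = (Get-FileHash -Path $tempFile -Algorithm SHA256).Hash
        $findings += "  SHA256: $hash"
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No artifacts from this description were found.'
        return $false
    }
    $findings | ForEach-Object { Write-Output $_ }

    if ($Remove) {
        # Stop any running copy first; a locked file cannot be deleted
        Get-Process -Name 'temp' -ErrorAction SilentlyContinue | Stop-Process -Force
        if (Test-Path $tempFile) { Remove-Item -Path $tempFile -Force }
        foreach ($regPath in $regPaths) {
            if (Test-Path $regPath) { Remove-Item -Path $regPath -Recurse -Force }
        }
        Write-Output 'Artifacts removed. Update antivirus databases and run a full scan.'
    }
    return $true
}

# Usage:
#   Test-BarsetupTrojan            # report only
#   Test-BarsetupTrojan -Remove    # report, then delete the file and registry keys
```

The script covers only the artifacts the description names. The original Trojan file is at whatever location it arrived through, so that part of step 1 still has to be done by hand, and a full antivirus scan afterwards remains necessary.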
This Trojan downloads other programs via the Internet and launches them on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. The file is 24,576 bytes in size. It is written in C.
Payload