Once launched, the Trojan creates a unique identifier to flag its presence in the system and prevent it from being repeatedly launched. While downloading files, the Trojan remains in memory as a process. The process will have the same name as that of the Trojan executable file.
The Trojan then tries to establish a connection with the remote malicious user's HTTP server:
http://goldenfreehost.com/****der.php?l=0419
The Trojan downloads a file which contains a list of URLs.
This file will be saved to the Windows temporary directory as "list":
%TEMP%\list
The Trojan then attempts to download files from the URLs listed in this file. These files will also be saved to the Windows temporary directory, and then launched for execution.
- Use Task Manager to delete the Trojan process from memory.
- Delete the original Trojan file (the location of this file will depend on how the victim machine was infected).
- Delete all files downloaded by the Trojan from the Windows temporary directory.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
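A triage helper for the removal steps above, added here as an example (not code from the original page): it checks the temporary directory for the "list" URL file the Trojan writes, extracts the URLs it contains, and reports files written at or after that point as candidate downloaded payloads for analyst review. The file name "list" comes from the page; treating every file at least as new as "list" as a download candidate is an assumption, so nothing is deleted automatically.

```python
import os
import re
from pathlib import Path

# File name the Trojan uses for the downloaded URL list (from the description).
LIST_NAME = "list"
# Accept one absolute http/https/ftp URL per line; other lines are ignored.
URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)


def parse_url_list(text: str) -> list:
    """Return the URLs found in the downloaded 'list' file, one per line."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line and URL_RE.match(line):
            urls.append(line)
    return urls


def triage_temp_dir(temp_dir: str) -> dict:
    """Locate the 'list' file and the files written after it.

    Assumption (not stated on the page): payloads fetched from the URLs are
    written after 'list', so files with a modification time at or after it
    are reported as candidates. The result is for review only; nothing is
    removed here.
    """
    root = Path(temp_dir)
    list_path = root / LIST_NAME
    result = {"list_present": False, "urls": [], "downloaded": []}
    if not list_path.is_file():
        return result
    result["list_present"] = True
    result["urls"] = parse_url_list(list_path.read_text(errors="replace"))
    list_mtime = list_path.stat().st_mtime
    for p in root.iterdir():
        if p.is_file() and p != list_path and p.stat().st_mtime >= list_mtime:
            result["downloaded"].append(p.name)
    result["downloaded"].sort()
    return result


if __name__ == "__main__":
    # On Windows %TEMP% is the directory the description refers to.
    print(triage_temp_dir(os.environ.get("TEMP", "/tmp")))
```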
This Trojan program downloads files via the Internet without the knowledge or consent of the user. The Trojan itself is a Windows PE EXE file 3072 bytes in size.
Payload