The Trojan contacts the following web sites:
http://damndskj.com/*****/tpktskk2.php
http://damndskj.com/*****/tpknlkk433.php
In response it gets a list of links from which it will download files.
At the time of writing, the links were as follows:
http://58.65.***.***/gwer234/alexey.exe
http://58.65.***.***/gwer234/u_f1_v33_63.exe
http://58.65.***.***/gwer234/krea.exe
http://88.255.***.***/all/loader.exe
http://58.65.***.***/gwer234/nn.exe
http://58.65.***.***/gwer234/01113.exe
At the time of writing, these links were not working.
The list of links is saved to a file called "RunOnce.tmp" in the Windows system directory:
%System%\RunOnce.tmp
The files will be downloaded to the current user's temporary directory and then launched for execution.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete all files created by the Trojan:
%System%\_svchost.exe
%System%\RunOnce.tmp
%Temp%\alexey.exe
%Temp%\u_f1_v33_63.exe
%Temp%\krea.exe
%Temp%\nn.exe
%Temp%\01113.exe
%Temp%\loader.exe
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
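A read-only triage check for the artifacts listed above, added here as an example and not part of the original description. It reports which listed files exist, whether `_svchost.exe` has the 6144-byte size this page gives for the Trojan, and which URLs are stored in `RunOnce.tmp`. Assumptions: `%System%` resolves to `%SystemRoot%\System32`, `RunOnce.tmp` is plain text, and the `triage` function name is hypothetical.

```python
import os
import re
from pathlib import Path

# Artifact names taken from the removal list on this page.
SYSTEM_FILES = ["_svchost.exe", "RunOnce.tmp"]
TEMP_FILES = ["alexey.exe", "u_f1_v33_63.exe", "krea.exe",
              "nn.exe", "01113.exe", "loader.exe"]
TROJAN_SIZE = 6144  # size of the Trojan body as stated on this page
URL_RE = re.compile(rb'https?://[^\s"<>\x00]+')


def triage(system_dir, temp_dir):
    """Return findings for the artifacts this page lists. Read-only."""
    findings = {"present": [], "size_match": False, "urls": []}
    for base, names in ((Path(system_dir), SYSTEM_FILES),
                        (Path(temp_dir), TEMP_FILES)):
        for name in names:
            p = base / name
            if p.is_file():
                findings["present"].append(str(p))
    copy = Path(system_dir) / "_svchost.exe"
    if copy.is_file():
        # The Trojan copies its own body, so the copy should be 6144 bytes.
        findings["size_match"] = copy.stat().st_size == TROJAN_SIZE
    link_list = Path(system_dir) / "RunOnce.tmp"
    if link_list.is_file():
        # Assumption: the saved list is plain text; the page does not give
        # its format, so URLs are pulled out by pattern from the raw bytes.
        data = link_list.read_bytes()
        findings["urls"] = sorted({m.decode("ascii", "replace")
                                   for m in URL_RE.findall(data)})
    return findings


if __name__ == "__main__":
    # Assumption: %System% is %SystemRoot%\System32 and %Temp% is the
    # current user's TEMP variable.
    sysdir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    result = triage(sysdir, os.environ.get("TEMP", "."))
    for path in result["present"]:
        print("FOUND", path)
    if result["size_match"]:
        print("_svchost.exe is 6144 bytes, matching the described sample")
    for url in result["urls"]:
        print("URL in RunOnce.tmp:", url)
```

On 64-bit Windows, file system redirection sends a 32-bit process's writes to `System32` into `SysWOW64`, so run `triage` against that directory as well.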
This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 6144 bytes in size. It is written in C.
Installation
Once launched, the Trojan copies its body to the Windows system directory as "_svchost.exe":
%System%\_svchost.exe
This file will be registered in the system as "Microsoft Inet Service".
Payload