The Trojan launches Internet Explorer and injects code into it that downloads files from the following links:

http://59.***.197.***/t21.exe
http://59.***.197.***/10050.exe

These files will be saved to the Windows system directory:

%System%\t21.exe

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameter:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  "wdfmgrnt" = "%System%\wdfmgrnt.exe"
- Delete the following files:
  %System%\wdfmgrnt.exe
  %System%\t21.exe
  %System%\10050.exe
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
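
The manual steps above can be scripted. The following PowerShell is an added example, not part of the original description or any vendor tool; the `-Remove` switch is a hypothetical parameter, and the script assumes the sample is 32-bit, so it also checks the WOW64 registry and SysWOW64 views that a 32-bit process is redirected to on 64-bit Windows.

```powershell
# Added example: audit (and optionally clean) the artifacts named in this description.
# Assumption: the sample is 32-bit, so on 64-bit Windows its writes to %System% and
# HKLM\Software may land in the WOW64 views; both views are checked.
# Run from an elevated 64-bit PowerShell so System32 is not itself redirected.
param([switch]$Remove)   # hypothetical switch: report only unless -Remove is given

$valueName = 'wdfmgrnt'
$fileNames = 'wdfmgrnt.exe', 't21.exe', '10050.exe'
$runKeys   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$sysDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
             Where-Object { Test-Path -LiteralPath $_ }

$findings = @()

# Autorun entry: the "wdfmgrnt" value under the Run key.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Detail = $prop.$valueName }
        if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $valueName }
    }
}

# Dropped and downloaded files in the Windows system directory.
foreach ($dir in $sysDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$($item.Length) bytes" }
            if ($Remove) {
                # Terminate any process running from this image before deleting it.
                Get-Process | Where-Object { $_.Path -eq $path } | Stop-Process -Force
                Remove-Item -LiteralPath $path -Force
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the listed artifacts were found.' }
```

A `wdfmgrnt.exe` reported at 31744 bytes matches the size given in this description; the original Trojan file, whose location depends on how it arrived, is not covered by the script and still has to be found separately.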
This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 31744 bytes in size. It is written in Visual Basic.

Installation

Once launched, the Trojan copies its executable file to the Windows system directory:

%System%\wdfmgrnt.exe

In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"wdfmgrnt" = "%System%\wdfmgrnt.exe"

Payload