Trojan-Downloader.Win32.VB.acl


When launched, the Trojan checks to see if a file c:\program files\trustin popups\popups.exe is present on the victim machine. If such a file is present, the Trojan will cease running.

If such a file is not found, the Trojan will create a directory c:\program files\TrustIn Popups and download a file called popups.exe from the following address:

http://***.trustincash.com/popups/popups.exe

This file will be saved to the directory created by the Trojan:

c:\program files\trustin popups\popups.exe

The Trojan then downloads a file from the following URL:

http://***.trustincash.com/popups/uninstall.exe

and saves it to the same directory:

c:\program files\trustin popups\uninstall.exe

At the time of writing, these links were not working.

The Trojan registers the uninstall.exe file in the system registry by adding the following values:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\TIPU]
"UninstallString" = "c:\program files\trustin popups\uninstall.exe"
"DisplayName" = "TrustIn Popups"

The file saved to the victim machine will then be launched and the Trojan will cease running.

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the files downloaded by the Trojan, popups.exe and uninstall.exe, from the following directory: c:\program files\trustin popups
  3. Delete the following registry key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\TIPU]
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus)
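
A read-only check for the files and registry key named above, useful for recording what is present on a host before carrying out steps 2 and 3. This is an added example, not part of the original entry: the function name `Get-TrustInPopupsArtifacts` is hypothetical, and the WOW6432Node lookup assumes a 64-bit Windows host, where a 32-bit process's writes to HKLM\Software are redirected.

```powershell
# Added example: read-only triage for the artifacts described in this entry.
# Function and variable names are hypothetical; paths and key names come from the entry.
function Get-TrustInPopupsArtifacts {
    [CmdletBinding()]
    param(
        # Install directory as given in the entry.
        [string]$InstallDir = 'C:\Program Files\TrustIn Popups'
    )

    $findings = @()

    # Files the Trojan downloads into the directory it creates.
    foreach ($name in 'popups.exe', 'uninstall.exe') {
        $path = Join-Path $InstallDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $file.FullName
                Detail   = "{0} bytes, created {1:u}" -f $file.Length, $file.CreationTimeUtc
            }
        }
    }

    # Uninstall entry. Assumption: on 64-bit Windows a 32-bit process writing to
    # HKLM\Software is redirected to WOW6432Node, so both views are checked.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\TIPU',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TIPU'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            $findings += [pscustomobject]@{
                Type     = 'RegistryKey'
                Location = $key
                Detail   = "DisplayName='{0}'; UninstallString='{1}'" -f $props.DisplayName, $props.UninstallString
            }
        }
    }

    # A leftover directory with the payload files already gone is still worth reporting.
    if ((Test-Path -LiteralPath $InstallDir -PathType Container) -and -not ($findings | Where-Object Type -eq 'File')) {
        $findings += [pscustomobject]@{ Type = 'Directory'; Location = $InstallDir; Detail = 'present, no payload files' }
    }
    $findings
}

Get-TrustInPopupsArtifacts | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found in the default locations; it does not rule out the original Trojan file, whose location step 1 notes will vary.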

This Trojan downloads files via the Internet without the user’s knowledge or consent. It is a Windows PE EXE file. The file is 7168 bytes in size. It is packed using UPX. The unpacked file is approximately 20KB in size. It is written in Visual Basic.
