Trojan-Downloader.Win32.Whomp.10


When launched, the Trojan causes the following message to be displayed:

The malicious user is asked to enter a URL from which a file can be downloaded. Once a URL has been entered, the program will open a file called server.exe, which should be located in the same folder as the program. It will write the URL entered by the malicious user to this file at offset 528. Before writing, the link will be encrypted using XOR with a mask of 0x0C8.

The server.exe file is a Trojan downloader. It is a Windows PE EXE file. It is 826 bytes in size.

When launched, this downloader will download a file from the link which was designated by the program generator. It saves the file as:

C:\msrestore.exe

and launches it for execution. The downloader will then cease running.
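For triage, the download URL can be recovered statically from a captured server.exe using the offset (528) and XOR mask (0x0C8) given above. The following is an added example, not code from the original write-up; the function names, the sample URL and the rule that the URL ends at the first non-printable byte are assumptions.

```python
import re

URL_OFFSET = 528  # from the description: the URL is written at offset 528
XOR_MASK = 0xC8   # from the description: XOR mask 0x0C8

def extract_url(sample: bytes):
    """Return the decoded download URL, or None if nothing plausible is found."""
    if len(sample) <= URL_OFFSET:
        return None
    decoded = bytes(b ^ XOR_MASK for b in sample[URL_OFFSET:])
    # Assumption: the write-up does not say how the URL is terminated, so stop
    # at the first byte that is not printable ASCII. This covers both a NUL
    # terminator and untouched padding after the URL.
    m = re.match(rb"[\x21-\x7e]+", decoded)
    if not m:
        return None
    url = m.group().decode("ascii")
    # Reject decodes that do not look like a URL (wrong sample or unconfigured stub).
    if not re.match(r"(?i)^(https?|ftp)://[^/]+", url):
        return None
    return url

def defang(url: str) -> str:
    """Make the indicator safe to paste into tickets and reports."""
    return re.sub(r"(?i)^http", "hxxp", url).replace(".", "[.]")

# --- Constructed test data (not a real sample or a real indicator) ---
CONSTRUCTED_URL = "http://downloads.example.invalid/payload.bin"

def make_constructed_sample(fill: int) -> bytes:
    """Build an 826-byte stand-in for server.exe with the given padding byte."""
    buf = bytearray([fill]) * 826
    buf[0:2] = b"MZ"
    enc = bytes(c ^ XOR_MASK for c in CONSTRUCTED_URL.encode("ascii"))
    buf[URL_OFFSET:URL_OFFSET + len(enc)] = enc
    return bytes(buf)

if __name__ == "__main__":
    for fill in (0x00, XOR_MASK):  # raw padding vs. an encoded NUL terminator
        url = extract_url(make_constructed_sample(fill))
        print(defang(url) if url else "no URL found")
```

A `None` result on a file of the right size usually means the stub was never configured or the sample is a different variant.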

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program.

  1. Terminate the Trojan process.
  2. Delete the original Trojan files.
  3. Delete the following file:

    C:\msrestore.exe
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

This Trojan downloads other programs via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent.

The Trojan itself is a Windows PE EXE file. It is 3,584 bytes in size. It is written in Assembler.

Payload
