Once launched, the Trojan creates the following folder:
%UserProfile%\Application Data\iefeatsl
It then downloads files from the following URLs:
http://00hq.com/feat/iefeatsl.dll
http://winlink.biz/feat/iefeatsl.dll
http://00hq.com/feat/msiesh.dll
http://winlink.biz/feat/msiesh.dll
and saves them to the folder it created.
%UserProfile%\Application Data\iefeatsl\msiesh.dll
%UserProfile%\Application Data\iefeatsl\iefeatsl.dll
Once the files have been saved, the Trojan will call the following function from the saved files:
DllRegisterServer
If the download procedure is not successful, the Trojan will repeat the download process every 5 minutes.
At the time of writing, files could not be downloaded from the addresses shown above.
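A detection sketch for the behaviour described above, added here as an example and not taken from the original write-up: it scans a web proxy log for requests to the four URLs and, per client, counts gaps between download attempts that sit close to the 5-minute retry interval. The log format, the sample lines, the 30-second tolerance and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Hosts and paths from the URL list above.
HOSTS = {"00hq.com", "winlink.biz"}
PATHS = {"/feat/iefeatsl.dll", "/feat/msiesh.dll"}
RETRY_SECONDS = 300  # retry interval stated in the description
TOLERANCE = 30       # assumed allowance for jitter and timestamp skew

# Constructed sample; assumed format: "<ISO time> <client> <status> <url>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 404 http://00hq.com/feat/iefeatsl.dll
2024-01-01T10:00:01 10.0.0.5 404 http://winlink.biz/feat/iefeatsl.dll
2024-01-01T10:00:02 10.0.0.5 404 http://00hq.com/feat/msiesh.dll
2024-01-01T10:00:03 10.0.0.5 404 http://winlink.biz/feat/msiesh.dll
2024-01-01T10:02:00 10.0.0.9 404 http://winlink.biz/feat/msiesh.dll
2024-01-01T10:03:00 10.0.0.7 200 http://example.org/feat/iefeatsl.dll
2024-01-01T10:05:03 10.0.0.5 404 http://00hq.com/feat/iefeatsl.dll
2024-01-01T10:05:04 10.0.0.5 404 http://winlink.biz/feat/iefeatsl.dll
2024-01-01T10:10:06 10.0.0.5 404 http://00hq.com/feat/iefeatsl.dll
"""

def matching_hits(log_text):
    """Map each client to the times it requested one of the listed URLs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        when, client, _status, url = parts
        target = urlsplit(url)
        if (target.hostname or "").lower() in HOSTS and target.path.lower() in PATHS:
            hits[client].append(datetime.fromisoformat(when))
    return hits

def retry_report(log_text):
    """Return {client: (matching_requests, gaps_near_retry_interval)}."""
    report = {}
    for client, times in matching_hits(log_text).items():
        times.sort()
        attempts = [times[0]]  # one attempt = a burst of up to four requests
        for t in times[1:]:
            if (t - attempts[-1]).total_seconds() > TOLERANCE:
                attempts.append(t)
        gaps = [(b - a).total_seconds() for a, b in zip(attempts, attempts[1:])]
        retries = sum(abs(g - RETRY_SECONDS) <= TOLERANCE for g in gaps)
        report[client] = (len(times), retries)
    return report
```

Any client in the report warrants a check for the iefeatsl folder; a non-zero second value means the host is still cycling through failed download attempts.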
- Use Task Manager to terminate the Trojan process
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
  %UserProfile%\Application Data\iefeatsl\msiesh.dll
  %UserProfile%\Application Data\iefeatsl\iefeatsl.dll
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus)
This Trojan downloads files via the Internet without the user’s knowledge or consent. It is a Windows PE EXE file 5632 bytes in size, packed using UPX. The unpacked file is approximately 20KB in size. It is written in C .
Payload