Trojan-Downloader.Win32.Wintrim.cu

Tag: Trojan Downloaders

This Trojan is designed to download files via the Internet without the knowledge or consent of the user.

The Trojan itself is a Windows DLL file, 13312 bytes in size, packed using UPX. The unpacked file is approximately 36KB in size.

Installation

The Trojan is installed on the victim machine by another malicious program.

It then registers itself in the system registry, ensuring that the Trojan will be launched each time Windows is started on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MService"="rundll32.exe \"<path to Trojan file>\",Startup"

Payload

The Trojan creates the following registry key, where it saves its configuration:

[HKCU\Software\MService]

It then opens the following link:

66.**.9.246/SA/mmc.php

It writes the data received from this link to the following files:

%System%\serviced.dat
%System%\serviceh.dat

Removal instructions

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following registry key: [HKCU\Software\MService]
  3. Delete the "MService" parameter from the following system registry key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "MService"="rundll32.exe \"<path to Trojan file>\",Startup"
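The following PowerShell script is an added example, not part of the original entry: it checks a host for the persistence and payload artifacts described above (the MService configuration key, the MService Run value and the two .dat files in %System%), reports the DLL path the Run value points at, and removes the artifacts only when run with -Remove. It assumes it is run in the context of the affected user account, since the keys live under HKCU.

```powershell
# Added example: detect (and optionally remove) the artifacts this entry describes.
# Assumption: run as the affected user (HKCU); the original DLL must still be
# located and deleted by hand at the path reported below.
param([switch]$Remove)

$findings = @()

# 1. Configuration key the Trojan creates
$cfgKey = 'HKCU:\Software\MService'
if (Test-Path $cfgKey) { $findings += "Config key present: $cfgKey" }

# 2. Autorun value: "MService" = rundll32.exe "<path to Trojan file>",Startup
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).MService
if ($runVal) {
    $findings += "Run value MService = $runVal"
    # Pull the quoted DLL path out of the rundll32 command line for quarantine
    if ($runVal -match '"([^"]+)"') { $findings += "Trojan DLL path: $($Matches[1])" }
}

# 3. Downloaded payload files written to %System%
$sysDir = [Environment]::GetFolderPath('System')
$payloads = 'serviced.dat', 'serviceh.dat'
foreach ($name in $payloads) {
    $path = Join-Path $sysDir $name
    if (Test-Path $path) { $findings += "Payload file present: $path" }
}

if (-not $findings) { Write-Output 'No Wintrim.cu artifacts found.'; return }
$findings | ForEach-Object { Write-Output $_ }

if ($Remove) {
    # Remove the autorun entry first so the DLL is not reloaded at next logon
    Remove-ItemProperty -Path $runKey -Name 'MService' -ErrorAction SilentlyContinue
    Remove-Item -Path $cfgKey -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($name in $payloads) {
        Remove-Item -Path (Join-Path $sysDir $name) -Force -ErrorAction SilentlyContinue
    }
    Write-Output 'Artifacts removed; delete the DLL at the reported path and reboot.'
}
```

Run it once without -Remove to review what it finds, then with -Remove after the DLL reported under "Trojan DLL path" has been quarantined.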

©Virus-Encyclopedia.com All Rights Reserved.