This Trojan makes it possible for a remote malicious user to appear to be working on the victim machine within a network.
The victim machine may be used as part of a botnet for sending spam and malicious programs.
When the system is started, it loads a library which launches IEXPLORE.EXE into which malicious code has been injected. This process will open a random TCP port. Notification is then sent to maila.microsoft.com.
The Trojan will try to access the Internet and connect to the following address:
http://66.36.***.132
Use Kaspersky Anti-Virus 6.0 to delete the Trojan. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This Trojan program makes it possible for a remote malicious user to use the victim machine as a proxy server. It is a Windows PE EXE file. The file is approximately 15KB in size. It is written in Visual C++. It is packed using UPack. The unpacked file is approximately 258KB in size.
Installation
Once launched, the Trojan drops the files listed below to %Documents and Settings%\%All Users%\%Common Documents%\Settings:
- polymorph.dll — the attribute 'hidden' is assigned to this file
- desktop.ini — the attribute 'hidden' is assigned to this file
The Trojan ensures that its library will be loaded when the Winlogon process starts (on system boot):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\polymorphreg]
"Asynchronous"="dword: 0x00000001"
"DllName"="%Documents and Settings%\%All Users%\%Common Documents%\Settings\polymorph.dll"
"Startup"="polymorphreg"
"Impersonate"="dword: 0x00000001"
The Trojan constantly checks that this key is present in the registry, and will restore it if the key is manually deleted.
Payload