When launched, the Trojan starts a system process, svchost.exe, and injects its code into that process. It then deletes its original file.
The injected code waits for an Internet connection and then downloads files from the following links:
- http://85.***.23.36/o/4.exe
- http://85.***.23.37/e/444.exe
(At the time of writing, these links were not working.)
The Trojan saves the files it has downloaded to its current directory under the following names:
- csrss.exe
- smss.exe
The files are then launched for execution.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
- Delete the files downloaded by the Trojan.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
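To help locate the downloaded files before deleting them, the following added example (not part of the original description) flags process-creation records that match the behaviour described above: csrss.exe or smss.exe running from outside the Windows system directory, and svchost.exe started by something other than services.exe. The record layout, the sample paths and the default `C:\Windows` install directory are assumptions, and the sample events are constructed.

```python
import ntpath

SYS32 = r"c:\windows\system32"  # assumption: default Windows install directory
# Names the description says the Trojan uses, with the directories where the
# genuine Windows binaries live.
ALLOWED_DIRS = {
    "svchost.exe": {SYS32, r"c:\windows\syswow64"},
    "csrss.exe": {SYS32},
    "smss.exe": {SYS32},
}

def findings(event):
    """Return the reasons one process-creation record looks suspicious."""
    image = ntpath.normpath(event["image"]).lower()
    parent = ntpath.basename(ntpath.normpath(event["parent_image"]).lower())
    name = ntpath.basename(image)
    reasons = []
    if name not in ALLOWED_DIRS:
        return reasons
    # Downloaded copies are saved under system process names elsewhere on disk.
    if ntpath.dirname(image) not in ALLOWED_DIRS[name]:
        reasons.append("system process name outside the system directory")
    # Heuristic: a genuine svchost.exe is started by services.exe.
    if name == "svchost.exe" and parent != "services.exe":
        reasons.append("svchost.exe not started by services.exe")
    return reasons

def scan(events):
    """Return (image, reason) pairs for every suspicious record."""
    return [(e["image"], r) for e in events for r in findings(e)]

# Constructed sample records (hypothetical paths, not taken from a real host).
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": TEMP + r"\sample.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": TEMP + r"\sample.exe"},
    {"image": TEMP + r"\csrss.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"image": TEMP + r"\smss.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```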
This Trojan is a Windows PE EXE file. The file is 10,757 bytes in size. It is packed using FSG. The unpacked file is approximately 60 KB in size. It is written in Delphi.