This Trojan is one of a family of Trojans which steals user passwords. It is a Windows PE EXE file. It is 52 925 bytes in size. It is packed using FSG.

Installation

When launched, the Trojan copies its executable file to the following directory:
%Program Files%\rundll32.exe
The Trojan also extracts the following .dll file from its body:
%System%\ct1dll.dll (this file is 42 496 bytes in size)
In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "loadMect1" = "<path to Trojan executable file>"

Payload

The Trojan sends notification that the victim machine has been infected to the following email address:
**@webshell.cn
The Trojan tracks keystrokes in windows titled "Lineage Windows Client". It harvests the user name and password to Lineage accounts.
Harvested data is saved to the following log file:
c:\gamect1.txt
The log is periodically sent to the remote malicious user by email.
The Trojan also terminates the following processes:
KVMONXP.KXP
KVXP.KXP
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE
RavMon.exe
PasswordGuard.exe

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following parameter from the system registry (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "loadMect1"
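Before following the removal steps, a quick read-only triage of the indicators given in this description helps confirm the infection and locate the process to terminate. The script below is an added example, not part of the original description; it assumes an elevated PowerShell session and only reports, it deletes nothing. Note that a legitimate rundll32.exe lives in %System% (System32), so a copy under %Program Files%, or a rundll32 process running from there, is the Trojan's.

```powershell
# Added example: report the file, registry and process indicators from this description.
# Assumption (not from the page): run from an elevated PowerShell prompt.
$indicators = @(
    @{ Path = Join-Path $env:ProgramFiles 'rundll32.exe';        Note = 'Trojan copy (52 925 bytes); real rundll32.exe is in System32' },
    @{ Path = Join-Path $env:SystemRoot 'System32\ct1dll.dll';   Note = 'dropped DLL (42 496 bytes)' },
    @{ Path = 'C:\gamect1.txt';                                  Note = 'keystroke log sent out by email' }
)
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'loadMect1'
$findings  = @()

# File indicators: report presence and actual size so it can be compared with the description.
foreach ($i in $indicators) {
    if (Test-Path -LiteralPath $i.Path -PathType Leaf) {
        $size = (Get-Item -LiteralPath $i.Path).Length
        $findings += [pscustomobject]@{ Indicator = $i.Path; Detail = "$size bytes; $($i.Note)" }
    }
}

# Autostart entry: the parameter the removal instructions say to delete.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Indicator = "$runKey\$valueName"; Detail = "autostart -> $($run.$valueName)" }
}

# Running process: a rundll32.exe whose image is outside System32/SysWOW64 is the one to terminate.
Get-Process -Name rundll32 -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and
                   $_.Path -notlike "$env:SystemRoot\System32\*" -and
                   $_.Path -notlike "$env:SystemRoot\SysWOW64\*" } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = "PID $($_.Id)"; Detail = "rundll32.exe running from $($_.Path)" }
    }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from this description were found.' }
```

The PID reported last is what to end in Task Manager before deleting the files and the registry value.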
