Monday, February 8, 2016

Trojan-Downloader.Win32.VB.eql (Translated)

Trojan-Downloader.Win32.VB.eql


Translated from
https://securelist.social-kaspersky.com/ru/descriptions/Trojan-Downloader.Win32.VB.eql 


Technical details

This Trojan downloads other software onto the computer without the user's knowledge. The program is a Windows application (PE EXE file), 1509125 bytes in size.

Installation

Once launched, the Trojan copies its body to the Windows system directory under the name "WINSP00L.EXE":
%System%\WINSP00L.EXE
To run automatically each time the system starts, the Trojan adds a reference to its executable to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSP00L" = "%System%\WINSP00L.EXE"

Payload

Once launched, the Trojan extracts the following files from its body into the directory "E_4" in the current user's temporary directory:
%Temp%\E_4\krnln.fnr - 1110016 bytes
%Temp%\E_4\shell.fne - 61440 bytes
%Temp%\E_4\eAPI.fne - 335872 bytes
%Temp%\E_4\internet.fne - 196608 bytes
%Temp%\E_4\spec.fne - 86016 bytes
%Temp%\E_4\RegEx.fne - 167936 bytes
%Temp%\E_4\dp1.fne - 126976 bytes
%Temp%\E_4\com.run - 278528 bytes
It then copies them to the Windows system directory under the same names:
%System%\krnln.fnr
%System%\shell.fne
%System%\eAPI.fne
%System%\internet.fne
%System%\spec.fne
%System%\RegEx.fne
%System%\dp1.fne
%System%\com.run
In addition, it extracts the following files into the Windows system directory:
%System%\ul.dll - 2404 bytes
%System%\og.dll - 692 bytes
%System%\og.edt - 512 bytes
After completing these steps, the Trojan accesses the following address:
http://www.*****base.cn/install.htm?pn=M080410
At the time of writing, this link was not working. The file downloaded from this link is saved in the Temporary Internet Files directory under a random name and launched for execution. The Trojan also connects to the following addresses:
http://www.microsoft.com
http://hi.baidu.com/siletoyou
http://www.baihe.googlepages.com/ul.htm
http://www.bloguser.googlepages.com/au.htm
After that, it extracts from its body a file whose name is composed of the current date and time, for example 20090929153554.exe, and places it in the Windows system directory:
%System%\20090929153554.exe
This file is 9216 bytes in size.
The extracted file is executed and then deleted.
In addition, the Trojan spreads via removable media under the name "Recycled.exe". An "Autorun.inf" file is also created in the root directory of the removable media to launch the Trojan file automatically.


Removal Instructions

If your computer was not protected by an antivirus and has been infected with this malware, remove it as follows:
  1. Use Task Manager to terminate the Trojan process:
    WINSP00L.EXE
  2. Delete the original Trojan file (its location on the infected computer depends on how the program originally reached the machine).
  3. Delete the copy of the Trojan:
    %System%\WINSP00L.EXE
  4. Delete the files and directories created by the Trojan:
    %Temp%\E_4\krnln.fnr
    %Temp%\E_4\shell.fne
    %Temp%\E_4\eAPI.fne
    %Temp%\E_4\internet.fne
    %Temp%\E_4\spec.fne
    %Temp%\E_4\RegEx.fne
    %Temp%\E_4\dp1.fne
    %Temp%\E_4\com.run
    %Temp%\E_4
    %System%\krnln.fnr
    %System%\shell.fne
    %System%\eAPI.fne
    %System%\internet.fne
    %System%\spec.fne
    %System%\RegEx.fne
    %System%\dp1.fne
    %System%\com.run
    %System%\ul.dll
    %System%\og.dll
    %System%\og.edt
    Delete the registry entry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "WINSP00L" = "%System%\WINSP00L.EXE"
  5. Check removable media for the files:
    Recycled.exe
    autorun.inf
    If found, delete them.
  6. Clear the Temporary Internet Files directory, which contains infected files.
  7. Update your antivirus databases and perform a full scan of the computer with Kaspersky Antivirus.
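As an added example (not part of the original description and not Kaspersky's own tooling), the following read-only PowerShell check looks on a suspect machine for the artifacts this description lists: the Run-key persistence entry, the dropped files in the system and temporary directories, the date-named dropper, the removable-media files and the running process. It assumes it runs with administrator rights and resolves %System% and %Temp% from the environment; it reports findings and deletes nothing.

```powershell
# Added example, not from the original description: read-only triage for the
# artifacts named on this page. Paths and names are taken from the description.
$ErrorActionPreference = 'SilentlyContinue'
$sys  = [Environment]::GetFolderPath('System')   # %System%
$tmp  = [IO.Path]::GetTempPath()                 # %Temp%
$hits = @()

# 1. Persistence: Run value "WINSP00L" (digit zeros, imitating "winspool").
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$val = (Get-ItemProperty -Path $runKey).WINSP00L
if ($val) { $hits += "Run value WINSP00L -> $val" }

# 2. Files the Trojan drops into %System% (sizes reported for comparison
#    with those given in the description).
$sysFiles = 'WINSP00L.EXE','krnln.fnr','shell.fne','eAPI.fne','internet.fne',
            'spec.fne','RegEx.fne','dp1.fne','com.run','ul.dll','og.dll','og.edt'
foreach ($f in $sysFiles) {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) {
        $hits += "File: $p ($((Get-Item -LiteralPath $p).Length) bytes)"
    }
}

# 3. Staging directory %Temp%\E_4 and its contents.
$e4 = Join-Path $tmp 'E_4'
if (Test-Path -LiteralPath $e4) {
    $hits += "Directory: $e4 ($((Get-ChildItem -LiteralPath $e4).Count) files)"
}

# 4. Date-stamped dropper: a 14-digit name such as 20090929153554.exe in %System%.
Get-ChildItem -LiteralPath $sys -Filter '*.exe' |
    Where-Object { $_.Name -match '^\d{14}\.exe$' } |
    ForEach-Object { $hits += "Date-named file: $($_.FullName)" }

# 5. Removable media (DriveType 2): Recycled.exe and autorun.inf in the root.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    foreach ($n in 'Recycled.exe','autorun.inf') {
        $p = "$($_.DeviceID)\$n"
        if (Test-Path -LiteralPath $p) { $hits += "Removable media: $p" }
    }
}

# 6. Running process (name without extension, as Get-Process expects).
if (Get-Process -Name 'WINSP00L') { $hits += 'Process WINSP00L.EXE is running' }

if ($hits) { $hits | ForEach-Object { Write-Output "[HIT] $_" } }
else       { Write-Output 'No artifacts from this description were found.' }
```

Any hit other than the registry value should be confirmed against the file sizes given above before acting on it, since the .fne/.fnr names are a generic runtime's module names and could in principle belong to an unrelated program.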
