Trojan.Win32.Scar.dgje
Detected | Dec 04 2010 12:24 GMT |
Released | Dec 04 2010 23:09 GMT |
Published | Sep 09 2011 09:54 GMT |
Technical Details
A trojan program. It is a Windows application (PE-EXE file). 742912 bytes. Packed by an unknown packer. Unpacked size – around 788 kB. Written in Delphi.
Installation
When launching, the trojan copies its executable file under the following name:
%AppData%\msuwarn\<Original_Filename>Where <Original_Filename> is the original name of the trojan file.
So that it may be automatically launched each time the system is started, the trojan adds a link to its executable file in the system registry startup key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "msuwarn"="%AppData%\msuwarn\<Original_Filename>"The trojan also periodically checks for this registry key and restores it if it has been deleted.
Payload
The trojan deletes the following registry branch and all of the keys within it. This means that the OS cannot be loaded in "Safe mode":
[HKLM\System\ControlSet001\Control\SafeBoot]The trojan retrieves two files from its body and saves these under the following names before launching them:
%AppData%\msuwarn\sdata.dllThis file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Agent2.cosd.
%Temp%\msuwarn.exeThis file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Pasmu.gv. When launched, this trojan program steals the logins, passwords, and other access data to various services from the following programs:
WS FTP CuteFTP Total Commander FileZilla FTP Commander Mozilla Thunderbird The Bat! Pidgin ICQ QIP MirandaThis trojan program also steals data from the following files:
%WinDir%\VD3User.dat %WinDir%\Vd3main.dat %WinDir%\win.ini %UserProfile%\My Documents\*.rdpThe trojan may transfer the collected data to the attacker through HTTP-requests to the following resource:
v***erm.freehostia.comThe trojan carries out network communication with the following hosts:
p***ergi.dk k***sse.ru s-***isa.ru e***a.ru 0***5d30.freehostia.com a***2ec.110mb.com 8***808.x10hosting.com c***0abb.awardspace.com b***5413.exofire.net b***e135.hostei.com 0***c269.orgfree.com d***f5ac1.h18.ru 7***d80e.eu.pnThe trojan may also download files from the following links:
http://83.***.208.173/data/setx.txt http://89.***.66.31/setx.txt http://216.***.199.76/setx.txt http://208.***.240.35/setx.txt http://69.***.6.102/setx.txt http://69.***.6.102/setx.txt http://31.***.160.249/setx.txtThese links did not work when creating the description.
Removal instructions
If your computer has not been protected by antivirus software and is infected by a trojan program, you need to use Kaspersky Antivirus to delete it: run a full scan of the computer with Kaspersky Antivirus with updated antivirus databases (
НОВОЕ НА САЙТЕ
17 апреля 2024 года
В 2023 году самыми всераспространенными Android-угрозами стали троянские программы, демонстрирующие рекламу. Шпионские троянские приложения по уподоблению с прошлым годом понизили свою энергичность таково словно стали вторыми по числу детектирований на защищаемых антивирусом Dr.Web устройствах. невзирая на то, словн... Вирусные новости
11 апреля 2024 года
Обновление ориентировано н... Антивирус Dr.Web
4 апреля 2024 года
1 апреля 2024 года
1 апреля 2024 года