Technical Details

A trojan program. It is a Windows application (PE-EXE file). 742912 bytes. Packed by an unknown packer. Unpacked size – around 788 kB. Written in Delphi.

Installation

When launching, the trojan copies its executable file under the following name:

%AppData%\msuwarn\<Original_Filename>

So that it may be automatically launched each time the system is started, the trojan adds a link to its executable file in the system registry startup key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"msuwarn"="%AppData%\msuwarn\<Original_Filename>"

Payload

The trojan deletes the following registry branch and all of the keys within it. This means that the OS cannot be loaded in "Safe mode":

[HKLM\System\ControlSet001\Control\SafeBoot]

%AppData%\msuwarn\sdata.dll

%Temp%\msuwarn.exe

WS FTP
CuteFTP
Total Commander
FileZilla
FTP Commander
Mozilla Thunderbird
The Bat!
Pidgin
ICQ
QIP
Miranda

%WinDir%\VD3User.dat
%WinDir%\Vd3main.dat
%WinDir%\win.ini
%UserProfile%\My Documents\*.rdp

v***erm.freehostia.com

p***ergi.dk
k***sse.ru
s-***isa.ru
e***a.ru
0***5d30.freehostia.com
a***2ec.110mb.com
8***808.x10hosting.com
c***0abb.awardspace.com
b***5413.exofire.net
b***e135.hostei.com
0***c269.orgfree.com
d***f5ac1.h18.ru
7***d80e.eu.pn

http://83.***.208.173/data/setx.txt
http://89.***.66.31/setx.txt
http://216.***.199.76/setx.txt
http://208.***.240.35/setx.txt
http://69.***.6.102/setx.txt
http://69.***.6.102/setx.txt
http://31.***.160.249/setx.txt

Removal instructions

If your computer has not been protected by antivirus software and is infected by a trojan program, you need to use Kaspersky Antivirus to delete it: run a full scan of the computer with Kaspersky Antivirus with updated antivirus databases (download trial version).

17 апреля 2024 года