Trojan.Win32.Jorik.Carberp.ar
| Detected | Jul 06 2011 11:08 GMT |
| Released | Jul 06 2011 13:08 GMT |
| Published | Sep 20 2011 12:23 GMT |
Technical Details
A trojan that provides the attacker with remote access to the infected computer. It is a Windows application (PE-EXE file). 176640 bytes. UPX packed. Unpacked size – around 245 kB. Written in C++.
Installation
After launching, the trojan copies its body to the current user's Startup directory, providing it with the option to automatically launch every time the system is started. A copy is created under a random name:
%USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exewhere <rnd> is a random sequence of digits and Latin letters, for example: "v6o3pl8nhq".
The trojan then launches the copy of the "EXPLORER.EXE" system process and enters the executable code in the address space, implementing all of its destructive functions.
Payload
The code loaded during the "EXPLORER.EXE" process runs a copy of the "SVCHOST.EXE" system process and enters the code in the address space, implementing a backdoor function and carrying out the following actions:
- deleting the original trojan file;
- hiding the previously created copy in the Startup directory;
- establishing a connection with the attacker's servers to receive commands. Depending on the commands received, the backdoor may carry out the following actions:
- update its original file, loading an update from the attacker's server;
- load other files onto the infected computer;
- track network system traffic in order to steal confidential user information;
- collect information about the infected system;
- track the user's keyboard entries;
- send the collected information to the attacker's server.
me***i38.com a***gh.inWhen creating the description, the trojan had downloaded an update of its executable file. A file of 106496 bytes was downloaded; MD5: 27DDD62D3F3C7DFA3498C9A077F3D93A, SHA1: D9E958FED91C1A78A82C26F8B1728CA532BEECD1; detected by Kaspersky Antivirus as "Trojan.Win32.Diple.vvd".
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Restart the computer in "safe mode" (when starting up, press F8, then select "Safe Mode" from the Windows start menu).
- Delete the following file:
%USERPROFILE%\Start Menu\Programs\Startup\<rnd>.exe
- Clear the Temporary Internet Files directory which may contain infected files (
). - Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (
).
MD5: BCB0C595A3CB7244FE00388963129476
SHA1: 9F0FCBE303BE4B8020E731DB55DA5AAB84A08AF6
НОВОЕ НА САЙТЕ
23 апреля 2024 года
В составе песочницы будет обновлена документация — описание работы обслуживания будет снова на... Антивирус Dr.Web
Бизнес-школа «БИЗНЕС ИНСАЙТ» и проект «ЭКСПЕРТЫ» приглашают на III Всероссийский онлайн-форум «БИЗНЕС. ВЕСНА 2024». Бизнес-форум — важнейшее событие в мире бизнеса. На одной площадке соберутся действующие предприниматели, эксперты-практики, чтобы поделиться […]
The post
17 апреля 2024 года
В 2023 году самыми всераспространенными Android-угрозами стали троянские программы, демонстрирующие рекламу. Шпионские троянские приложения по уподоблению с прошлым годом понизили свою энергичность таково словно стали вторыми по числу детектирований на защищаемых антивирусом Dr.Web устройствах. невзирая на то, словн... Вирусные новости
11 апреля 2024 года
Обновление ориентировано н... Антивирус Dr.Web
4 апреля 2024 года