If your computer was not protected by anti-virus software and has been infected with this malware, take the following actions to remove it:
- Delete the original program file (its location on the infected computer will depend on how the program got onto the computer).
- Clear the Temporary Internet Files directory, which may contain infected files (How to delete infected files in the Temporary Internet Files folder?):
%Temporary Internet Files%
- Delete the following file:
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
When launched, the exploit downloads a file from a link. Depending on the version, the exploit may download the file from different links, for example:
http://98.***.14.171:321/cc.exe
http://121.***.170.179:54321/h.exe
http://121.***.168.129:987/ss.exe
http://x.***ririni.info:6789/down/my/103.exe
http://x.***ririni.info:6789/down/my/108.exe
http://58.***.36.199:8832/xx/xm05.css
While this description was being prepared, two files were downloaded from some of the indicated links. One file is 16372 bytes and is detected by Kaspersky Antivirus as Trojan-Downloader.Win32.Agent.ssax. The second file is 25088 bytes and is detected by Kaspersky Antivirus as Trojan-Downloader.Win32.Geral.vnk. The downloaded file is saved under the following name:
The downloaded file is then launched and the exploit shuts down.
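A defender-side triage sketch for the download behaviour described above, added here as an example and not taken from the Kaspersky description: it scores web-proxy log entries on traits visible in the example links (IP-literal host, explicit non-default port, `.exe` path) plus the two reported payload sizes. The log format, the names `score_request` and `hunt`, the threshold and every sample line are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload sizes in bytes, as reported in the description above.
REPORTED_SIZES = {16372, 25088}
DEFAULT_PORTS = {"http": 80, "https": 443}

def score_request(url, resp_bytes):
    """Return the traits a request shares with the example download links."""
    parts = urlsplit(url)
    traits = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        traits.append("ip-literal-host")
    except ValueError:
        pass  # host is a DNS name (or missing), not an IP literal
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        traits.append("non-default-port")
    if parts.path.lower().endswith(".exe"):
        traits.append("exe-path")
    if resp_bytes in REPORTED_SIZES:
        traits.append("reported-payload-size")
    return traits

def hunt(log_lines, threshold=2):
    """Flag successful GETs that show at least `threshold` traits (assumed cut-off)."""
    hits = []
    for line in log_lines:
        _ts, client, method, url, status, size = line.split()
        if method != "GET" or status != "200":
            continue
        traits = score_request(url, int(size))
        if len(traits) >= threshold:
            hits.append((client, url, traits))
    return hits

# Constructed sample log (assumed format: time client method url status bytes).
# Hosts use documentation ranges and example domains, not the page's masked links.
SAMPLE_LOG = [
    "2000-01-01T10:00:00Z 10.0.0.5 GET http://198.51.100.7:321/cc.exe 200 16372",
    "2000-01-01T10:00:05Z 10.0.0.5 GET http://www.example.com/index.html 200 5120",
    "2000-01-01T10:01:00Z 10.0.0.8 GET http://downloads.example.org/setup.exe 200 733184",
    "2000-01-01T10:02:00Z 10.0.0.9 GET http://files.example.net:6789/down/my/103.exe 200 25088",
    "2000-01-01T10:03:00Z 10.0.0.9 GET http://203.0.113.9:8832/xx/xm05.css 200 4096",
]

if __name__ == "__main__":
    for client, url, traits in hunt(SAMPLE_LOG):
        print(client, url, ",".join(traits))
```

A single trait, such as an ordinary `.exe` download from a named host on port 80, stays below the threshold; a size match alone is weak evidence and only adds weight to the other traits.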