If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Delete the original program file (its location on the infected computer will depend on how the program got onto the computer).
- Change the modified "%System%\drivers\etc\hosts" file using any standard application (for example, "Blocknote" — "Notepad"). You need to delete all of the strings added by the trojan. The original hosts files looks as follows:
# (C) Microsoft Corp., 1993-1999 # # It is a sample HOSTS file using Microsoft TCP/IP for Windows. # # This file contains the mappings for the IP-address to the host names. # Each element should be located within a separate string. The IP-address should # be located in the first column, followed by the relevant name. # The IP-address and host name should be separated by at least one space. # # Moreover, some strings may contain comments # (details of the string). These should follow the name of the host and should be separated # from it by the '#' symbol. # # For example: # # 18.104.22.168 rhino.acme.com # source server # 22.214.171.124 x.acme.com # client host x
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
Using the "wget" utility, the trojan downloads a file from the internet from the following link:
The link did not work when creating the description.
The downloaded file is copied by the trojan under the following names:
c:\WINDOWS\system32\drivers\etc\hosts d:\WINDOWS\system32\drivers\etc\hosts e:\WINDOWS\system32\drivers\etc\hosts f:\WINDOWS\system32\drivers\etc\hosts g:\WINDOWS\system32\drivers\etc\hosts
The trojan therefore replaces the "hosts" system file if the operating system is installed on one of the indicated drives.
A trojan program that downloads files from the Internet without the user's knowledge. This is a batch file command interpreter (BAT-file). 8326 bytes.