Trojan-Downloader.BAT.wGet.m

Removal Instructions

If your computer is not protected by anti-virus software and has been infected with this malware, take the following steps to remove it:

  1. Delete the original program file (its location on the infected computer will depend on how the program got onto the computer).
  2. Edit the modified "%System%\drivers\etc\hosts" file with any plain-text editor (for example, Notepad) and delete every line added by the trojan. The original hosts file looks as follows:
    # (C) Microsoft Corp., 1993-1999
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names.
    # Each entry should be kept on a separate line. The IP address should
    # be placed in the first column, followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one space.
    #
    # Additionally, a line may carry a comment (describing the entry).
    # A comment follows the host name and is separated from it
    # by the '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # client host x
    127.0.0.1 localhost

  3. Run a full Kaspersky Anti-Virus scan of the computer with updated antivirus databases.


MD5: af66f43f9ef8d8e3257e67592e71e7a3
SHA1: 3f43c4d6b0548d331e83545da22647b2122c6ee3

Payload

Using the "wget" utility, the trojan downloads a file from the Internet at the following link:

http://tinyurl.com/6***9bc

The link was no longer working at the time this description was written.


The trojan copies the downloaded file to the following paths:

c:\WINDOWS\system32\drivers\etc\hosts
d:\WINDOWS\system32\drivers\etc\hosts
e:\WINDOWS\system32\drivers\etc\hosts
f:\WINDOWS\system32\drivers\etc\hosts
g:\WINDOWS\system32\drivers\etc\hosts

The trojan therefore replaces the system "hosts" file if the operating system is installed on one of the listed drives.
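The removal step above (delete every line the trojan added and restore the stock file) and the hosts-file replacement described in this section can both be checked with a small script. The following is an added example, not part of the original description and not a Kaspersky tool: it parses a hosts file, reports every mapping that is not the stock localhost entry (loopback mappings are tagged "block", anything else "redirect"), and emits a cleaned copy that keeps only comments and the stock entries. The sample file content and the .invalid domain names are constructed for the example.

```python
# Baseline mappings a stock Windows hosts file may legitimately contain.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the stock file with two lines appended by a hypothetical
# hosts-hijacking trojan (not content taken from the actual malware sample).
SAMPLE_HOSTS = """\
# (C) Microsoft Corp., 1993-1999
# For example:
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 update.example-av.invalid # blocks a vendor's update server
198.51.100.7 www.example-bank.invalid
"""

def parse_hosts(text):
    """Return (line_no, ip, [names]) for every non-comment mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        entries.append((no, parts[0], parts[1:]))
    return entries

def find_added_entries(text):
    """List mappings outside BASELINE, tagged 'block' (loopback) or 'redirect'."""
    findings = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            if (ip, name.lower()) in BASELINE:
                continue
            kind = "block" if ip in ("127.0.0.1", "0.0.0.0", "::1") else "redirect"
            findings.append((no, kind, ip, name))
    return findings

def clean_hosts(text):
    """Return the file with every non-baseline mapping removed; comments kept."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            kept.append(raw)  # comment or blank line: keep as-is
        elif len(parts) >= 2 and all((parts[0], n.lower()) in BASELINE for n in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for no, kind, ip, name in find_added_entries(SAMPLE_HOSTS):
        print(f"line {no}: {kind:8s} {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Review the reported entries before replacing the file: a "block" entry aimed at an anti-virus update server is a typical sign of tampering, while a "redirect" entry that may be a legitimate local override is for the administrator to judge.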

Technical Details

A trojan program that downloads files from the Internet without the user's knowledge. It is a batch file (BAT file) executed by the Windows command interpreter. Size: 8326 bytes.