Trojan-Downloader.Win32.Geral.aakv

Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Using , end the trojan process.
  2. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  3. Delete the parameters in the key of the system registry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "System"="%System%\system.exe"
    

  4. Delete the following file:
    %System%\system.exe

  5. Clear the current user's temporary file directory:
    %Temp%\

  6. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


[MD5: 1d39cc9adc940f75ae99f3748c6ac819]
[SHA1: b3eb5c53da03302f9b44588a26c4b63ec49b6f83]

Payload

After launching, in order to control the uniqueness of its process within the system, the trojan creates a unique identifier called "SeBebugPrivilege". The trojan then copies the system library named:

%System%\wininet.dll

and saves this in the temporary file directory under a random name:
%Temp%\<tmp>.tmp

where tmp is the name of the temporary file. The trojan then imports the functions which the trojan needs to download other malware from the saved copy of the library. The trojan then tries to download the file located at the following link:
http://e05.cxe95.com:8080/re05/sc.png
.
and saves this in the temporary file directory under the following name:
%Temp%\<tmp>.tmp

The file is then launched for execution. The file is then copied to the system directory under the following name:
%System%\system.exe

So that it may be automatically launched each time the OS is started, the trojan creates a link to the malicious file in the system registry startup key in a separate string:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="%System%\system.exe"

The trojan also determines the physical address of the computer (MAC-address) and transfers this to the attacker's server in a HTTP request from the following link: http://e05.cxe95.com:8080/?a=<rnd>&b=<rnd>&c=<rnd>&d=XX-XX-XX-XX-XX-XX where
XX-XX-XX-XX-XX-XX – MAC-address;

rnd is a random sequence of digits.


These links did not work when creating the description.

Technical Details

A trojan program that downloads other software to the computer without the user's knowledge and launches this software for execution. It is a Windows application (PE-EXE file). 52224 bytes. Written in C++.