This Trojan has a malicious payload. It is a Windows application (PE EXE file). It is 585 661 bytes in size. It is written in Delphi.
The program's main window is shown below:
Once launched, the Trojan performs the following actions:
- If it detects the following processes, it ceases running:
VMwareUser.exe
VMwareService.exe
VMwareTray.exe
- It checks for the presence of the following system registry key (which presumably is created by other malicious programs):
- It moves the following files:
For Windows XP and Windows 2003:
%Documents and Settings%\All Users\Templates\Directdb.xml
For Windows Vista and Windows 7:
%Temporary Internet Files%\Directdb.xml
It moves these files under the following names respectively:
%Documents and Settings%\All Users\Templates\qweoi.tmp
%Temporary Internet Files%\qweoi.tmp
Then it performs a deferred deletion of these files (it has not been established where these files originate or which application owns them).
- It deletes the following files (it has not been established where these files originate or which application owns them):
- It causes the following error message to be displayed:
The Trojan also launches two copies of its body, into which it injects code from its resources.
The code injected into the first copy is 99 328 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Agent.eisi. The injected code performs the following actions:
- It deletes the following file:
where <X> indicates the system disk.
- It runs the following command:
ipconfig.exe /all >C:\tmp.log
This command saves the Windows IP configuration to the file "C:\tmp.log".
- It overwrites the content of the "C:\tmp.log" file with the following strings:
pushd interface ip
set dns name="<Name>" source=static addr=121.***.240 register=PRIMARY
add dns name="<Name>" addr=125.***.219 index=2
set wins name="<Name>" source=static addr=none
popd
where <Name> is the name of the network connection, for example "Local Area Connection". It runs the command shown below:
netsh.exe -f C:\tmp.log
This modifies the addresses of the main and auxiliary DNS servers and, as a consequence, redirects all DNS requests to the specified addresses. The DNS server modification method is implemented in such a way that it works only on systems where the string "Ethernet adapter" in the output of the "ipconfig /all" command has not been localized, i.e. has not been translated into a national language. For example, the method does not work on a Russian localization, because that string does not appear in the "ipconfig /all" output: the localized string "Ethernet адаптер" is displayed in its place.
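As an added illustration from the defender's side (not code from the original analysis), the script below parses a netsh script of the shape written to C:\tmp.log and reports any resolver address not on an approved list, and shows why an English-only "Ethernet adapter" match finds no connection name in localized ipconfig output. The sample script, the documentation-range addresses standing in for the masked ones, the allowlist and the ipconfig fragments are all constructed.

```python
import re

# Constructed sample in the shape of the netsh script the Trojan writes to
# C:\tmp.log; 192.0.2.x / 198.51.100.x (documentation ranges) stand in for
# the addresses masked in the analysis.
SAMPLE_SCRIPT = """pushd interface ip
set dns name="Local Area Connection" source=static addr=192.0.2.240 register=PRIMARY
add dns name="Local Area Connection" addr=198.51.100.219 index=2
set wins name="Local Area Connection" source=static addr=none
popd
"""

# Resolvers the organisation actually uses (constructed allowlist).
APPROVED_DNS = {"10.0.0.53", "10.0.1.53"}

# 'set dns ... addr=X' and 'add dns ... addr=X' lines in an 'interface ip' context.
DNS_CMD = re.compile(
    r'^(?P<verb>set|add)\s+dns\s+name="(?P<name>[^"]+)".*?\baddr=(?P<addr>\S+)',
    re.IGNORECASE,
)

def parse_dns_changes(script: str) -> list[tuple[str, str, str]]:
    """Return (verb, connection name, address) for each DNS command in the script."""
    changes = []
    for line in script.splitlines():
        m = DNS_CMD.match(line.strip())
        if m:
            changes.append((m["verb"].lower(), m["name"], m["addr"]))
    return changes

def rogue_dns_servers(script: str, approved: set[str] = APPROVED_DNS) -> list[str]:
    """Addresses the script would install as resolvers that are not approved."""
    return [addr for _, _, addr in parse_dns_changes(script)
            if addr.lower() != "none" and addr not in approved]

# The injected code takes the connection name from the English header
# 'Ethernet adapter <name>:' in 'ipconfig /all' output; the same match over
# localized output finds nothing, so the hijack cannot build its script.
ADAPTER_LINE = re.compile(r"^Ethernet adapter (?P<name>.+):$", re.MULTILINE)

def adapter_names(ipconfig_output: str) -> list[str]:
    """Connection names recognised by an English-only 'Ethernet adapter' match."""
    return ADAPTER_LINE.findall(ipconfig_output)

# Constructed fragments of 'ipconfig /all' output, English and Russian.
IPCONFIG_EN = "Windows IP Configuration\n\nEthernet adapter Local Area Connection:\n"
IPCONFIG_RU = ("Настройка протокола IP для Windows\n\n"
               "Ethernet адаптер Подключение по локальной сети:\n")
```

Running rogue_dns_servers over a script recovered from a host is a quick triage step: any address it returns is a resolver the organisation did not configure.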
- It terminates the following process:
- It sends a request to the following site:
where <StartPage> is the home page, received from the following registry key:
[HKCU\Software\Microsoft\Internet Explorer\Main\Start Page]
- It creates the directory:
where it places its body as:
and executes deferred deletion of this file.
The code injected into the second copy is 479 232 bytes in size. This code performs the following actions:
- It connects to the following resource using a GET request:
At the time of writing, this resource was not accessible.
The data received in response to this request is checked for the requested data (response code 200) and for the string
The received data is then processed. Presumably it contains a list, possibly of URL addresses, since the code responsible for handling the received data performs an extensive search for delimiters. The processing mechanism itself has not been investigated, as the resource is no longer available and the processing is data-driven.
- If the server's response from the above-mentioned address does not contain the requested data, the "infmantion.bat" file is created in the working directory. This file contains the following strings:
:try
del /q /f "<Path_to_original_body_of_trojan>"
if exist <Path_to_original_body_of_trojan> goto try
del %0
Running this file deletes the body of the Trojan.
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the malicious process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following file:
where <X> indicates the system disk.
- Your network administrator can provide the original values for the main and auxiliary DNS servers so you can restore them in your system.
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).