| Detection added | Sep 24 2008 |
| Update released | Sep 24 2008 21:53 GMT |
| Description added | Feb 24 2009 |
This Trojan downloads another malicious program via the Internet and launches
it on the victim machine without the user’s knowledge or consent. It
is a Windows PE EXE file, 9216 bytes in size, packed using UPX.
The unpacked file is approximately 38 KB in size. It is written in C++.
The Trojan downloads files from the following URLs:
http://*****fdujt.info/?44ffa2
http://*****fdujt.info/i.php
http://*****fdujt.info/myh.php
At the time of writing, these links were not working.
The files will be saved to the current user’s Windows temporary directory
with random names.
The Trojan then sends a request to the following address:
http://195.24.77.***/utest/?*****74&oo=2&75f2d3=33985db&ra=0
If the server does not respond, the Trojan will repeat the attempt after six
minutes.
The Trojan also creates a unique identifier, “S_SERV_v0.66_Beta_erf”
to flag its presence in the system.
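The six-minute retry described above leaves a regular pattern in web proxy logs. The following is an added example, not part of the original description: it flags a client that requests the same host and path at roughly 360-second intervals. The log format, the host name `c2.example.invalid`, the query strings, the tolerance and the minimum run length are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

RETRY_SECONDS = 360   # six-minute retry interval stated in the description
TOLERANCE = 15        # assumed allowance (seconds) for jitter and clock skew
MIN_INTERVALS = 3     # assumed number of consecutive matching gaps needed to flag

# Constructed sample proxy log: "<ISO timestamp> <client> <host> <url path>"
SAMPLE_LOG = """\
2008-09-25T10:00:00 10.0.0.5 c2.example.invalid /utest/?a=1
2008-09-25T10:02:10 10.0.0.7 www.example.org /index.html
2008-09-25T10:06:01 10.0.0.5 c2.example.invalid /utest/?a=2
2008-09-25T10:12:00 10.0.0.5 c2.example.invalid /utest/?a=3
2008-09-25T10:15:30 10.0.0.7 www.example.org /news
2008-09-25T10:17:59 10.0.0.5 c2.example.invalid /utest/?a=4
2008-09-25T10:40:00 10.0.0.7 www.example.org /index.html
"""

def group_requests(log_text):
    """Group request timestamps by (client, host, path without query string)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, host, url = parts
        try:
            seen[(client, host, url.split("?", 1)[0])].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    return seen

def find_retry_beacons(log_text):
    """Return (client, host, path, run) for each key with a long enough run of ~6-minute gaps."""
    hits = []
    for key, times in group_requests(log_text).items():
        times.sort()
        run = best = 0
        for a, b in zip(times, times[1:]):
            gap = (b - a).total_seconds()
            run = run + 1 if abs(gap - RETRY_SECONDS) <= TOLERANCE else 0
            best = max(best, run)
        if best >= MIN_INTERVALS:
            hits.append((*key, best))
    return hits

if __name__ == "__main__":
    for client, host, path, n in find_retry_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}{path}: {n} consecutive ~6-minute gaps")
```

Grouping ignores the query string so that requests whose parameters change between attempts still count as one series.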
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete all files from %Temporary Internet Files%.
- Empty the temporary directory (%Temp%).
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).