Other versions: .cg, .cz, .dam, .hg, .jk, .jm, .s, .tnd, .tne, .tor, .tos, .yk, .yt, .yx
| Detection added | Jul 12 2008 |
| Update released | Jul 12 2008 12:21 GMT |
| Description added | Feb 24 2009 |
This Trojan downloads other files via the Internet and launches them for execution
on the victim machine without the user’s knowledge or consent. It is
a Windows PE EXE file. It is 34816 bytes in size. It is not packed in any way.
It is written in C++.
Installation
Once launched, the Trojan copies its body to the Windows temporary directory
as shown below:
%Temp%\hbgdown.exe
%Temp%\msdtc.exe
In order to ensure the Trojan is launched next time the system is started,
it creates a service called “HTTP SSH”:
[HKLM\SYSTEM\CurrentControlSet\Services\HTTP SSH]
"DisplayName" = "HTTP SSH"
"ErrorControl" = "0"
"ImagePath" = "%Temp%\msdtc.exe"
"ObjectName" = "LocalSystem"
"Start" = "2"
"Type" = "10"
The Trojan downloads a file from the URL shown below:
http://*****gcdon.com.cn/v.exe
This file is saved to the Windows temporary directory as shown below:
%Temp%\gbn.exe
The downloaded file will then be launched for execution.
At the time of writing, the link was not active.
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Use Task Manager to terminate the Trojan process.
- Delete the following system registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\HTTP SSH]
- Delete the original Trojan file (the location will depend on how the program
originally penetrated the victim machine).
- Delete the following files:
%Temp%\hbgdown.exe
%Temp%\msdtc.exe
%Temp%\gbn.exe
- Delete all files from %Temporary Internet Files%.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
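The service persistence described under Installation and the file indicators listed in the removal steps can be audited with a script such as the following. It is an added example, not part of the original description: it assumes the indicators exactly as given above (service name "HTTP SSH", the three file names under %Temp%), generalises the service check to any service whose ImagePath resolves inside the temp directory, and only reports findings without deleting anything.

```powershell
# Added example: audit a Windows host for the indicators in the description above.
# Detection only; removal is left to the manual steps listed on the page.
# Note: the service runs as LocalSystem, so the %Temp% it used may be the system
# account's temp directory rather than the current user's; run this elevated and
# check both if the first pass is clean.
$svcName = 'HTTP SSH'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP)
$files   = @('hbgdown.exe', 'msdtc.exe', 'gbn.exe') | ForEach-Object { Join-Path $tempDir $_ }

$findings = @()

# 1. The exact service key the Trojan creates.
if (Test-Path -LiteralPath $svcKey) {
    $props = Get-ItemProperty -LiteralPath $svcKey
    $findings += "Service key present: $svcKey (ImagePath = $($props.ImagePath))"
}

# 2. Generalisation: any service whose ImagePath expands to a path under %Temp%
#    is suspect, since legitimate services are not installed there.
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
ForEach-Object {
    $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img) {
        $expanded = [Environment]::ExpandEnvironmentVariables($img).Trim('"')
        if ($expanded.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Service '$($_.PSChildName)' runs from temp: $expanded"
        }
    }
}

# 3. The dropped copies and the downloaded file. Only the %Temp% location matters:
#    a genuine msdtc.exe lives in System32, so the name alone is not an indicator.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings += "File present: $f ($size bytes)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```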