Other Name: .ac, .bl, .bq, .fk, .pj, .qlh, .rs, .td, .uj, .zf

Technical



The Trojan displays the following message:



It also modifies the following system registry key parameter values:

* Prevents Task Manager from being launched in order to view processes, priority changes or the state of individual processes:


* Prevents Regedit.exe. or Regedt32.exe from being launched in order to edit the system registry:

    
* Disables the Run shortcut in the Start menu, and also the <WIN>+<R> key combination:


* Prevents the computer from being shut down by choosing Shut Down from the Start menu, or by pressing Ctrl+Shift+Del:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose" = "1"

Stops services listed below:

ccEvtMgr
NPFMntor
SNDSrvc
NSCService
SPBBCSvc
ccSetMgr

The Trojan sends a request to download a file from one of the addresses shown below which belong to the malicious user:

http://www.freeweb*****.com/solti
http://dave*****host9.com
http://www.freeweb*****.com/pete2244
http://www.rej*****/temp/

The file will be saved as "index.html " to the following directory:

%WinDir%Web Download\index.html

At the time of writing, the Trojan reads the following URLs from the downloaded file in order to download further files:

http://www.freeweb*****.com/pete2244/pics/solar_system_1.jpg
http://www.freeweb*****.com/pete2244/pics/solar_system_5.jpg
http://www.freeweb*****.com/pete2244/pics/solar_system_8.jpg

These files will be saved as follows:

%WinDir%Web Download\solar_system_1.jpg
%WinDir%Web Download\solar_system_5.jpg
%WinDir%Web Download\solar_system_8.jpg

The Trojan then extracts the files shown below from the files it downloaded and saved, and saves them to the current user's Windows temporary directory:

%Temp%\build_dol.exe

This file is 10240 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Pakes.kxv.

%Temp%\bundle.exe

This file is 85960 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.bfr.

%Temp%\DealioKit97-stub-0.exe

This file is 291776 bytes in size.

%Temp%\install.exe

This file is 44032 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.fdx.

%Temp%\is_cookie.exe

This file is 419731 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Agent.agih.

%Temp%\NNDSKA638.exe

This file is 45063 bytes in size. It will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.ZenoSearch.o.

The saved files are then launched for execution.

The Trojan then creates a command interpreter file called "updq.bat" in the same directory:

%Temp%\upd1.bat

It writes code to delete the body of the Trojan and the "%WinDir%Web Download" directory to this file.

When it has delivered its payload, the Trojan launches "%Temp%\upd1.bat" for execution.


Removal

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.

2. Delete the following system registry key parameter values:

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr" = "1"
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableRegistryTools" = "1"
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoRun" = "1"
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoClose" = "1"

3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

4. Empty the temporary directory (%Temp%).

5. Delete all files from %Temporary Internet Files%.

6. Update your antivirus databases and perform a full scan of the computer.





____________________
The more you lose yourself in something bigger than yourself, the more energy you will have!!