Trojan.Patched.V
MEDIUM
MEDIUM
30k
(Trj/Agent.FTI, Win32:Small-DKF[Trj])
Symptoms
The firewall detects connection requests to the sites: wikipedia.org, myspace.com, youtube.com, yahoo.com and www.google.com.
The HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad registry key contains an entry referring to a file with a suspicious name, that is, a name that belongs neither to the operating system files nor to the applications installed by the user.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Boeriu Laura, virus researcher
Technical Description:
A mutex named updater3 is created in order to allow only one instance of the malware to be executed at a time.
The malware checks the availability of the internet connection by trying to reach www.google.com and sends ICMP echo requests to wikipedia.org, myspace.com, youtube.com and yahoo.com.
If the sites can be reached, the malware downloads an executable file, verifies its MZ signature and executes it.
Trojan.Patched.V has backdoor capabilities: it listens on several ports and accepts connections from multiple clients.
It creates an entry in the registry key Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad to be loaded at every system restart.